

More NAT caveats

A month ago I wrote about NAT caveats in Cisco IOS release 12.4 that occur when outside addresses match the IP access list or route map referenced by the ip nat inside source command. I recently discovered more caveats: if you have an inbound access list on the outside interface, packets dropped by that access list still create NAT translation entries. Since the dropped packets consume translation slots, an attacker can turn this into a denial-of-service attack by sending enough packets to exhaust the router's pool of translation port numbers. You can read the whole NAT caveats article in the CT3 wiki.
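As an added illustration (this is not configuration from the post or from the CT3 wiki article), here is what the unsupported NAT match and the corrected one look like side by side on an IOS router that also carries an inbound access list on its outside interface. Interface names, addresses, ACL numbers and the translation limit are assumptions:

```cisco
! Added example; not taken from the post or the CT3 wiki.
! Interface names, addresses and ACL numbers are assumptions.
!
! --- Interfaces ---
interface FastEthernet0/0
 description Inside LAN (10.0.0.0/24)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Outside / ISP link
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group 110 in
!
! --- Inbound access list on the outside interface ---
! Only return traffic is permitted; everything else is dropped.
! The post's observation: packets dropped here can still create NAT entries.
access-list 110 permit tcp any host 192.0.2.1 established
access-list 110 permit icmp any host 192.0.2.1 echo-reply
access-list 110 deny ip any any log
!
! --- Weak NAT match (the unsupported configuration) ---
! "permit any" also matches outside (global) source addresses, which is the
! situation the earlier post warned about.
access-list 1 permit any
ip nat inside source list 1 interface Serial0/0 overload
!
! --- Corrected NAT match ---
! Match only the inside (local) prefix, so an outside address can never hit
! the NAT access list.
no ip nat inside source list 1 interface Serial0/0 overload
no access-list 1
access-list 2 permit 10.0.0.0 0.0.0.255
ip nat inside source list 2 interface Serial0/0 overload
!
! --- Optional resource limit (a general NAT knob, not discussed in the post) ---
! Caps the translation table so a packet flood cannot exhaust it; derive the
! number from observed peak usage on the router in question.
ip nat translation max-entries 5000
```

After applying the corrected version, show ip nat translations and show ip nat statistics are the places to check whether translations are still being created for packets that access list 110 drops; clear ip nat translation * empties the table if the router has already run out of ports. The ip nat translation max-entries line is a generic NAT resource limit that the post does not mention; treat it as defence in depth against table exhaustion, not as a fix for the caveat itself.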



  1. Shouldn't this be a bug (and potential DoS security issue) to be filed with TAC, rather than just a "caveat" to be documented?

  2. Well, the configuration that permits outside addresses in the inside access-list or route-map has been unsupported "forever" (see the comments to the related post), it's just that with 12.4T we're getting hit with the consequences of using unsupported configuration.

