A month ago I wrote about NAT caveats in Cisco IOS release 12.4 that occur when the outside addresses match the IP access list or route map used in the ip nat inside command. I recently discovered more caveats: if you have an inbound access list on the outside interface, the packets dropped by the access list still generate NAT entries (and might result in a denial-of-service attack when the router runs out of port numbers). You can read the whole NAT caveats article in the CT3 wiki.
Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.

Shouldn't this be a bug (and potential DoS security issue) to be filed with TAC, rather than just a "caveat" to be documented?
Well, the configuration that permits outside addresses in the inside access-list or route-map has been unsupported "forever" (see the comments to the related post), it's just that with 12.4T we're getting hit with the consequences of using unsupported configuration.