[c-nsp] "extendable, incomplete" NAT entries

Nick Cutting ncutting at edgetg.co.uk
Tue Oct 13 14:31:09 EDT 2015


And in new versions of IOS it adds it to the config, whether you added the keyword or not:

On a CSR 15.5 (INE LAB):

R5#sh run | s nat
 ip nat outside
 ip nat inside
ip nat inside source static tcp 155.1.8.8 80 202.221.217.114 80 extendable
ip nat inside source static 155.1.10.10 202.221.217.114
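
Since the thread turns on which inside hosts end up reachable from outside through static translations, here is a small config-review script added as an example (it is not code from this thread, from Cisco, or from the INE lab). It parses the two static lines from R5's output above plus a third, constructed 1:1 static, reports global addresses shared by more than one static (the "ambiguous translations" the extendable keyword is for), and lists what each inside host exposes: a single protocol/port, or the whole host. It makes no claim about when IOS requires or auto-adds the keyword; it only reports whether the keyword is present.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): the two static entries quoted from R5's
# "sh run | s nat" plus a hypothetical third 1:1 static on its own global address.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 155.1.8.8 80 202.221.217.114 80 extendable
ip nat inside source static 155.1.10.10 202.221.217.114
ip nat inside source static 155.1.10.11 202.221.217.115
"""

# Two shapes of "ip nat inside source static": port-level
# (proto local lport global gport) and whole-address (local global).
# Whatever follows is kept as trailing keywords, e.g. "extendable".
STATIC_RE = re.compile(
    r"^ip nat inside source static\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<global>\S+)\s+(?P<gport>\d+)"
    r"|(?P<local2>\S+)\s+(?P<global2>\S+))"
    r"(?P<rest>.*)$"
)


def parse_static_nat(config):
    """Return one dict per static translation line found in an IOS config."""
    entries = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "proto": m.group("proto"),  # None for a 1:1 static
            "local": m.group("local") or m.group("local2"),
            "lport": int(m.group("lport")) if m.group("lport") else None,
            "global": m.group("global") or m.group("global2"),
            "gport": int(m.group("gport")) if m.group("gport") else None,
            "extendable": "extendable" in m.group("rest").split(),
        })
    return entries


def ambiguous_globals(entries):
    """Global addresses claimed by more than one static entry."""
    by_global = defaultdict(list)
    for e in entries:
        by_global[e["global"]].append(e)
    return {g: es for g, es in by_global.items() if len(es) > 1}


def exposure(entries):
    """Map each inside host to what outside can reach through its global address:
    a (proto, global_port) tuple per port static, or "all ports" for a 1:1 static."""
    exposed = defaultdict(set)
    for e in entries:
        if e["proto"]:
            exposed[e["local"]].add((e["proto"], e["gport"]))
        else:
            exposed[e["local"]].add("all ports")
    return dict(exposed)


if __name__ == "__main__":
    ents = parse_static_nat(SAMPLE_CONFIG)
    for g, es in ambiguous_globals(ents).items():
        print(f"{g} is shared by {len(es)} static entries:")
        for e in es:
            kind = f"{e['proto']}/{e['gport']}" if e["proto"] else "1:1"
            print(f"  {e['local']} ({kind}, extendable={e['extendable']})")
    for host, what in sorted(exposure(ents).items()):
        print(f"{host}: reachable from outside on {sorted(map(str, what))}")
```

Run it against a saved `show running-config`; any host that shows "all ports" is a full 1:1 static and deserves a look at whatever sits behind it, since nothing in the translation itself limits what the outside can reach.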

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Cutting
Sent: 13 October 2015 19:28
To: oldnick; cisco-nsp at puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] "extendable, incomplete" NAT entries

Extendable usually means that there is a static 1-to-1 NAT AND a port NAT on the same entry, not sure about incomplete though - you must be confusing the router

"The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address."


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of oldnick
Sent: 13 October 2015 19:22
To: cisco-nsp at puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] "extendable, incomplete" NAT entries



On 10/13/2015 05:51 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 13, 2015 at 05:40:08PM +0300, oldnick wrote:
>> Main problem is that with such entries present in the NAT table, the
>> inside host is reachable from the outside by its global address, and this is an obvious security flaw.
>
> Your *problem* is a funny security architecture, relying on NAT... ;-)
Valid point. But nevertheless, I find it quite interesting why such entries could be created. My google-foo didn't give any possible explanation and 7201 box is EOL, so no TAC support.

NAT configuration of these boxes looks like this:

ip nat pool test-nat 172.16.100.10 172.16.100.10 prefix-length 24

ip nat inside source route-map test-nat-map pool test-nat overload

route-map test-nat-map permit 10
  match ip address test-nat-acl

ip access-list extended test-nat-acl
  deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
  permit ip 192.168.20.0 0.0.0.255 any

Maybe someone has had experience regarding under what conditions "extendable, incomplete" entries could be created?

Thanks

>
> But without seeing the actual configuration of the routers, it is just 
> a bit hard to comment where the "extensible" part is coming from - it 
> could just be configured that way.


>
> gert
>

--
Regards, Sergey
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
