[nsp] what does cisco NAT do with errant packets?

Gert Doering gert at greenie.muc.de
Wed Jan 22 19:39:13 EST 2003


Hi,

On Wed, Jan 22, 2003 at 10:34:40AM -0800, Mark Kent wrote:
> I'm seeing some weird behavior with a NAT'ed customer 
> on the far end of a T1 (cisco both ends).  Here is my conclusion:
> 
> It looks like traffic destined for the NAT ip address that does not
> correspond to an entry in the NAT translation table gets routed back out
> (likely following the default route).
> 
> That is, suppose A.B.C.D is in the NAT pool and a packet comes in 
> destined for A.B.C.D tcp port X, but there is no translation entry
> for A.B.C.D tcp port X and no map, etc.   Then, that packet is routed
> out the default route on the router.
> 
> Can anyone verify that this is what cisco NAT does in this scenario?

It matches what I have observed as well.

> And, if so, does this seem like a reasonable strategy?

It's the way it is :-) - if you don't want this, put the NAT pool as
an IP range onto the router's loopback interface, or as secondaries
on the LAN.

> I think this could lead to an unimaginative denial of service attack 
> since each packet would zip around the T1 end-points until the TTL expires. 

Of course we all do "ip verify unicast reverse" and will drop the packet
as soon as it bounces back, no? :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
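As an added illustration (not part of Gert's or Mark's mail, and a constructed model rather than real IOS behaviour), the Python below traces one packet through the bounce Mark describes and through the two mitigations Gert names: holding the pool address locally on the customer router, and strict uRPF on the ISP side. The addresses, the translation table and the packet size are made up.

```python
from dataclasses import dataclass

POOL_PREFIX = "198.51.100."   # constructed NAT pool, one /24 in a documentation range

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int
    size: int = 1500          # bytes carried per T1 traversal

def in_pool(ip: str) -> bool:
    return ip.startswith(POOL_PREFIX)

def customer_hop(pkt, translations, pool_on_loopback):
    """Customer NAT router: 'inside' when a translation exists, otherwise the
    default route ('isp'); None when the pool address is local and the
    untranslated packet is dropped rather than bounced."""
    if (pkt.dst, pkt.dport) in translations:
        return "inside"
    if pool_on_loopback and in_pool(pkt.dst):
        return None
    return "isp"

def isp_hop(pkt, came_from, urpf):
    """ISP edge: strict uRPF drops a packet arriving from the customer link
    whose source is not reachable via that link; otherwise the static pool
    route sends pool traffic back down the T1."""
    if urpf and came_from == "customer" and not in_pool(pkt.src):
        return None
    return "customer" if in_pool(pkt.dst) else "internet"

def simulate(pkt, translations=frozenset(), pool_on_loopback=False, urpf=False):
    """Return (T1 traversals, bytes moved over the T1, fate) for one packet
    that enters at the ISP edge from the Internet."""
    ttl, hops, here, came_from = pkt.ttl, 0, "isp", "internet"
    while True:
        if here == "isp":
            nh = isp_hop(pkt, came_from, urpf)
            if nh is None: return hops, hops * pkt.size, "dropped by uRPF"
            if nh == "internet": return hops, hops * pkt.size, "forwarded"
        else:
            nh = customer_hop(pkt, translations, pool_on_loopback)
            if nh is None: return hops, hops * pkt.size, "dropped at customer"
            if nh == "inside": return hops, hops * pkt.size, "translated"
        ttl -= 1                          # each forwarding decision costs one TTL
        if ttl == 0: return hops, hops * pkt.size, "ttl expired"
        hops += 1                         # and one more trip across the T1
        came_from, here = here, nh
```

With a default TTL of 64, a single untranslated 1500-byte packet crosses the T1 63 times before expiring, so the amplification on the link is roughly the packet's remaining TTL; either mitigation cuts that to one or two traversals.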

