[c-nsp] PAT allowing incoming translations?

Kevin Graham mahargk at gmail.com
Tue Feb 8 10:17:14 EST 2005


On Tue, 8 Feb 2005 09:01:58 -0600, Brian Feeny <signal at shreve.net> wrote:
> 
> I was under the (possibly wrong) impression that PAT does not allow any
> incoming translations unless you specifically define them.  I have a
> router, running PAT, and if I telnet to port 135 of the pool's single
> address, it connects me to port 135 of one of my inside windows boxes.

In some cases, a NAT overload will result in a 1:1 mapping (I never
looked into the details of what causes it, but I would presume it's a
result of IOS accommodating some NAT-unfriendly traffic). It was a
surprise to me too, but it does happen.

This is why you really want to combine your NAT configs w/ ip inspect
(CBAC)... (Now if only IOS didn't do protocol inspection separately
for NAT, CBAC, and NBAR).
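The combination Kevin recommends, as an added IOS configuration example that is not part of the original thread: PAT on the outside interface, a static deny-all ACL inbound on that interface, and a CBAC inspect rule that dynamically opens return paths only for sessions initiated from the inside, so a stray inbound translation to an inside host has no ACL hole to pass through. Interface names, the 192.168.1.0/24 inside range, the 203.0.113.2 outside address and the ACL/inspect names are assumptions.

```text
! Inside hosts to be translated (assumed range)
access-list 1 permit 192.168.1.0 0.0.0.255

! PAT: all inside hosts share the outside interface address
ip nat inside source list 1 interface FastEthernet0/1 overload

! CBAC inspection rules: track sessions leaving via the outside interface
ip inspect name FW tcp
ip inspect name FW udp

! Static deny-all inbound on the outside interface. CBAC adds temporary
! entries ahead of this ACL only for return traffic of inspected sessions,
! so unsolicited inbound connections (e.g. to tcp/135) are dropped and logged.
ip access-list extended OUTSIDE-IN
 deny   ip any any log

interface FastEthernet0/0
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface FastEthernet0/1
 description outside / ISP (assumed address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

After an inside host opens a connection, `show ip inspect sessions` lists it and `show ip nat translations` shows the matching PAT entry; an inbound attempt to the outside address that is not a reply to such a session is evaluated against OUTSIDE-IN before translation and shows up in the log from the `deny ... log` entry rather than reaching an inside box.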

