[c-nsp] ICMP PAT

Rodney Dunn rodunn at cisco.com
Wed Jun 4 10:43:48 EDT 2008 

I couldn't make that happen in the lab:

R1_#
*Jun  4 14:40:55.344: NAT*: i: icmp (1.1.1.1, 6) -> (2.2.2.2, 6) [25]
*Jun  4 14:40:55.344: NAT*: i: icmp (1.1.1.1, 6) -> (2.2.2.2, 6) [25]
*Jun  4 14:40:55.344: NAT*: s=1.1.1.1->192.168.1.1, d=2.2.2.2 [25]
*Jun  4 14:40:55.348: NAT*: i: icmp (1.1.1.1, 6) -> (2.2.2.2, 6) [26]
*Jun  4 14:40:55.348: NAT*: s=1.1.1.1->192.168.1.1, d=2.2.2.2 [26]
*Jun  4 14:40:55.352: NAT*: i: icmp (1.1.1.1, 6) -> (2.2.2.2, 6) [27]
*Jun  4 14:40:55.352: NAT*: s=1.1.1.1->192.168.1.1, d=2.2.2.2 [27]
*Jun  4 14:40:55.360: NAT*: i: icmp (1.1.1.1, 6) -> (2.2.2.2, 6) [28]
*Jun  4 14:40:55.360: NAT*: s=1.1.1.1->192.168.1.1, d=2.2.2.2 [28]
R1_#
R1_#debug ip nat det
R1_#sh ip nat trans 
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.1.1:6     1.1.1.1:6          2.2.2.2:6          2.2.2.2:6
--- 192.168.1.1        1.1.1.1            ---                ---
R1_#
R1_#

interface Ethernet0/0
ip address 1.1.1.2 255.255.255.0
 ip nat inside
interface Ethernet1/0
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
R1_#      
ip nat inside source static 1.1.1.1 192.168.1.1
R1_#

Those are pings from out to in matching a static nat entry.

Can you elaborate or show us an example of where you are seeing
it and try:

R1_(config)#no ip nat create ?
  flow-entries  NAT create flow based entries



On Wed, Jun 04, 2008 at 10:11:11AM -0300, Everton da Silva Marques wrote:
> On Wed, Jun 04, 2008 at 12:23:32AM +0300, Ibrahim Abo Zaid wrote:
> > Hi Oli
> > 
> > I read that @
> > http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a00801af2b9.html
> > 
> > best regards
> > --Abo Zaid
> > 
> > On Tue, Jun 3, 2008 at 7:03 PM, Oliver Boehmer (oboehmer) <
> > oboehmer at cisco.com> wrote:
> > 
> > > Ibrahim Abo Zaid <> wrote on Tuesday, June 03, 2008 10:46 AM:
> > >
> > > > Hi All
> > > >
> > > > according to Cisco docs , if ICMP PAT  is configured , ICMP packets
> > > > sequence numbers are associated to ports in NAT table means a
> > > > continuous traffic between a source and
> > > > a destination can create up to 65535 entries in NAT table !!!
> > > >
> > > > is that right , 65K entries for single flow ?
> > >
> > > no, a continuous ping creates a single entry in the NAT table (just
> > > checked).. where did you read the above?
> 
> Hi Oliver,
> 
> I recently saw the following under c1841-ipbasek9-mz.124-15.T5.bin:
> 
> interface FastEthernet0/0
>  ip address 200.xxx.yyy.171 255.255.255.248
>  ip nat outside
> 
> interface FastEthernet0/1
>  ip address 10.0.0.1 255.255.255.0
>  ip nat inside
> 
> ip nat inside source static 10.0.0.4 200.xxx.yyy.173
> 
> PING requests sent from 10.0.0.4 were translated with
> one single static NAT entry.
> 
> However, every PING request from outside towards
> 200.xxx.yyy.173 would create a dynamic NAT entry.
> Thus a continuous PING resulted in the NAT table
> growing continuosly...
> 
> This behavior surprised me but I didn't have the
> chance to investigate it further. Can you tell
> whether this behavior is actually intended?
> 
> Cheers,
> Everton
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list