[c-nsp] "extendable, incomplete" NAT entries
oldnick
oldnick.nsp at gmail.com
Tue Oct 13 10:40:08 EDT 2015
Hi all,
We are observing a strange problem regarding NAT. Two of our boxes (Cisco 7201) with NAT enabled
create "extendable, incomplete" NAT entries, like this:
--- 172.16.100.10 192.168.20.20 --- ---
create 18:00:36, use 00:00:29 timeout:86400000, left 23:59:30, Map-Id(In): 32,
flags:
extendable, incomplete, use_count: 7, entry-id: 2949, lc_entries: 0
The main problem is that with such entries present in the NAT table, the inside host is reachable from the
outside by its global address, and this is an obvious security flaw. We had 15.1(4)M4 on these boxes, then
changed it to 15.2(4)M8, but without success; entries still appear from time to time. The NAT
configuration is really simple: dynamic translations with pools, route-maps and access-lists.
Thanks in advance
--
Regards, Sergey
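
Added example, not part of the original post and not Cisco tooling: a small Python check that scans saved NAT table output in the shape quoted above (assumed to come from `show ip nat translations verbose`) and reports entries carrying the `incomplete` flag, noting whether the outside columns are unset. The sample text, the second entry and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the entry quoted in the post. The second
# entry (an ordinary port-level translation) is invented for contrast.
SAMPLE = """\
--- 172.16.100.10 192.168.20.20 --- ---
create 18:00:36, use 00:00:29 timeout:86400000, left 23:59:30, Map-Id(In): 32,
flags:
extendable, incomplete, use_count: 7, entry-id: 2949, lc_entries: 0
tcp 172.16.100.11:4021 192.168.20.21:4021 198.51.100.7:443 198.51.100.7:443
create 00:01:10, use 00:00:02 timeout:86400000, left 23:59:57, Map-Id(In): 32,
flags:
extendable, use_count: 0, entry-id: 2950, lc_entries: 0
"""

# Entry header columns: Pro, Inside global, Inside local, Outside local, Outside global.
# Assumption: only these protocol tokens appear; extend the alternation if needed.
HEADER = re.compile(r"^(---|tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
FIELDS = ("pro", "inside_global", "inside_local", "outside_local", "outside_global")

def parse_entries(text):
    """Group the output into entries and pull out flags and entry-id."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append(dict(zip(FIELDS, m.groups()), detail=""))
        elif entries and line:
            entries[-1]["detail"] += " " + line
    for e in entries:
        _, _, tail = e["detail"].partition("flags:")
        # Flags are the bare words after "flags:"; "key: value" items are counters.
        e["flags"] = [t.strip() for t in tail.split(",") if t.strip() and ":" not in t]
        m = re.search(r"entry-id:\s*(\d+)", e["detail"])
        e["entry_id"] = int(m.group(1)) if m else None
    return entries

def find_incomplete(text):
    """Return entries flagged 'incomplete', noting whether an outside peer is pinned."""
    return [
        {"entry_id": e["entry_id"], "inside_global": e["inside_global"],
         "inside_local": e["inside_local"],
         "no_outside_peer": e["outside_local"] == "---" == e["outside_global"]}
        for e in parse_entries(text) if "incomplete" in e["flags"]
    ]

if __name__ == "__main__":
    for hit in find_incomplete(SAMPLE):
        print(hit)
```

Run against periodic captures of the table, this gives a record of when such entries appear and which inside hosts they map.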