[c-nsp] "extendable, incomplete" NAT entries
oldnick
oldnick.nsp at gmail.com
Tue Oct 13 14:21:42 EDT 2015
On 10/13/2015 05:51 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 13, 2015 at 05:40:08PM +0300, oldnick wrote:
>> The main problem is that with such entries present in the NAT table, the inside host is reachable from the
>> outside by its global address, and this is an obvious security flaw.
>
> Your *problem* is a funny security architecture, relying on NAT... ;-)
Valid point. But nevertheless, I find it quite interesting why such entries could be created. My
google-fu didn't give any possible explanation, and the 7201 box is EOL, so there is no TAC support.
The NAT configuration of these boxes looks like this:
ip nat pool test-nat 172.16.100.10 172.16.100.10 prefix-length 24
ip nat inside source route-map test-nat-map pool test-nat overload
!
route-map test-nat-map permit 10
 match ip address test-nat-acl
!
ip access-list extended test-nat-acl
 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
Maybe someone has had experience with the conditions under which "extendable, incomplete"
entries could be created?
Thanks
>
> But without seeing the actual configuration of the routers, it is just
> a bit hard to comment where the "extensible" part is coming from - it
> could just be configured that way.
>
> gert
>
--
Regards, Sergey
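Editor's note: the script below is an added example, not code from the poster or from Cisco. It does the two checks the thread implies: it audits a `show ip nat translations verbose` listing for mappings that have no outside peer bound (the "extendable, incomplete" entries that make an inside host reachable by its global address), and it evaluates the posted test-nat-acl so you can confirm which inside-to-outside flows the overload rule actually translates. The sample listing is constructed and its column layout and attribute lines are assumed; only the flag wording comes from the thread. Address values are documentation ranges.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of "show ip nat translations verbose" output. The
# column layout and the attribute lines are assumed for illustration; only
# the "extendable, incomplete" flag wording is taken from the thread.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.100.10:1025 192.168.20.15:1025 203.0.113.7:80     203.0.113.7:80
    create 00:01:02, use 00:00:05, left 23:58:55, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 12, lc_entries: 0
--- 172.16.100.10      192.168.20.40      ---                ---
    create 00:10:31, use 00:10:31, left 23:49:29, Map-Id(In): 1,
    flags:
extendable, incomplete, use_count: 0, entry-id: 13, lc_entries: 0
udp 172.16.100.10:40000 192.168.20.22:40000 198.51.100.9:53 198.51.100.9:53
    create 00:00:03, use 00:00:03, left 00:00:57, Map-Id(In): 1,
    flags:
extended, use_count: 0, entry-id: 14, lc_entries: 0
"""

# One translation line: protocol (or "---" for a plain address mapping)
# followed by the four address columns.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


@dataclass
class NatEntry:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    flags: set = field(default_factory=set)

    def is_exposed(self) -> bool:
        # No outside peer is bound to the mapping, so it is not tied to any
        # outbound flow: any outside host that sends to the inside-global
        # address is translated straight through to the inside host.
        return self.outside_local == "---" and self.outside_global == "---"


def parse_translations(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(NatEntry(m["proto"], m["ig"], m["il"], m["ol"], m["og"]))
        elif entries and "use_count" in line:
            # Flags line: bare tokens are flags, "name: value" tokens are counters.
            for tok in line.split(","):
                tok = tok.strip()
                if tok and ":" not in tok:
                    entries[-1].flags.add(tok)
    return entries


def exposed_entries(text: str) -> list:
    """Entries an outside host could use to reach an inside address directly."""
    return [e for e in parse_translations(text)
            if e.is_exposed() or "incomplete" in e.flags]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    # IOS wildcard mask: a 1 bit means "don't care".
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# test-nat-acl from the post as (action, src, src-wildcard, dst, dst-wildcard);
# "any" is 0.0.0.0 255.255.255.255.
TEST_NAT_ACL = [
    ("deny",   "192.168.20.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def acl_permits(src: str, dst: str, acl=TEST_NAT_ACL) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


if __name__ == "__main__":
    for e in exposed_entries(SAMPLE_OUTPUT):
        print(f"exposed: {e.inside_global} -> {e.inside_local} flags={sorted(e.flags)}")
    print("192.168.20.5 -> 10.0.0.9 translated:", acl_permits("192.168.20.5", "10.0.0.9"))
    print("192.168.20.5 -> 203.0.113.7 translated:", acl_permits("192.168.20.5", "203.0.113.7"))
```

Run it against a captured listing by reading the file into `exposed_entries()`; any entry it reports is a mapping that does not depend on an outbound flow, which is exactly the exposure the first message describes. The ACL evaluator only models the two lines posted (plus the implicit deny), so extend TEST_NAT_ACL if your real list is longer.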