[c-nsp] "extendable, incomplete" NAT entries

Nick Cutting ncutting at edgetg.co.uk
Tue Oct 13 14:27:47 EDT 2015


Extendable usually means that there is a static 1-to-1 NAT AND a port NAT on the same entry, not sure about incomplete though - you must be confusing the router

"The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address."


-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of oldnick
Sent: 13 October 2015 19:22
To: cisco-nsp at puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] "extendable, incomplete" NAT entries



On 10/13/2015 05:51 PM, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 13, 2015 at 05:40:08PM +0300, oldnick wrote:
>> Main problem is that with such entries present in the NAT table, the
>> inside host is reachable from the outside by the global address, and this is an obvious security flaw.
>
> Your *problem* is a funny security architecture, relying on NAT... ;-)
Valid point. But nevertheless, I find it quite interesting why such entries could be created. My google-foo didn't give any possible explanation and the 7201 box is EOL, so no TAC support.

NAT configuration of these boxes looks like this:

ip nat pool test-nat 172.16.100.10 172.16.100.10 prefix-length 24

ip nat inside source route-map test-nat-map pool test-nat overload

route-map test-nat-map permit 10
  match ip address test-nat-acl

ip access-list extended test-nat-acl
  deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
  permit ip 192.168.20.0 0.0.0.255 any

Maybe someone has experience regarding under what conditions "extendable, incomplete"
entries could be created?

Thanks

>
> But without seeing the actual configuration of the routers, it is just 
> a bit hard to comment where the "extensible" part is coming from - it 
> could just be configured that way.


>
> gert
>

--
Regards, Sergey
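For readers trying to work out which inside-to-outside flows the configuration posted above would actually translate, the following is an added example (not code from the thread, from Cisco, or from either poster). It models IOS extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end) and the single route-map clause shown, and reports the pool a flow would be translated with. Assumptions: only `ip` ACEs are evaluated (protocol and ports are ignored), there is exactly one route-map sequence, and the flow is in the inside-to-outside direction. It does not model the router's translation table, so it says nothing about how the "extendable, incomplete" entries came to exist; it only shows what the ACL/route-map pair admits to NAT.

```python
"""Evaluate the thread's NAT route-map/ACL against sample flows.

Added example; not the thread's or Cisco's code. Implements IOS ACL
matching (wildcard masks, first match, implicit deny) for the
configuration quoted in the mailing-list post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL and route-map copied from the post; the pool is referenced by name.
ACL_TEXT = """
ip access-list extended test-nat-acl
  deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
  permit ip 192.168.20.0 0.0.0.255 any
"""
ROUTE_MAP = {"name": "test-nat-map", "seq": 10, "action": "permit",
             "match_acl": "test-nat-acl", "pool": "test-nat", "overload": True}


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # only "ip" is modelled here (assumption)
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit/deny ip SRC WILD DST WILD' lines into ACEs, in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header
        s_net, s_wild, i = _parse_addr(tok, 2)
        d_net, d_wild, _ = _parse_addr(tok, i)
        aces.append(Ace(tok[0], tok[1], s_net, s_wild, d_net, d_wild))
    return aces


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # IOS wildcard: a 1 bit means "don't care"; only the 0 bits are compared.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_result(aces: List[Ace], src: str, dst: str) -> str:
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if (_wild_match(_ip(src), ace.src_net, ace.src_wild)
                and _wild_match(_ip(dst), ace.dst_net, ace.dst_wild)):
            return ace.action
    return "deny"


def nat_pool_for(src: str, dst: str) -> Optional[str]:
    """Pool an inside->outside flow is translated with, or None (no NAT)."""
    aces = parse_acl(ACL_TEXT)
    if ROUTE_MAP["action"] == "permit" and acl_result(aces, src, dst) == "permit":
        return ROUTE_MAP["pool"]
    return None  # route-map clause does not match: packet leaves untranslated


if __name__ == "__main__":
    # Constructed sample flows (198.51.100.0/24 is a documentation range).
    for src, dst in [("192.168.20.5", "10.0.0.7"),       # hits the deny ACE
                     ("192.168.20.5", "198.51.100.9"),   # hits the permit ACE
                     ("192.168.30.5", "198.51.100.9")]:  # implicit deny
        print(f"{src} -> {dst}: pool={nat_pool_for(src, dst)}")
```

The deny ACE at the top is what keeps 192.168.20.0/24 to 10.0.0.0/24 traffic out of the pool; any source outside 192.168.20.0/24 falls through to the implicit deny and is never translated by this route-map. Checking the route-map this way tells you what the configuration is supposed to create; it does not explain entries that the running NAT table holds beyond that.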
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
