[c-nsp] "extendable, incomplete" NAT entries
oldnick
oldnick.nsp at gmail.com
Tue Oct 13 14:36:02 EDT 2015
Thank you, Nick. Problem is, there are no static entries on these boxes:
Router#show running-config all | i static|extendable
Router#
And if I am not wrong, these entries are dynamic: they have "use", "timeout" and "left" fields.
On 10/13/2015 09:31 PM, Nick Cutting wrote:
> And in new versions of IOS - it adds it to the config, whether you added the keyword or not:
>
> On a CSR 15.5 (INE LAB):
>
> R5#sh run | s nat
> ip nat outside
> ip nat inside
> ip nat inside source static tcp 155.1.8.8 80 202.221.217.114 80 extendable
> ip nat inside source static 155.1.10.10 202.221.217.114
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Cutting
> Sent: 13 October 2015 19:28
> To: oldnick; cisco-nsp at puck.nether.net
> Cc: Gert Doering
> Subject: Re: [c-nsp] "extendable, incomplete" NAT entries
>
> Extendable usually means that there is a static 1-to-1 nat AND a port nat on the same entry, not sure about incomplete though - you must be confusing the router
>
> "The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address."
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of oldnick
> Sent: 13 October 2015 19:22
> To: cisco-nsp at puck.nether.net
> Cc: Gert Doering
> Subject: Re: [c-nsp] "extendable, incomplete" NAT entries
>
>
>
> On 10/13/2015 05:51 PM, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Oct 13, 2015 at 05:40:08PM +0300, oldnick wrote:
>>> Main problem is that with such entries present in the NAT table,
>>> inside host is reachable from the outside by global address, and this is obvious security flaw.
>>
>> Your *problem* is a funny security architecture, relying on NAT... ;-)
> Valid point. But nevertheless, I find it quite interesting why such entries could be created. My google-foo didn't give any possible explanation and 7201 box is EOL, so no TAC support.
>
> NAT configuration of these boxes looks like this:
>
> ip nat pool test-nat 172.16.100.10 172.16.100.10 prefix-length 24
>
> ip nat inside source route-map test-nat-map pool test-nat overload
>
> route-map test-nat-map permit 10
> match ip address test-nat-acl
>
> ip access-list extended test-nat-acl
> deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
> permit ip 192.168.20.0 0.0.0.255 any
>
> Maybe someone has had experience regarding under what conditions "extendable, incomplete"
> entries could be created?
>
> Thanks
>
>>
>> But without seeing the actual configuration of the routers, it is just
>> a bit hard to comment where the "extensible" part is coming from - it
>> could just be configured that way.
>
>
>>
>> gert
>>
>
> --
> Regards, Sergey
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
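Added example (not from this thread or from Cisco): the check Sergey ran by hand here, comparing what `show ip nat translations verbose` lists against what `show running-config all | i static|extendable` declares, can be scripted so that an "extendable, incomplete" entry with no static statement behind it is flagged before anyone relies on NAT as a filter. The show output below is constructed, its line layout (entry line followed by create/use/timeout/left counters and a "flags:" line) is an assumption about the verbose format, and the config excerpt is the pool/route-map setup from the thread with no static lines, so the flagged entry should be the unexplained one.

```python
"""Flag NAT translations that behave like static maps but have no static config.

Added example, not code from the cisco-nsp thread. The verbose output format
and the field names are assumptions; adjust the regexes to the platform.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, loosely modelled on `show ip nat translations verbose`.
# The second entry is the kind discussed in the thread: no protocol/outside
# address, yet it carries "extendable, incomplete" and dynamic counters.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.16.100.10:2048 192.168.20.15:2048 198.51.100.9:443   198.51.100.9:443
    create 00:01:12, use 00:00:03 timeout: 86400000, left 23:59:56,
    flags: extended, use_count: 1, entry-id: 7, lc_entries: 0
--- 172.16.100.10      192.168.20.40      ---                ---
    create 00:10:30, use 00:00:41 timeout: 86400000, left 23:59:18,
    flags: extendable, incomplete, use_count: 0, entry-id: 9, lc_entries: 0
udp 172.16.100.10:5060 192.168.20.22:5060 198.51.100.3:5060  198.51.100.3:5060
    create 00:00:09, use 00:00:09 timeout: 300000, left 00:04:51,
    flags: timing-out, use_count: 0, entry-id: 11, lc_entries: 0
"""

# Constructed config excerpt: the overload setup from the thread, no statics.
SAMPLE_CONFIG = """\
ip nat pool test-nat 172.16.100.10 172.16.100.10 prefix-length 24
ip nat inside source route-map test-nat-map pool test-nat overload
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)
# Everything between "flags:" and the first ", use_count:" is the flag list.
FLAGS_RE = re.compile(r"^\s*flags:\s*(?P<flags>.*?)(?:,\s*use_count:.*)?$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    flags: list[str] = field(default_factory=list)

    @property
    def local_ip(self) -> str:
        return self.inside_local.split(":")[0]

    @property
    def global_ip(self) -> str:
        return self.inside_global.split(":")[0]


def parse_translations(text: str) -> list[Translation]:
    """Parse entry lines and attach the flags line that follows each entry."""
    entries: list[Translation] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Translation(m["proto"], m["ig"], m["il"], m["ol"], m["og"]))
            continue
        m = FLAGS_RE.match(line)
        if m and entries:
            entries[-1].flags = [f.strip() for f in m["flags"].split(",") if f.strip()]
    return entries


def static_translations(config: str) -> set[tuple[str, str]]:
    """(inside_local, inside_global) pairs declared with `ip nat ... source static`.

    Both forms seen in the thread are covered: plain `static A B` and
    `static tcp A port B port extendable`; the first address is local,
    the second is global.
    """
    pairs: set[tuple[str, str]] = set()
    for line in config.splitlines():
        if " source static " not in line:
            continue
        addrs = IPV4_RE.findall(line)
        if len(addrs) >= 2:
            pairs.add((addrs[0], addrs[1]))
    return pairs


def unexplained_entries(translations: list[Translation],
                        statics: set[tuple[str, str]]) -> list[Translation]:
    """Entries flagged extendable/incomplete that no static statement explains.

    Such an entry maps a global address to an inside host without a static
    rule having been configured, which is the exposure the thread is about.
    """
    return [
        t for t in translations
        if {"extendable", "incomplete"} & set(t.flags)
        and (t.local_ip, t.global_ip) not in statics
    ]


if __name__ == "__main__":
    found = unexplained_entries(parse_translations(SAMPLE_TRANSLATIONS),
                                static_translations(SAMPLE_CONFIG))
    for t in found:
        print(f"unexplained: {t.inside_local} <- {t.inside_global} flags={t.flags}")
```

Feed it the two captures from the box in place of the constructed samples; an empty result means every extendable entry is accounted for by a static line, a non-empty one is the list to clear (or to explain) before treating the outside interface as closed.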