[c-nsp] "extendable, incomplete" NAT entries

Nick Cutting ncutting at edgetg.co.uk
Tue Oct 13 15:48:38 EDT 2015


And no pools overlapping, even for dynamic / overload?

I don't think the extendable keyword turned up in the running config, until more recent versions - but probably shows up in your show commands.

Check for "duplicate anything" in your sh ip nat translations/statistics

-----Original Message-----
From: oldnick [mailto:oldnick.nsp at gmail.com] 
Sent: 13 October 2015 19:36
To: Nick Cutting; cisco-nsp at puck.nether.net
Cc: Gert Doering
Subject: Re: [c-nsp] "extendable, incomplete" NAT entries

Thank you, Nick. Problem is, there are no static entries on these boxes:

Router#show running-config all | i static|extendable
Router#

And if I am not wrong, these entries are dynamic: they have "use", "timeout" and "left" fields.

On 10/13/2015 09:31 PM, Nick Cutting wrote:
> And in new versions of IOS - it adds it to the config, whether you added the keyword or not:
>
> On a CSR 15.5 (INE LAB):
>
> R5#sh run | s nat
>   ip nat outside
>   ip nat inside
> ip nat inside source static tcp 155.1.8.8 80 202.221.217.114 80 extendable
> ip nat inside source static 155.1.10.10 202.221.217.114
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf 
> Of Nick Cutting
> Sent: 13 October 2015 19:28
> To: oldnick; cisco-nsp at puck.nether.net
> Cc: Gert Doering
> Subject: Re: [c-nsp] "extendable, incomplete" NAT entries
>
> Extendable usually means that there is a static 1-to-1 nat AND a port 
> nat on the same entry, not sure about incomplete though - you must be 
> confusing the router
>
> "The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address."
>
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf 
> Of oldnick
> Sent: 13 October 2015 19:22
> To: cisco-nsp at puck.nether.net
> Cc: Gert Doering
> Subject: Re: [c-nsp] "extendable, incomplete" NAT entries
>
>
>
> On 10/13/2015 05:51 PM, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Oct 13, 2015 at 05:40:08PM +0300, oldnick wrote:
>>> Main problem is that with such entries present in the NAT table, 
>>> inside host is reachable from the outside by global address, and this is obvious security flaw.
>>
>> Your *problem* is a funny security architecture, relying on NAT... 
>> ;-)
> Valid point. But nevertheless, I find it quite interesting why such entries could be created. My google-fu didn't give any possible explanation and the 7201 box is EOL, so no TAC support.
>
> NAT configuration of these boxes looks like this:
>
> ip nat pool test-nat 172.16.100.10 172.16.100.10 prefix-length 24
>
> ip nat inside source route-map test-nat-map pool test-nat overload
>
> route-map test-nat-map permit 10
>    match ip address test-nat-acl
>
> ip access-list extended test-nat-acl
>    deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.0.0.255
>    permit ip 192.168.20.0 0.0.0.255 any
>
> Maybe someone has experience regarding under what conditions "extendable, incomplete"
> entries could be created?
>
> Thanks
>
>>
>> But without seeing the actual configuration of the routers, it is 
>> just a bit hard to comment where the "extensible" part is coming from 
>> - it could just be configured that way.
>
>
>>
>> gert
>>
>
> --
> Regards, Sergey
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
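An added example, not from the thread or from Cisco, that does what Nick suggests above: parse translation output and flag dynamic entries (those with a "left" countdown) that carry the extendable flag the thread associates with static entries, plus any duplicated inside-global socket. The output layout and both entries are constructed approximations of IOS `show ip nat translations verbose`, not captured from the 7201; the addresses reuse the thread's pool and ACL ranges.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample approximating "show ip nat translations verbose" (assumed layout).
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 172.16.100.10:1024    192.168.20.5:51000    198.51.100.7:443      198.51.100.7:443
    create 00:00:12, use 00:00:12 timeout: 3600000, left 00:59:48, flags:
    extendable, incomplete, use_count: 0, entry-id: 41, lc_entries: 0
tcp 172.16.100.10:1025    192.168.20.6:52000    198.51.100.9:80       198.51.100.9:80
    create 00:00:40, use 00:00:03 timeout: 86400000, left 23:59:20, flags:
    timing-out, use_count: 0, entry-id: 42, lc_entries: 0
"""

ENTRY_RE = re.compile(r"^(tcp|udp|icmp|---)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str
    timeout_ms: Optional[int] = None
    left: Optional[str] = None
    flags: list = field(default_factory=list)

    @property
    def dynamic(self) -> bool:
        # Static entries never expire; pool/overload entries carry a "left" countdown.
        return self.left is not None


def parse_translations(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Translation(*m.groups()))
            continue
        if not entries or not line.startswith(" "):
            continue  # column header or unrelated output
        cur = entries[-1]
        if t := re.search(r"timeout:\s*(\d+)", line):
            cur.timeout_ms = int(t.group(1))
        if lft := re.search(r"left\s+([\d:]+)", line):
            cur.left = lft.group(1)
        if "flags:" in line or "use_count" in line:
            # Flag list runs from "flags:" (possibly onto the next line) up to "use_count".
            tail = line.split("flags:", 1)[-1].split("use_count", 1)[0]
            cur.flags += [f.strip() for f in tail.split(",") if f.strip()]
    return entries


def suspicious(entries: list) -> list:
    """Dynamic entries marked extendable, and any inside-global socket seen twice."""
    findings, seen = [], {}
    for e in entries:
        if e.dynamic and "extendable" in e.flags:
            findings.append(f"dynamic {e.inside_global} <- {e.inside_local}: {', '.join(e.flags)}")
        seen[e.inside_global] = seen.get(e.inside_global, 0) + 1
    findings += [f"duplicate inside global {k} ({n} entries)" for k, n in seen.items() if n > 1]
    return findings
```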