NAT Command Line

Hi all, 

Kindly, can anyone advise me about the purpose of the command line below on an ASR1002? Thanks in advance.

ip nat settings nonpatdrop

3 Replies

Re: NAT Command Line

It looks like a legacy command for Carrier Grade NAT that is not present in the documentation, but it should enable a particular NAT mode.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-cgn.html

CCIE 52804

Re: NAT Command Line

This command drops all packets which cannot be Port Address Translated (non-PATable traffic). PAT can only be performed on protocols where the ports are known: UDP, TCP, ICMP.

If the router receives a non-PATable packet, a static translation entry is created (1:1) and therefore pool exhaustion is likely. Either make sure that only the above-mentioned protocols hit the router or enable this command to avoid pool exhaustion. The documentation explains that pretty well:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-9/nat-xe-16-9-book.pdf

Andre


Re: NAT Command Line

Hello

When non-PATable traffic (not ICMP, TCP or UDP) passes the gateway, it creates a reverse path to the inside host by installing a static entry in the NAT table. It can be seen as a backdoor because traffic can go from outside to inside through this translation. This is a known issue:

https://www.cisco.com/c/en/us/support/docs/security/ios-network-address-translation-nat/212922-unexpected-behaviour-of-dynamic-nat-with.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-12/nat-xe-16-12-book/iadnat-addr-consv.html#reference_255FB71880424C21A193DF9BC9B2F957

The command "ip nat settings nonpatdrop" was introduced in IOS 15.5(3)S4 (IOS-XE 3.16.4S) to fix this issue:

See bug CSCvd85915

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd85915/?referring_site=ss&dtid=osscdc000283

Regards
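As an added example (it is not from the thread or from Cisco's documentation) of where the command sits in a NAT overload configuration on IOS-XE: the interface names, the ACL and pool names and all addresses are assumptions chosen for illustration. The first part is an ordinary dynamic PAT setup as the replies above describe it; the `ip nat settings nonpatdrop` line is the one the thread discusses, and the PAT-only ACL shows the other option the second reply mentions, not letting non-PATable protocols reach NAT at all.

```cisco
! Added example, not from the thread. Assumed names and addresses:
! GigabitEthernet0/0/0 = inside, GigabitEthernet0/0/1 = outside,
! inside subnet 10.1.1.0/24, public pool 203.0.113.10-.13.
!
! Plain dynamic NAT overload (PAT). TCP/UDP/ICMP share one pool address via
! ports. A non-PATable protocol (e.g. GRE, IP protocol 47, or ESP, protocol 50)
! instead gets a 1:1 entry that consumes a whole pool address and is reachable
! from outside, so a four-address pool exhausts after four such inside hosts.
ip access-list extended NAT-INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat pool PUBLIC-POOL 203.0.113.10 203.0.113.13 netmask 255.255.255.0
ip nat inside source list NAT-INSIDE pool PUBLIC-POOL overload
!
interface GigabitEthernet0/0/0
 ip nat inside
!
interface GigabitEthernet0/0/1
 ip nat outside
!
! Fix discussed in the thread: drop packets that cannot be port-translated
! instead of installing a 1:1 entry for them.
ip nat settings nonpatdrop
!
! Alternative without the command: only let PATable protocols match the NAT
! ACL, so non-PATable traffic never reaches the translation path. Swap this
! list into the "ip nat inside source list ..." line above if you use it.
ip access-list extended NAT-INSIDE-PAT-ONLY
 permit tcp 10.1.1.0 0.0.0.255 any
 permit udp 10.1.1.0 0.0.0.255 any
 permit icmp 10.1.1.0 0.0.0.255 any
!
! Verification after applying either option:
!   show ip nat translations   - no port-less 1:1 entries for GRE/ESP hosts
!   show ip nat statistics     - pool usage stays bounded by active PAT sessions
```

The difference to look for in `show ip nat translations` is entries with no port columns: those are the 1:1 entries the third reply calls a backdoor, and they should no longer appear for non-PATable inside hosts once either the drop setting or the PAT-only ACL is in place.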
