08-25-2018 10:17 AM - edited 03-01-2019 03:11 PM
Hi all,
Kindly, can anyone advise me about the purpose of the command line below on an ASR1002? Thanks in advance.
ip nat settings nonpatdrop
09-13-2018 11:17 AM
It looks like a legacy command for Carrier Grade NAT not present in the documentation, but it should enable a particular NAT mode.
10-27-2019 06:21 AM
This command drops all packets which cannot be Port Address Translated (non-PATable traffic). PAT can only be performed on protocols where the ports are known: UDP, TCP, ICMP.
If the router receives a non-PATable packet, a static translation entry is created (1:1) and therefore pool exhaustion is likely. Either make sure that only the above-mentioned protocols hit the router or enable this command to avoid pool exhaustion. The documentation explains that pretty well:
Andre
02-20-2020 04:12 AM
Hello
When non-PATable traffic (not ICMP, TCP or UDP) passes the gateway, it creates a reverse path to the inside host by installing a static entry in the NAT table. It can be seen as a backdoor because traffic can go from outside to inside through this translation. This is a known issue:
The command "ip nat settings nonpatdrop" has been introduced in IOS 15.5(3)S4 (IOS-XE 3.16.4S) to fix this issue :
See bug CSCvd85915
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd85915/?referring_site=ss&dtid=osscdc000283
Regards
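To make the two answers above concrete (the pool-exhaustion point in Andre's reply and the inbound "backdoor" static entry in the last one), here is a small simulation of a PAT gateway. It is an added illustration written for this thread, not Cisco code and not a model of the actual IOS-XE NAT implementation: the pool addresses, inside hosts and traffic mix are constructed, and the `nonpatdrop` flag stands in for the effect the thread attributes to `ip nat settings nonpatdrop`. Port-bearing protocols share one global address through port overload; anything else either consumes a whole pool address as a 1:1 static entry that also admits unsolicited inbound traffic, or, with the drop setting on, is discarded.

```python
"""Toy model of PAT versus 1:1 static fallback for non-PATable protocols (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Protocols with a port (or ICMP identifier) the translator can rewrite.
PAT_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: Optional[int] = None  # None for protocols without a port field (e.g. GRE, ESP)


@dataclass
class NatGateway:
    pool: List[str]                  # global addresses available to the translator
    nonpatdrop: bool = False         # stands in for 'ip nat settings nonpatdrop' (assumption)
    pat_addr: str = field(init=False)
    free: List[str] = field(init=False)
    pat_table: Dict[Tuple[str, str, Optional[int]], Tuple[str, int]] = field(default_factory=dict)
    static_table: Dict[str, str] = field(default_factory=dict)  # inside host -> dedicated global addr
    dropped: int = 0
    _next_port: int = 1024

    def __post_init__(self) -> None:
        self.free = list(self.pool)
        self.pat_addr = self.free.pop(0)  # first pool address is the overloaded one

    def translate(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        """Return the (global_ip, global_port) the packet leaves with, or None if dropped."""
        if pkt.proto in PAT_PROTOCOLS:
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            if key not in self.pat_table:
                self.pat_table[key] = (self.pat_addr, self._next_port)
                self._next_port += 1
            return self.pat_table[key]
        # Non-PATable protocol: no port to multiplex on.
        if self.nonpatdrop:
            self.dropped += 1
            return None
        if pkt.src_ip not in self.static_table:
            if not self.free:
                self.dropped += 1  # pool exhausted by earlier 1:1 entries
                return None
            self.static_table[pkt.src_ip] = self.free.pop(0)
        return (self.static_table[pkt.src_ip], None)

    def inbound_allowed(self, global_ip: str) -> bool:
        """Would an unsolicited outside->inside packet to global_ip be forwarded? (the 'backdoor')."""
        return global_ip in self.static_table.values()


def run_demo(nonpatdrop: bool) -> Dict[str, int]:
    """Push a constructed traffic mix through a three-address pool and summarise the NAT state."""
    gw = NatGateway(pool=["203.0.113.1", "203.0.113.2", "203.0.113.3"], nonpatdrop=nonpatdrop)
    traffic = [
        Packet("tcp", "10.0.0.1", 40000),
        Packet("tcp", "10.0.0.2", 40000),   # same source port, different host: still PATable
        Packet("udp", "10.0.0.3", 5000),
        Packet("icmp", "10.0.0.4", 7),      # ICMP identifier treated like a port
        Packet("gre", "10.0.0.5"),          # non-PATable from here on
        Packet("gre", "10.0.0.6"),
        Packet("gre", "10.0.0.7"),          # third GRE host: pool already used up
        Packet("gre", "10.0.0.5"),          # repeat from host 5 reuses its static entry
    ]
    for pkt in traffic:
        gw.translate(pkt)
    return {
        "pat_entries": len(gw.pat_table),
        "static_entries": len(gw.static_table),
        "free_addrs": len(gw.free),
        "dropped": gw.dropped,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("nonpatdrop =", mode, "->", run_demo(mode))
```

Running it shows the trade-off the thread describes: with the drop setting off, two GRE hosts each take a full pool address, the third is refused because the pool is empty, and both dedicated addresses answer to unsolicited inbound traffic; with it on, no static entries are created, the pool stays intact for overloaded TCP/UDP/ICMP flows, and every non-PATable packet is dropped.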