NAT Command Line

Tariqemad
Level 1

Hi all, 

Kindly, can anyone advise me about the purpose of the below command line on an ASR1002? Thanks in advance.

ip nat settings nonpatdrop

3 Replies

lespejel
Level 3

It looks like a legacy command for Carrier Grade NAT that is not present in the documentation, but it should enable a particular NAT mode.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-cgn.html

CCIE 52804

This command drops all packets that cannot be Port Address Translated (non-PATable traffic). PAT can only be performed on protocols where the ports are known: UDP, TCP, ICMP.

If the router receives a non-PATable packet, a static (1:1) translation entry is created, and therefore pool exhaustion is likely. Either make sure that only the above-mentioned protocols hit the router, or enable this command to avoid pool exhaustion. The documentation explains that pretty well:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-9/nat-xe-16-9-book.pdf

Andre

Jerome BERTHIER
Level 1

Hello

When non-PATable traffic (not ICMP, TCP or UDP) passes the gateway, it creates a reverse path to the inside host by installing a static entry in the NAT table. It can be seen as a backdoor because traffic can go from outside to inside through this translation. This is a known issue:

https://www.cisco.com/c/en/us/support/docs/security/ios-network-address-translation-nat/212922-unexpected-behaviour-of-dynamic-nat-with.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-16-12/nat-xe-16-12-book/iadnat-addr-consv.html#reference_255FB71880424C21A193DF9BC9B2F957

The command "ip nat settings nonpatdrop" was introduced in IOS 15.5(3)S4 (IOS-XE 3.16.4S) to fix this issue:

See bug CSCvd85915

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd85915/?referring_site=ss&dtid=osscdc000283

Regards
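To make the behaviour described in the two replies above concrete, here is an added toy model of a dynamic NAT pool with overload. It is a constructed example, not Cisco code and not from anyone in this thread: PATable protocols (TCP, UDP, ICMP) share one pool address by rewriting the source port, while anything else (GRE is used here) gets a 1:1 static entry that consumes a whole pool address, and a `nonpatdrop` flag stands in for `ip nat settings nonpatdrop`. The three-address pool in 203.0.113.0/24, the inside hosts in 10.0.0.0/8 and the traffic mix are all assumptions chosen to show pool exhaustion quickly.

```python
"""Toy model of dynamic NAT with overload (constructed example, not Cisco code).
PATable protocols share one pool address by rewriting the source port; any other
protocol gets a 1:1 static entry that consumes a whole pool address, which is
how a few non-PATable hosts exhaust a small pool. `nonpatdrop` models the
`ip nat settings nonpatdrop` command from the thread."""

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Tuple

PATABLE = {"tcp", "udp", "icmp"}  # protocols with a port/identifier NAT can rewrite


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: Optional[int] = None  # None for protocols without ports (GRE, ESP, ...)


@dataclass
class NatPool:
    free: list                                   # pool addresses not yet allocated
    nonpatdrop: bool = False                     # model of `ip nat settings nonpatdrop`
    pat_address: Optional[str] = None            # the one address shared by all PAT flows
    next_port: int = 1024
    pat_entries: dict = field(default_factory=dict)     # (proto, ip, port) -> (pool ip, port)
    static_entries: dict = field(default_factory=dict)  # pool ip -> inside ip (1:1 entry)
    drops: list = field(default_factory=list)           # (packet, reason)

    def outbound(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        """Translate an inside->outside packet; return (pool ip, port) or None if dropped."""
        if pkt.proto in PATABLE:
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            if key in self.pat_entries:
                return self.pat_entries[key]
            if self.pat_address is None:          # first PAT flow claims a pool address
                if not self.free:
                    self.drops.append((pkt, "pool exhausted"))
                    return None
                self.pat_address = self.free.pop(0)
            entry = (self.pat_address, self.next_port)
            self.next_port += 1
            self.pat_entries[key] = entry
            return entry
        # Non-PATable packet: drop it outright, or burn a whole pool address on a 1:1 entry.
        if self.nonpatdrop:
            self.drops.append((pkt, "nonpatdrop"))
            return None
        for pool_ip, inside in self.static_entries.items():
            if inside == pkt.src_ip:              # this host already holds a 1:1 entry
                return (pool_ip, None)
        if not self.free:
            self.drops.append((pkt, "pool exhausted"))
            return None
        pool_ip = self.free.pop(0)
        self.static_entries[pool_ip] = pkt.src_ip
        return (pool_ip, None)

    def inbound_target(self, dst_ip: str) -> Optional[str]:
        """Inside host that an unsolicited outside->inside packet to dst_ip reaches.
        A 1:1 static entry provides the reverse path the thread calls a backdoor;
        an address used only for PAT has no such path, so None is returned."""
        return self.static_entries.get(dst_ip)


def simulate(nonpatdrop: bool) -> dict:
    """Push constructed traffic through a three-address pool and summarise the result."""
    pool = NatPool(free=["203.0.113.1", "203.0.113.2", "203.0.113.3"], nonpatdrop=nonpatdrop)
    traffic = [Packet("gre", f"10.0.1.{i}") for i in range(1, 5)]              # 4 GRE hosts first
    traffic += [Packet("tcp", f"10.0.0.{i}", 40000 + i) for i in range(1, 21)]  # then 20 TCP flows
    for pkt in traffic:
        pool.outbound(pkt)
    return {
        "pat_entries": len(pool.pat_entries),
        "static_entries": len(pool.static_entries),
        "free_addresses": len(pool.free),
        "drop_reasons": dict(Counter(reason for _, reason in pool.drops)),
        "reverse_path_to": pool.inbound_target("203.0.113.2"),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"nonpatdrop={flag}: {simulate(flag)}")
```

Without the flag, three GRE hosts take every pool address as 1:1 entries, the fourth GRE host and all twenty TCP flows are dropped for pool exhaustion, and an unsolicited packet to 203.0.113.2 is forwarded to 10.0.1.2 through the static entry. With the flag, the four GRE packets are dropped up front, the TCP flows are all PATed through a single address, two addresses stay free and no reverse path exists, which is the trade-off the second reply describes: either keep non-PATable protocols away from the router or accept that they are dropped.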