Unexpected Behaviour of Dynamic NAT with Non-Pattable Traffic

Available Languages

Download Options

  • PDF     (5.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (67.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (67.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 26, 2018
Document ID:212922

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the unexpected behaviour of dynamic Network Address Translation (NAT) with Non-Pattable traffic on IOS® devices.

    Problem

    Non-Pattable traffic creates half-entries in NAT translations table in case of dynamic NAT. These entries pose as a security risk since they work for outside-to-inside traffic.

    NAT Configuration:

    ip nat pool ATT_FIBER 10.10.10.1 10.10.10.6 netmask  255.255.255.248
    ip nat inside source list GUEST_SUBNET pool ATT_FIBER overload
    ip nat inside source list OFFICE_SUBNETS pool ATT_FIBER overload

    ip access-list extended OFFICE_SUBNETS
     deny   ip 172.16.26.0 0.0.0.127 any
     permit ip 172.16.8.0 0.0.1.255 any

    ip access-list extended GUEST_SUBNET
     permit ip 172.16.26.0 0.0.0.127 any

    udp 10.10.10.1:49370    172.16.9.9:49370      192.168.1.1:53      192.168.1.1:53
    udp 10.10.10.1:49535    172.16.9.9:49535      192.168.2.2:53    192.168.2.2:53
    tcp 10.10.10.1:53133    172.16.9.9:53133      192.168.3.3:80     192.168.3.3:80
    tcp 10.10.10.1:56311    172.16.9.9:56311      192.168.4.4:5816    192.168.4.4:5816
    --- 10.10.10.1         172.16.9.9            ---                   ---

    Half entries are created in certain cases where there is a mapping of inside -> outside or when packet is initiated from inside -> outside.

    When the router is configured for NAT overload (Port Addess Translation (PAT)) and non-pattable traffic hits the router, non-pattable bind entries get created for this traffic. It leads to this kind of entry in the NAT table:


    --- 10.10.10.1        172.16.9.9            ---                   ---


    This bind entry consumes an entire address from the pool. In this example, 10.10.10.1 is an address from an overloaded pool.

    That means an inside local IP Address gets bound to the outside global IP which is similar to static NAT. Because of this, until the current entry gets timed out, new inside local IP Addresses cannot use this global IP Address. All the translation created for this bind is 1-to-1 translations instead of overload.

    Solution

    In order to solve this issue, you can use route-maps with dynamic NAT.  With route-maps, NAT won't create half-entries or use interface overload instead of pool overload. Non-pattable bindings are not created in case of interface overload.

    TAC Authored

    Contributed by Cisco Engineers

    • Komal Agrawal
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products