Sorting NAT Statements... producing useless diffs...

Roderick B. Greening Roderick.Greening at gt.ca
Sat Jun 11 17:12:29 UTC 2005


Here's how my router sees NAT:

ubr900(config)#ip nat ?
  Stateful     Stateful NAT configuration commands
  inside       Inside address translation
  log          NAT Logging
  outside      Outside address translation
  pool         Define pool of addresses
  service      Special translation for application using non-standard port
  translation  NAT translation entry configuration
 
ubr900(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

ubr900(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

ubr900(config)#ip nat inside source static ?
  A.B.C.D  Inside local IP address
  esp      IPSec-ESP (Tunnel mode) support
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

ubr900(config)#ip nat inside source static tcp ?
  A.B.C.D  Inside local IP address

ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
  <1-65535>  Local UDP/TCP port

ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
  A.B.C.D    Inside global IP address
  interface  Specify interface for global address

The 3rd field can be (inside|outside)
The 4th field can be (source|destination) *note: for outside translation,
only source is available
The 5th field can be (list|route-map|static)

At this point, we probably need to be able to split list|route-map|static
off.

List and route-map are basically the same, and have all the same options:

ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool
(\S+)

For static translations, we have the following:

ip nat (inside|outside) (source|destination) static
(tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+) 

If it's (tcp|udp|esp) then you have an IP address and port number followed
by either another IP address and port number or the keyword interface
replaces the second IP address.

Is this enough detail?

Thanks.
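As an added illustration of the field grammar laid out above (my own Python model, not rancid's Perl or any code from the thread): a sort key that gives list/route-map (overload) rules a fixed place ahead of the static entries and orders static entries by inside local address, then local port, then protocol keyword, so the diffs quoted below would not recur. The sample lines are constructed to mirror the forms in the thread; the regex and function names are my own.

```python
import re

# Constructed sample lines (not a real device config) mirroring the forms
# seen in the thread: overload rules, tcp/udp static entries, plain static.
SAMPLE_LINES = [
    "ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632",
    "ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631",
    "ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631",
    "ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632",
    "ip nat inside source route-map nonat interface cable-modem0 overload",
    "ip nat inside source list 1 interface cable-modem0 overload",
    "ip nat inside source static 10.0.0.5 203.0.113.5",
]

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# list|route-map forms: fields 3..5 as described above, field 6 is the name.
DYNAMIC_RE = re.compile(
    r"^ip nat (inside|outside) (source|destination) (list|route-map) (\S+)"
)
# static forms: optional tcp|udp|esp|network keyword, then the inside local
# address; a bare numeric token after it is the local port (tcp/udp/esp only).
STATIC_RE = re.compile(
    rf"^ip nat (inside|outside) (source|destination) static "
    rf"(?:(tcp|udp|esp|network) )?({IPV4})(?: (\d+)(?=\s|$))?"
)

def nat_sort_key(line):
    """Group 0: list/route-map (overload) rules, by kind then name.
    Group 1: static entries, by numeric address, then port, then protocol.
    Group 2: anything else, left in textual order at the end."""
    m = DYNAMIC_RE.match(line)
    if m:
        return (0, m.group(1), m.group(2), m.group(3), m.group(4), line)
    m = STATIC_RE.match(line)
    if m:
        direction, kind, proto, ip, port = m.groups()
        ip_key = tuple(int(octet) for octet in ip.split("."))  # 10.0.0.9 < 10.0.0.10
        return (1, direction, kind, ip_key, int(port or 0), proto or "", line)
    return (2, line)

def sort_nat(lines):
    """Canonical order: every permutation of the input yields the same output."""
    return sorted(lines, key=nat_sort_key)

if __name__ == "__main__":
    for nat_line in sort_nat(SAMPLE_LINES):
        print(nat_line)
```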


-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Friday, June 10, 2005 9:20 PM
To: Roderick B. Greening
Cc: 'rancid-discuss at shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...

sigh, I don't have a pix, but from the manual, I think rancid's match is
deficient.

        /^ip nat (\S+) source static (\S+)/ &&

doesn't handle a protocol field (udp|tcp) as the 6th field.

        /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
            ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;

the IP match probably ought to be more specific too,

        /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&

What options are available for the 6th field?

Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> Hi,
> 
> I keep getting uninteresting diffs like the following:
> 
> retrieving revision 1.10
> diff -U4 -r1.10 <FILENAME REMOVED>
> @@ -101,11 +101,11 @@
>    no keepalive
> !   
>   ip default-gateway <IP REMOVED>
> + ip nat inside source route-map nonat interface cable-modem0 overload
>   ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0
> 5632
>   ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0
> 5631
> - ip nat inside source route-map nonat interface cable-modem0 overload
>   ip classless
>   no ip http server
>   no ip http secure-server
>   no ip http cable-monitor
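Review bot: the `-`/`+` pair in this hunk is the same `ip nat inside source route-map nonat interface cable-modem0 overload` statement moved from after the two static entries to before them; no translation was added or removed. The match in the reply above (`/^ip nat (\S+) source static (\S+)/`) only keys static lines, so the route-map line has no fixed position relative to them; giving list/route-map (overload) statements their own key that sorts ahead of the static ones would pin it and make this hunk disappear.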
>  
> It appears that the sort routine for NAT needs some augmentation to order
> non-static entries as well to try and forces these to appear either before
> or after the static ones. Any thoughts?
> 
> There are two main types of entry I use for overloading:
> 
> ip nat inside source list 1 interface cable-modem0 overload
> 
> 	and
> 
> ip nat inside source route-map nonat interface cable-modem0 overload
> 
> The important (non-changing) bits are the "overload" and the "list" vs
> "route-map".
> 
> I'd like to augment the NAT/sort/ProcessHistory to force overloaded
> statements to appear at the top of the NAT history.
> 
> Also, I've noticed that I receive the following diff's regularly:
> 
> retrieving revision 1.3
> diff -U4 -r1.3 <FILENAME REMOVED>
> @@ -76,12 +76,12 @@
>    no cable-modem compliant bridge
>   !
>   ip default-gateway <IP REMOVED>
>   ip nat inside source list 1 interface cable-modem0 overload
> - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> 5632
>   ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0
> 5631
> - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> 5631
> + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> 5632
>   ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0
> 5632
> + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> 5631
>   ip classless
>   no ip http server
>   !
>   logging trap notifications
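Review bot: the four `-`/`+` lines are the same four static translations for 192.168.1.20 permuted (udp 5632 and tcp 5631 removed, then re-added in different positions); the set of translations is unchanged. With the match above, `$2` captures `udp`/`tcp` rather than the address, as John notes, so all entries for one protocol share a key and their relative order is whatever the device printed; keying on address, then port, then protocol would make this hunk disappear.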
> 
> Notice that no actual config changes have occurred. The NAT sort routine only
> sorts on IP with no consideration to the same IP having multiple ports being
> translated. It should also sort on port (at least in my case I'd like this).
> 
> Has anyone provided (or can provide) a way to augment the NAT sorting rules?
> I'd like to reduce the amount of diff mails I receive, as I currently have a
> few hundred of these out in the field and I constantly get diffs with no
> real changes.
> 
> Thanks in advance,
> 
> Rod.
> 
> 
> Roderick B. Greening, B.Sc.
> Manager, Provisioning & Technical Support
> Atlantic Region
> group telecom, a Bell Canada Company
> 541 Kenmount Rd.
> St. John's, NF
> (709) 757-1328 (Office)
> (709) 685-3681 (Mobile)
> (709) 757-1201 (Fax)
> rgreening at gt.ca
> 
> 
> 