Sorting NAT Statements... producing useless diffs...

'john heasley' heas at shrubbery.net
Sat Jun 11 21:52:19 UTC 2005 

Is there any significance to the order of (list|route-map|static) or
(ip|esp|network|tcp|udp)?

Sat, Jun 11, 2005 at 10:12:29AM -0700, Roderick B. Greening:
> Here's how my router see's NAT:
> 
> ubr900(config)#ip nat ?
>   Stateful     Stateful NAT configuration commands
>   inside       Inside address translation
>   log          NAT Logging
>   outside      Outside address translation
>   pool         Define pool of addresses
>   service      Special translation for application using non-standard port
>   translation  NAT translation entry configuration
>  
> ubr900(config)#ip nat inside ?
>   destination  Destination address translation
>   source       Source address translation
> 
> ubr900(config)#ip nat inside source ?
>   list       Specify access list describing local addresses
>   route-map  Specify route-map
>   static     Specify static local->global mapping
> 
> ubr900(config)#ip nat inside source static ?
>   A.B.C.D  Inside local IP address
>   esp      IPSec-ESP (Tunnel mode) support
>   network  Subnet translation
>   tcp      Transmission Control Protocol
>   udp      User Datagram Protocol
> 
> ubr900(config)#ip nat inside source static tcp ?
>   A.B.C.D  Inside local IP address
> 
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
>   <1-65535>  Local UDP/TCP port
> 
> ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
>   A.B.C.D    Inside global IP address
>   interface  Specify interface for global address
> 
> The 3rd field can be (inside|outside)
> The 4th field can be (source|destination) *note: for outside translation,
> only source if available
> The 5th field can be (list|route-map|static)
> 
> At this point, we probably need to be able to split list|route-map|static
> off.
> 
> List and route-map are basically the same, and have all the same options:
> 
> ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool
> (\S+)
> 
> For static translations, we have the following:
> 
> ip nat (inside|outside) (source|destination) static
> (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+) 
> 
> If it's (tcp|udp|esp) then you have an IP address and port number followed
> by either another IP address and port number or the keyword interface
> replaces the second IP address.
> 
> Is this enough detail?
> 
> Thanks.
> 
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Friday, June 10, 2005 9:20 PM
> To: Roderick B. Greening
> Cc: 'rancid-discuss at shrubbery.net'
> Subject: Re: Sorting NAT Statements... producing useless diffs...
> 
> sigh, I dont have a pix, but from the manual, I think rancid's match is
> deficient.
> 
>         /^ip nat (\S+) source static (\S+)/ &&
> 
> doesn't handle a protocol field (udp|tcp) as the 6th field.
> 
>         /^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
>             ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;
> 
> the IP match probably ought be more specific too,
> 
>         /^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&
> 
> What options are available for the 6th field?
> 
> Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> > Hi,
> > 
> > I keep getting uninteresting diffs like the following:
> > 
> > retrieving revision 1.10
> > diff -U4 -r1.10 <FILENAME REMOVED>
> > @@ -101,11 +101,11 @@
> >    no keepalive
> > !   
> >   ip default-gateway <IP REMOVED>
> > + ip nat inside source route-map nonat interface cable-modem0 overload
> >   ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0
> > 5632
> >   ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0
> > 5631
> > - ip nat inside source route-map nonat interface cable-modem0 overload
> >   ip classless
> >   no ip http server
> >   no ip http secure-server
> >   no ip http cable-monitor
> >  
> > It appears that the sort routine for NAT needs some augmentation to order
> > non-static entries as well to try and forces these to appear either before
> > or after the static ones. Any thoughts?
> > 
> > There are two main types of entry I use for overloading:
> > 
> > ip nat inside source list 1 interface cable-modem0 overload
> > 
> > 	and
> > 
> > ip nat inside source route-map nonat interface cable-modem0 overload
> > 
> > The important (non-changing) bits are the "overload" and the "list" vs
> > "route-map".
> > 
> > I'd like to augment the NAT/sort/ProcessHistory to force overloaded
> > statements to appear at the top of the NAT history.
> > 
> > Also, I've noticed that I receive the following diff's regularly:
> > 
> > retrieving revision 1.3
> > diff -U4 -r1.3 <FILENAME REMOVED>
> > @@ -76,12 +76,12 @@
> >    no cable-modem compliant bridge
> >   !
> >   ip default-gateway <IP REMOVED>
> >   ip nat inside source list 1 interface cable-modem0 overload
> > - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> > 5632
> >   ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0
> > 5631
> > - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> > 5631
> > + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> > 5632
> >   ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0
> > 5632
> > + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> > 5631
> >   ip classless
> >   no ip http server
> >   !
> >   logging trap notifications
> > 
> > Notice that no actual config changes have occured. The NAT sort routine
> only
> > sorts on IP with no consideration to the same IP having multiple ports
> being
> > translated. It should also sort on port (at least in my case I'd like
> this).
> > 
> > Has anyone provided (or can provide) a way to augment the NAT sorting
> rules?
> > I'd like to reduce the amount of diff mails I receive, as I currenly have
> a
> > few hundred of these out in the field and I constantly get diffs with no
> > real changes.
> > 
> > Thank in advance,
> > 
> > Rod.
> > 
> > 
> > Roderick B. Greening, B.Sc.
> > Manager, Provisioning & Technical Support
> > Atlantic Region
> > group telecom, a Bell Canada Company
> > 541 Kenmount Rd.
> > St. John's, NF
> > (709) 757-1328 (Office)
> > (709) 685-3681 (Mobile)
> > (709) 757-1201 (Fax)
> > rgreening at gt.ca
> > 
> > 
> >

More information about the Rancid-discuss mailing list