I have observed a new behavior of NAT in 12.4.10b; for packets coming infrom outside to inside and if a dynamic NAT entry exists in the nat translation table for the destination address (inside local) of packets coming into the router from outside, the communication does not work. If there is no NAT entry in the NAT translation table, the communication from outside to inside works fine.
Here is sample config;
Router with NAT configured
ip nat inside
ip address 10.1.12.2 255.255.255.0
ip nat outside
ip address 10.1.23.2 255.255.255.0
ip nat pool test 126.96.36.199 188.8.131.52 netmask 255.255.255.0
ip nat inside list 101 pool test
ip access-list 101 permit ip host 184.108.40.206 host 220.127.116.11
ip route 18.104.22.168 255.255.255.255 10.1.23.3
ip route 22.214.171.124 255.255.255.255 10.1.12.1
ip route 0.0.0.0 0.0.0.0 10.1.23.3
(Outside world is aware of 126.96.36.199 ip address that outside world is aware of inside local ip address as well)
- 188.8.131.52 can connect to 184.108.40.206 without any problem and NAT inside to outside happens fine and translates 220.127.116.11 to 18.104.22.168
-Above connectivity create NAT table entries
-With the presence of NAT table entries in NAT Cache, if some other IP address from outside tries to connect to the inside local iP address 22.214.171.124, the communication does not work and I see that NAT is kicking in and translation 126.96.36.199 to 188.8.131.52; I do not understand as why this is happening because the configuration of NAT and access list 101 are not applicable to the session initiated from outside to inside.
Further I simulated the similar scenario using 12.2 IOS and no issues at all. Outsider are able to talk to talk to inside local ip without any problem.
Does anyone knows if this is a new NAT beahivor after 12.2 or does this sounds like a BUG