12-13-2007 08:34 PM - edited 03-03-2019 07:56 PM
Hi...
I have not used NAT on Cisco routers for a while (last time was on IOS 12.1), and I noticed that the command above (ip virtual-reassembly) is enabled by default when NAT is configured on an interface (starting from 12.3 something).
My question is: is it safe to remove this command from NAT-enabled interface? Reason being, we believe that this command is the root cause of several weird issues we've been experiencing. One of which was on ISDN BRI S/T interface. It appeared that any packets less than 500 bytes in size are dropped when this command is enabled.
12-13-2007 08:58 PM
This link explains what it does:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_i2h.htm#wp1147733
12-13-2007 09:02 PM
Edison,
Thank you for your prompt reply. I have read that document before. It still does not say if the command can safely be removed from a NAT-enabled interface.
12-13-2007 09:07 PM
It's not best practice to disable it but if you think that's the root of the problem, test it and see if it does.
I haven't seen anyone claiming that command creates a problem in their network connectivity.
12-13-2007 09:15 PM
OK. So, are you saying that removing the command will not stop NAT operation? Based on what I've read, this command appears to be a "safety measure" against some attacks, and that it does not really actively participate in NAT-ing operation. Can you confirm this?
Thanks.
12-13-2007 09:20 PM
Confirmed.
12-13-2007 09:23 PM
Thank you. That's all I wanna know. :)
Although this command may not cause issues in your experience, specifically on our customer's network, we've seen evidence that this may cause some problems. May not be the command, per se. Could be IOS bug.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: