Ivan Pepelnjak wrote:

> Obviously the router does NOT check the "ip nat" rules if it gets a match in
> the NAT translation table. This behavior makes sense; if you'd change the NAT parameters
> of a live session, you'd lose the session anyway.

The problem is that the session stays active. I want the session to be lost. I believe the rules should be adhered to a bit more strictly.

If the current matching nat statement would result in a different value for the inside global address, then a new translation should be called for.

It isn't actually all that hard to check for, conceptually.

(What would you expect to happen when the DHCP client address changes on the egress interface? Or if you change the ip address on an interface referenced by the ip nat statement?)

Apparently, the end stations don't change the source port for new attempts. So as far as the router is concerned, unless those VoIP handsets are off the network beyond the UDP session timeout, they will never reconnect through the new egress.

This behavior has very disruptive end user symptoms.



Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
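The behaviour argued about in this thread (translation-table hit wins over the current "ip nat" rules, so a handset that keeps reusing the same UDP source port never picks up a changed inside global address until its entry idles out) is easy to see in a small simulation. The following is an added, constructed model written for this archive page; it is not IOS code and not something from the posters. The class and rule names, the prefix-string matching, the `strict` switch that models the stricter re-validation the reply asks for, and the 10.1.1.20 / 203.0.113.1 / 198.51.100.7 addresses are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Flow key as a NAT router would see it: (inside local address, source port, protocol).
FlowKey = Tuple[str, int, str]


@dataclass
class NatRule:
    """Constructed stand-in for one 'ip nat inside source' style rule."""
    inside_prefix: str   # matched by simple string prefix (assumption, keeps the model tiny)
    inside_global: str   # address the rule currently translates to (e.g. the egress address)


@dataclass
class Translation:
    inside_global: str   # global address frozen into the table when the entry was created
    idle: int = 0        # seconds since the last packet refreshed this entry


class NatRouter:
    """Translation table consulted first; rules only consulted on a miss (or in strict mode)."""

    def __init__(self, rules: List[NatRule], udp_timeout: int = 300, strict: bool = False):
        self.rules = rules
        self.table: Dict[FlowKey, Translation] = {}
        self.udp_timeout = udp_timeout
        self.strict = strict   # False = behaviour described in the thread; True = proposed re-validation

    def match_rule(self, inside_local: str) -> Optional[NatRule]:
        """First-match rule lookup over the current configuration."""
        for rule in self.rules:
            if inside_local.startswith(rule.inside_prefix):
                return rule
        return None

    def translate(self, key: FlowKey) -> Optional[str]:
        """Return the inside global address used for this packet, creating an entry if needed."""
        inside_local, _sport, _proto = key
        entry = self.table.get(key)
        if entry is not None:
            entry.idle = 0   # any packet on the flow refreshes the idle timer
            if not self.strict:
                return entry.inside_global   # table hit: rules are not consulted at all
            # Strict variant: if the rules would now give a different global address,
            # discard the stale entry and fall through to build a fresh one.
            rule = self.match_rule(inside_local)
            if rule is not None and rule.inside_global == entry.inside_global:
                return entry.inside_global
            del self.table[key]
        rule = self.match_rule(inside_local)
        if rule is None:
            return None   # no rule matches: packet is forwarded untranslated / dropped by policy
        self.table[key] = Translation(rule.inside_global)
        return rule.inside_global

    def tick(self, seconds: int) -> None:
        """Advance time; entries idle for the full UDP timeout are aged out."""
        for key in list(self.table):
            self.table[key].idle += seconds
            if self.table[key].idle >= self.udp_timeout:
                del self.table[key]


def scenario(strict: bool) -> List[str]:
    """A handset re-registers from the same UDP source port after the egress address changes."""
    router = NatRouter([NatRule("10.1.1.", "203.0.113.1")], udp_timeout=300, strict=strict)
    phone: FlowKey = ("10.1.1.20", 5060, "udp")
    seen = [router.translate(phone)]                 # first registration creates the entry
    router.rules[0].inside_global = "198.51.100.7"   # egress address changes (e.g. DHCP renew)
    router.tick(60)                                  # phone retries a minute later, same port
    seen.append(router.translate(phone))
    router.tick(60)                                  # and again; each packet refreshes the timer
    seen.append(router.translate(phone))
    return seen


def after_timeout() -> Tuple[str, str]:
    """Without strict mode the only cure is silence longer than the UDP timeout."""
    router = NatRouter([NatRule("10.1.1.", "203.0.113.1")], udp_timeout=300)
    phone: FlowKey = ("10.1.1.20", 5060, "udp")
    before = router.translate(phone)
    router.rules[0].inside_global = "198.51.100.7"
    router.tick(300)   # handset off the network for the whole timeout: entry ages out
    return before, router.translate(phone)


if __name__ == "__main__":
    print("table-hit-wins:", scenario(strict=False))
    print("strict re-validation:", scenario(strict=True))
    print("after idle timeout:", after_timeout())
```

With `strict=False` every retry keeps the old 203.0.113.1 mapping because each packet refreshes the idle timer before the rules would ever be consulted; only `after_timeout()` (no traffic for the full timeout) or a change of source port produces a new entry. With `strict=True` the second packet already comes out with 198.51.100.7, which is the behaviour the reply is arguing for. Real IOS also manages port allocation, overload (PAT) and per-protocol timers that this model leaves out.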
