[c-nsp] FW: Static PAT problem

RawCode gonnason at gmail.com
Wed Mar 23 01:53:41 EST 2005


I am running Version 12.3(11)T2 on my soho91. How about this.

Do a "clear access-list counters 101"

And then try a telnet session to port 81 and see if you see a match on
the access list using "sh access-list 101". If the packet is making it
to the interface, it WILL show up on the access-list.

If not, I am starting to run out of ideas!


On Tue, 22 Mar 2005 20:51:54 -0500, Andrew Herdman <andrew at whine.com> wrote:
> Yes, I have both;
> 
> ip inspect name DEFAULT100 cuseeme
> ip inspect name DEFAULT100 ftp
> ip inspect name DEFAULT100 h323
> ip inspect name DEFAULT100 netshow
> ip inspect name DEFAULT100 rcmd
> ip inspect name DEFAULT100 realaudio
> ip inspect name DEFAULT100 rtsp
> ip inspect name DEFAULT100 smtp
> ip inspect name DEFAULT100 sqlnet
> ip inspect name DEFAULT100 streamworks
> ip inspect name DEFAULT100 tftp
> ip inspect name DEFAULT100 tcp
> ip inspect name DEFAULT100 udp timeout 900
> ip inspect name DEFAULT100 vdolive
> ip inspect name DEFAULT100 icmp
> ip inspect name DEFAULT100 fragment maximum 256 timeout 1
> ip inspect name DEFAULT100 sip
> ip inspect name DEFAULT100 skinny
> 
> access-list 101 permit udp host 128.138.140.44 any eq ntp
> access-list 101 permit udp host 129.119.3.2 any eq ntp
> access-list 101 permit udp host x.x.x.147 any eq 10000
> access-list 101 permit udp host x.x.x.147 any eq non500-isakmp
> access-list 101 permit udp host x.x.x.147 any eq isakmp
> access-list 101 permit esp host x.x.x.147 any
> access-list 101 permit ahp host x.x.x.147 any
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 permit icmp any any unreachable
> access-list 101 permit icmp any host x.x.x.x.254 echo
> access-list 101 permit udp any eq 5060 any
> access-list 101 permit tcp any any eq 22
> access-list 101 permit udp x.x.x.0 0.0.0.255 any eq snmp
> access-list 101 permit tcp any any eq 3389
> access-list 101 permit tcp any any eq 81
> access-list 101 deny   ip any any
> 
> Thanks
>   Andrew
> 
> 
> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Tuesday, March 22, 2005 5:22 PM
> To: Andrew Herdman
> Cc: 'Gert Doering'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] FW: Static PAT problem
> 
> Hi,
> 
> On Tue, Mar 22, 2005 at 03:41:28PM -0500, Andrew Herdman wrote:
> > I performed a small shell script to test and get some debug info from the
> > router, so running "while true; do telnet x.x.x.254 81; done" and "debug ip
> > nat detail" running.  I noticed that the only nat going on during this
> > entire time was my SSH session to the server doing the poking of port 81.
> > Not once did the log show a NAT attempt or anything for port 81...  Hope
> > this tweaks some ideas.
> 
> Weird.  Any ACLs or firewall inspect features on the "outside" interface?
> 
> (I've forgotten the start of the thread, so please excuse me if that was
> already included)
> 
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> 
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

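An added example, not part of the thread, that automates the counter check RawCode describes: feed it the text of `show access-list 101` captured right after `clear access-list counters 101` and again after the port-81 telnet probes, and it reports whether the port-81 entry gained matches. The sample output below is constructed, and the sequence numbers in it are assumed to be what this IOS release prints.

```python
import re

# One ACE line of IOS "show access-list" output: optional sequence number
# (assumed to be displayed on this release), the rule text, and an optional
# hit counter rendered as "(1 match)" or "(N matches)".
ACE_RE = re.compile(
    r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(.*?)\s*(?:\((\d+) matche?s?\))?\s*$")

def parse_show_access_list(text):
    """Map each ACE ('permit tcp any any eq 81') to its match counter."""
    counters = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:  # header lines such as "Extended IP access list 101" are skipped
            _seq, action, rule, count = m.groups()
            counters[f"{action} {rule}"] = int(count) if count else 0
    return counters

def aces_hit(before, after):
    """ACEs whose counter grew between the two snapshots, with the increase."""
    return {ace: after[ace] - before.get(ace, 0)
            for ace in after if after[ace] > before.get(ace, 0)}

def diagnose(before_text, after_text, port):
    """Apply the counter test: did the ACE for <port> gain hits after the probe?"""
    before = parse_show_access_list(before_text)
    after = parse_show_access_list(after_text)
    hits = aces_hit(before, after)
    port_aces = [a for a in after if re.search(rf"\beq {port}\b", a)]
    if not port_aces:
        verdict = "no-ace-for-port"      # the ACL has no entry for this port at all
    elif any(a in hits for a in port_aces):
        verdict = "reached-interface"    # packets arrived; look past the ACL (NAT, inspect)
    else:
        verdict = "not-seen"             # nothing for this port hit the ACL; suspect the path in
    return {"verdict": verdict, "port_aces": port_aces, "hits": hits}

# Constructed sample output: snapshot taken right after
# "clear access-list counters 101", then again after repeated telnets to port 81.
BEFORE = """Extended IP access list 101
    10 permit udp host 128.138.140.44 any eq ntp
    20 permit tcp any any eq 22
    30 permit tcp any any eq 81
    40 deny ip any any
"""
AFTER = """Extended IP access list 101
    10 permit udp host 128.138.140.44 any eq ntp (2 matches)
    20 permit tcp any any eq 22 (57 matches)
    30 permit tcp any any eq 81
    40 deny ip any any (4 matches)
"""

if __name__ == "__main__":
    result = diagnose(BEFORE, AFTER, 81)
    print(result["verdict"], result["hits"])  # not-seen: only SSH and the deny grew
```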
