[cisco-bba] Leakage with NAT Access list

Imad Buhidma imad at lttnet.net
Sat Oct 1 15:50:07 EDT 2005


Hello

We have Weird problem with NAT on CISCO 7200 router, There's  leakage with NAT access list, The nat translation table shows some denied ip addresses can do successful nat . 

The output of "show ip nat translations" command :

Pro   Inside global           Inside local          Outside local         Outside global
icmp  xx.xx.61.2:0          64.0.96.42:0          201.19.11.100:0       201.19.11.100:0
icmp  xx.xx.61.2:0          64.0.96.42:0          203.59.89.117:0       203.59.89.117:0
icmp  xx.xx.61.2:0          64.0.96.42:0          204.96.151.138:0      204.96.151.138:0
icmp  xx.xx.61.2:0          64.0.96.42:0          213.10.113.206:0      213.10.113.206:0
tcp   xx.xx.61.2:113        64.0.96.42:113        134.181.128.1:33639   134.181.128.1:33639
tcp   xx.xx.61.2:113        64.0.96.42:113        209.139.92.14:64944   209.139.92.14:64944
tcp   xx.xx.61.2:139        64.0.96.42:139        xx.xx.185.108:4865    xx.xx.185.108:4865
tcp   xx.xx.61.2:445        64.0.96.42:445        xx.xx.191.202:2823    xx.xx.191.202:2823
udp   xx.xx.61.2:1032       64.0.96.42:1032       64.4.12.201:7001      64.4.12.201:7001
tcp   xx.xx.61.8:135        64.132.47.202:135     xx.xx.186.156:1530    xx.xx.186.156:1530
tcp   xx.xx.61.8:445        64.132.47.202:445     xx.xx.52.12:3102      xx.xx.52.12:3102
udp   xx.xx.61.7:1434       217.139.226.243:1434  222.174.115.18:1032   222.174.115.18:1032
tcp   xx.xx.61.7:3128       217.139.226.243:3128  59.188.4.140:60257    59.188.4.140:60257
tcp   xx.xx.61.2:1100       172.16.16.216:1902    69.90.63.96:80        69.90.63.96:80
tcp   xx.xx.61.2:1174       172.16.16.216:1903    67.15.14.45:80        67.15.14.45:80
udp   xx.xx.61.2:1904       172.16.16.216:1904    xx.xx.42.2:53         xx.xx.42.2:53
udp   xx.xx.61.2:1905       172.16.16.216:1905    xx.xx.42.2:53         xx.xx.42.2:53
tcp   xx.xx.61.2:2464       172.16.16.205:2464    204.127.202.26:25     204.127.202.26:25
tcp   xx.xx.61.2:2465       172.16.16.205:2465    66.148.71.105:8712    66.148.71.105:8712

We permit only 172.16.0.0/16 network but we have other ip addresses in nat translations like  64.0.96.42 , 64.132.47.202 and 217.139.226.243

Here is the configuration of the router which is running IOS c7200-js-mz.123-8.T3


aaa new-model
!
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa session-id unique
ip subnet-zero
!
bba-group pppoe PRIVATE_IP
virtual-template 1
!
interface GigabitEthernet0/1
bandwidth 100000
ip address x.x.x.x x.x.x.x
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type rj45
no negotiation auto
no keepalive
no cdp enable
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.1 multipoint
range pvc 10/35 10/135
  protocol pppoe group PRIVATE_IP
!
range pvc 12/35 12/135
  protocol pppoe group PRIVATE_IP
!
range pvc 13/35 13/135
  protocol pppoe group PRIVATE_IP
!
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
ip access-group 112 in
ip mtu 1492
ip nat inside
ip virtual-reassembly
peer ip address forced
peer default ip address pool PRIVATE_IP_POOL
ppp authentication pap chap
!
ip local pool PRIVATE_IP_POOL 172.16.0.1 172.16.255.254
!
ip nat pool NAT_POOL xx.xx.61.1 xx.xx.61.254 netmask 255.255.255.0
ip nat inside source list 111 pool NAT_POOL overload
!
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny   ip any any
access-list 112 deny   ip any 192.168.0.0 0.0.255.255
access-list 112 deny   ip any 172.16.0.0 0.15.255.255
access-list 112 deny   ip any 10.0.0.0 0.255.255.255
access-list 112 permit ip 172.16.0.0 0.0.255.255 any
access-list 112 deny   ip any any


Can anyone explain what's happening?

 


 
                   


More information about the cisco-bba mailing list