[cisco-bba] Leakage with NAT Access list

Imad Buhidma imad at lttnet.net
Sat Oct 1 15:50:07 EDT 2005


We have a weird problem with NAT on a Cisco 7200 router. There's leakage with the NAT access list: the NAT translation table shows that some denied IP addresses can do successful NAT.

The output of the "show ip nat translations" command:

Pro   Inside global           Inside local          Outside local         Outside global
icmp  xx.xx.61.2:0
icmp  xx.xx.61.2:0
icmp  xx.xx.61.2:0
icmp  xx.xx.61.2:0
tcp   xx.xx.61.2:113
tcp   xx.xx.61.2:113
tcp   xx.xx.61.2:139        xx.xx.185.108:4865    xx.xx.185.108:4865
tcp   xx.xx.61.2:445        xx.xx.191.202:2823    xx.xx.191.202:2823
udp   xx.xx.61.2:1032
tcp   xx.xx.61.8:135     xx.xx.186.156:1530    xx.xx.186.156:1530
tcp   xx.xx.61.8:445     xx.xx.52.12:3102      xx.xx.52.12:3102
udp   xx.xx.61.7:1434
tcp   xx.xx.61.7:3128
tcp   xx.xx.61.2:1100
tcp   xx.xx.61.2:1174
udp   xx.xx.61.2:1904    xx.xx.42.2:53         xx.xx.42.2:53
udp   xx.xx.61.2:1905    xx.xx.42.2:53         xx.xx.42.2:53
tcp   xx.xx.61.2:2464
tcp   xx.xx.61.2:2465

We permit only the network, but we have other IP addresses in the NAT translations like , and

Here is the configuration of the router, which is running IOS c7200-js-mz.123-8.T3:

aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa session-id unique
ip subnet-zero
bba-group pppoe PRIVATE_IP
 virtual-template 1
interface GigabitEthernet0/1
 bandwidth 100000
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 no keepalive
 no cdp enable
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
interface ATM1/0.1 multipoint
 range pvc 10/35 10/135
  protocol pppoe group PRIVATE_IP
 range pvc 12/35 12/135
  protocol pppoe group PRIVATE_IP
 range pvc 13/35 13/135
  protocol pppoe group PRIVATE_IP
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip access-group 112 in
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly
 peer ip address forced
 peer default ip address pool PRIVATE_IP_POOL
 ppp authentication pap chap
ip local pool PRIVATE_IP_POOL
ip nat pool NAT_POOL xx.xx.61.1 xx.xx.61.254 netmask
ip nat inside source list 111 pool NAT_POOL overload
access-list 111 permit ip any
access-list 111 deny   ip any any
access-list 112 deny   ip any
access-list 112 deny   ip any
access-list 112 deny   ip any
access-list 112 permit ip any
access-list 112 deny   ip any any

Can anyone explain what's happening?
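As an added check that is not part of the original post: a Python script that parses "show ip nat translations" output and flags every row whose inside-local address lies outside the networks that the NAT source access list (list 111 here) is meant to permit. The sample output and the 10.10.0.0/16 permitted network are constructed stand-ins, since the post masks its addresses; rows with fewer than five columns (like the truncated ones above) are skipped.

```python
# Added example, not from the original post: audit a "show ip nat translations"
# dump against the networks the NAT source ACL actually permits, and report
# inside-local addresses that should never have received a translation.
import ipaddress
import re

# Constructed sample output; the real post's addresses were masked with xx.xx.
SAMPLE_TRANSLATIONS = """\
Pro   Inside global           Inside local          Outside local         Outside global
tcp   198.51.100.2:1100      10.10.0.25:1100       203.0.113.9:80        203.0.113.9:80
udp   198.51.100.2:1904      10.10.0.77:1904       192.0.2.53:53         192.0.2.53:53
tcp   198.51.100.2:2464      172.16.4.4:2464       203.0.113.9:443       203.0.113.9:443
tcp   198.51.100.8:135       198.51.100.8:135      203.0.113.50:1530     203.0.113.50:1530
"""

# Constructed stand-in for "access-list 111 permit ip <network> <wildcard> any".
PERMITTED_INSIDE = [ipaddress.ip_network("10.10.0.0/16")]

# One translation row: protocol plus four address[:port] columns.
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)

def split_addr(token):
    """Split 'a.b.c.d:port' into (ip, port); port is None when absent."""
    host, sep, port = token.rpartition(":")
    if not sep:                      # bare address, no port (e.g. static entries)
        host, port = token, ""
    return ipaddress.ip_address(host), (int(port) if port.isdigit() else None)

def parse_translations(text):
    """Yield one dict per translation row; header and short lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") == "Pro":
            continue
        yield {
            "proto": m.group("proto"),
            "inside_global": split_addr(m.group("ig")),
            "inside_local": split_addr(m.group("il")),
            "outside_local": split_addr(m.group("ol")),
            "outside_global": split_addr(m.group("og")),
        }

def find_leaks(text, permitted):
    """Return rows whose inside-local address is outside every permitted network."""
    return [row for row in parse_translations(text)
            if not any(row["inside_local"][0] in net for net in permitted)]

if __name__ == "__main__":
    for row in find_leaks(SAMPLE_TRANSLATIONS, PERMITTED_INSIDE):
        ip, port = row["inside_local"]
        print(f"LEAK {row['proto']} inside-local {ip}:{port} -> global {row['inside_global'][0]}")
```

Run it against a pasted dump from the router and replace PERMITTED_INSIDE with the networks from your own permit entries; any row it prints is a translation the ACL should have blocked.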
