[cisco-bba] Leakage with NAT Access list
Imad Buhidma
imad at lttnet.net
Sat Oct 1 15:50:07 EDT 2005
Hello
We have Weird problem with NAT on CISCO 7200 router, There's leakage with NAT access list, The nat translation table shows some denied ip addresses can do successful nat .
The output of "show ip nat translations" command :
Pro Inside global Inside local Outside local Outside global
icmp xx.xx.61.2:0 64.0.96.42:0 201.19.11.100:0 201.19.11.100:0
icmp xx.xx.61.2:0 64.0.96.42:0 203.59.89.117:0 203.59.89.117:0
icmp xx.xx.61.2:0 64.0.96.42:0 204.96.151.138:0 204.96.151.138:0
icmp xx.xx.61.2:0 64.0.96.42:0 213.10.113.206:0 213.10.113.206:0
tcp xx.xx.61.2:113 64.0.96.42:113 134.181.128.1:33639 134.181.128.1:33639
tcp xx.xx.61.2:113 64.0.96.42:113 209.139.92.14:64944 209.139.92.14:64944
tcp xx.xx.61.2:139 64.0.96.42:139 xx.xx.185.108:4865 xx.xx.185.108:4865
tcp xx.xx.61.2:445 64.0.96.42:445 xx.xx.191.202:2823 xx.xx.191.202:2823
udp xx.xx.61.2:1032 64.0.96.42:1032 64.4.12.201:7001 64.4.12.201:7001
tcp xx.xx.61.8:135 64.132.47.202:135 xx.xx.186.156:1530 xx.xx.186.156:1530
tcp xx.xx.61.8:445 64.132.47.202:445 xx.xx.52.12:3102 xx.xx.52.12:3102
udp xx.xx.61.7:1434 217.139.226.243:1434 222.174.115.18:1032 222.174.115.18:1032
tcp xx.xx.61.7:3128 217.139.226.243:3128 59.188.4.140:60257 59.188.4.140:60257
tcp xx.xx.61.2:1100 172.16.16.216:1902 69.90.63.96:80 69.90.63.96:80
tcp xx.xx.61.2:1174 172.16.16.216:1903 67.15.14.45:80 67.15.14.45:80
udp xx.xx.61.2:1904 172.16.16.216:1904 xx.xx.42.2:53 xx.xx.42.2:53
udp xx.xx.61.2:1905 172.16.16.216:1905 xx.xx.42.2:53 xx.xx.42.2:53
tcp xx.xx.61.2:2464 172.16.16.205:2464 204.127.202.26:25 204.127.202.26:25
tcp xx.xx.61.2:2465 172.16.16.205:2465 66.148.71.105:8712 66.148.71.105:8712
We permit only 172.16.0.0/16 network but we have other ip addresses in nat translations like 64.0.96.42 , 64.132.47.202 and 217.139.226.243
Here is the configuration of the router which is running IOS c7200-js-mz.123-8.T3
aaa new-model
!
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa session-id unique
ip subnet-zero
!
bba-group pppoe PRIVATE_IP
virtual-template 1
!
interface GigabitEthernet0/1
bandwidth 100000
ip address x.x.x.x x.x.x.x
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type rj45
no negotiation auto
no keepalive
no cdp enable
!
interface ATM1/0
no ip address
no atm ilmi-keepalive
!
interface ATM1/0.1 multipoint
range pvc 10/35 10/135
protocol pppoe group PRIVATE_IP
!
range pvc 12/35 12/135
protocol pppoe group PRIVATE_IP
!
range pvc 13/35 13/135
protocol pppoe group PRIVATE_IP
!
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
ip access-group 112 in
ip mtu 1492
ip nat inside
ip virtual-reassembly
peer ip address forced
peer default ip address pool PRIVATE_IP_POOL
ppp authentication pap chap
!
ip local pool PRIVATE_IP_POOL 172.16.0.1 172.16.255.254
!
ip nat pool NAT_POOL xx.xx.61.1 xx.xx.61.254 netmask 255.255.255.0
ip nat inside source list 111 pool NAT_POOL overload
!
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any
access-list 112 deny ip any 192.168.0.0 0.0.255.255
access-list 112 deny ip any 172.16.0.0 0.15.255.255
access-list 112 deny ip any 10.0.0.0 0.255.255.255
access-list 112 permit ip 172.16.0.0 0.0.255.255 any
access-list 112 deny ip any any
Can anyone explain what's happening?
More information about the cisco-bba
mailing list