[cisco-bba] Weird NAT problem

Imad Buhidma imad at lttnet.net
Wed Sep 28 16:54:50 EDT 2005


Hello

We have a weird problem with NAT on a Cisco 7200 router. If we permit only one subnet for NAT and deny all others, the filtering is not working and any IP can do NATing;
you can see this clearly from "show ip nat translations":

Pro   Inside global           Inside local          Outside local         Outside global
icmp  xx.xx.61.2:0          64.0.96.42:0          201.19.11.100:0       201.19.11.100:0
icmp  xx.xx.61.2:0          64.0.96.42:0          203.59.89.117:0       203.59.89.117:0
icmp  xx.xx.61.2:0          64.0.96.42:0          204.96.151.138:0      204.96.151.138:0
icmp  xx.xx.61.2:0          64.0.96.42:0          213.10.113.206:0      213.10.113.206:0
tcp   xx.xx.61.2:113        64.0.96.42:113        134.181.128.1:33639   134.181.128.1:33639
tcp   xx.xx.61.2:113        64.0.96.42:113        209.139.92.14:64944   209.139.92.14:64944
tcp   xx.xx.61.2:139        64.0.96.42:139        xx.xx.185.108:4865    xx.xx.185.108:4865
tcp   xx.xx.61.2:445        64.0.96.42:445        xx.xx.191.202:2823    xx.xx.191.202:2823
udp   xx.xx.61.2:1032       64.0.96.42:1032       64.4.12.201:7001      64.4.12.201:7001
tcp   xx.xx.61.8:135        64.132.47.202:135     xx.xx.186.156:1530    xx.xx.186.156:1530
tcp   xx.xx.61.8:445        64.132.47.202:445     xx.xx.52.12:3102      xx.xx.52.12:3102
udp   xx.xx.61.7:1434       217.139.226.243:1434  222.174.115.18:1032   222.174.115.18:1032
tcp   xx.xx.61.7:3128       217.139.226.243:3128  59.188.4.140:60257    59.188.4.140:60257
tcp   xx.xx.61.2:1100       172.16.16.216:1902    69.90.63.96:80        69.90.63.96:80
tcp   xx.xx.61.2:1174       172.16.16.216:1903    67.15.14.45:80        67.15.14.45:80
udp   xx.xx.61.2:1904       172.16.16.216:1904    xx.xx.42.2:53         xx.xx.42.2:53
udp   xx.xx.61.2:1905       172.16.16.216:1905    xx.xx.42.2:53         xx.xx.42.2:53
tcp   xx.xx.61.2:2464       172.16.16.205:2464    204.127.202.26:25     204.127.202.26:25
tcp   xx.xx.61.2:2465       172.16.16.205:2465    66.148.71.105:8712    66.148.71.105:8712

We permit only the 172.16.0.0/16 network, but we have other IP addresses in the NAT translations, like 64.0.96.42, 64.132.47.202 and 217.139.226.243.

Here is the configuration of the router, which is running IOS c7200-js-mz.123-8.T3:


aaa new-model
!
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa session-id unique
ip subnet-zero
!
bba-group pppoe PRIVATE_IP
 virtual-template 1
!
interface GigabitEthernet0/1
 bandwidth 100000
 ip address x.x.x.x x.x.x.x
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 no keepalive
 no cdp enable
!
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM1/0.1 multipoint
 range pvc 10/35 10/135
  protocol pppoe group PRIVATE_IP
 !
 range pvc 12/35 12/135
  protocol pppoe group PRIVATE_IP
 !
 range pvc 13/35 13/135
  protocol pppoe group PRIVATE_IP
 !
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip access-group 112 in
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly
 peer ip address forced
 peer default ip address pool PRIVATE_IP_POOL
 ppp authentication pap chap
!
ip local pool PRIVATE_IP_POOL 172.16.0.1 172.16.255.254
!
ip nat pool NAT_POOL xx.xx.61.1 xx.xx.61.254 netmask 255.255.255.0
ip nat inside source list 111 pool NAT_POOL overload
!
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny   ip any any
access-list 112 deny   ip any 192.168.0.0 0.0.255.255
access-list 112 deny   ip any 172.16.0.0 0.15.255.255
access-list 112 deny   ip any 10.0.0.0 0.255.255.255
access-list 112 permit ip 172.16.0.0 0.0.255.255 any
access-list 112 deny   ip any any 
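A check that can be run over the posted output, added here as an example (it is not code from the post, nor a Cisco tool): it evaluates each inside-local address against access-list 111 the way IOS evaluates a standard-style ACE list (first match wins, implicit deny at the end) and lists the translations the NAT ACL should never have produced. The ACL lines and table rows are quoted from the post above; the parser handles only the "permit/deny ip SRC WILDCARD any" form used there.

```python
import ipaddress
import re
# NAT ACL quoted from the post (first match wins, implicit deny at the end).
NAT_ACL = """
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny   ip any any
"""

# Rows quoted from the post's "show ip nat translations" (header dropped; xx.xx.* redacted as in the post).
TRANSLATIONS = """
tcp   xx.xx.61.2:139        64.0.96.42:139        xx.xx.185.108:4865    xx.xx.185.108:4865
tcp   xx.xx.61.8:445        64.132.47.202:445     xx.xx.52.12:3102      xx.xx.52.12:3102
udp   xx.xx.61.7:1434       217.139.226.243:1434  222.174.115.18:1032   222.174.115.18:1032
tcp   xx.xx.61.2:1100       172.16.16.216:1902    69.90.63.96:80        69.90.63.96:80
"""

# Matches the "access-list N {permit|deny} ip {any | ADDR WILDCARD} any" form used in the post;
# parse_acl turns each match into (action, base, wildcard) with base/wildcard as 32-bit ints.
ACE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+ip\s+(?:(any)|(\S+)\s+(\S+))\s+any")

def parse_acl(text):
    aces = []
    for m in ACE.finditer(text):
        action, any_src, addr, wild = m.groups()
        if any_src:
            aces.append((action, 0, 0xFFFFFFFF))
        else:
            aces.append((action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))))
    return aces

def acl_permits(aces, ip):
    """Cisco-style first-match evaluation of a source address; no match means deny."""
    n = int(ipaddress.IPv4Address(ip))
    for action, base, wild in aces:
        care = ~wild & 0xFFFFFFFF          # wildcard bit 0 means "this bit must match"
        if (n & care) == (base & care):
            return action == "permit"
    return False

def unexpected_translations(table, acl_text):
    """Rows whose inside-local address the NAT ACL should never have let through."""
    aces = parse_acl(acl_text)
    bad = []
    for line in table.splitlines():
        cols = line.split()
        if len(cols) != 5: continue        # skip blank or header lines
        local_ip = cols[2].rsplit(":", 1)[0]   # inside local column is "addr:port"
        if not acl_permits(aces, local_ip):
            bad.append((cols[0], cols[1], cols[2]))
    return bad
```

Running it over the full table from the post flags exactly the three inside-local addresses the author names, which confirms the ACL itself is written correctly and the question is why those translations exist at all.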