[nsp] what does cisco NAT do with errant packets?
Mark Kent
mark at noc.mainstreet.net
Wed Jan 22 10:34:40 EST 2003
I'm seeing some weird behavior with a NAT'ed customer
on the far end of a T1 (cisco both ends). Here is my conclusion:
It looks like traffic destined for the NAT ip address that does not
correspond to an entry in the NAT translation table gets routed back out
(likely following the default route).
That is, suppose A.B.C.D is in the NAT pool and a packet comes in
destined for A.B.C.D tcp port X, but there is no translation entry
for A.B.C.D tcp port X and no map, etc. Then, that packet is routed
out the default route on the router.
Can anyone verify that this is what cisco NAT does in this scenario?
And, if so, does this seem like a reasonable strategy?
I think this could lead to an unimaginative denial of service attack
since each packet would zip around the T1 end-points until the TTL expires.
Comments?
Thanks,
-mark
P.S. This is how I arrived at my conclusion:
On my side, I have an access list like this:
access-list 2011 permit ip customer.IP.range any
and, just to see if this customer was spewing anything other
than packets sourced from his net, I added
access-list 2011 deny ip any any log
applied like this
in serialWhatEver
ip access-group 2011 in
Then I started to see log entries like this:
%SEC-6-IPACCESSLOGP: list 2011 denied udp srcIP1(2561) -> A.B.C.D(53), 2 packets
%SEC-6-IPACCESSLOGDP: list 2011 denied icmp srcIP2 -> A.B.C.D (8/0), 3 packets
%SEC-6-IPACCESSLOGP: list 2011 denied tcp srcIP3(80) -> A.B.C.D(10510), 1 packet
where A.B.C.D is an IP address used by the customer and
srcIP* are IP addresses out on the global Internet.
That is, I saw packets coming from the customer with a destination
IP address on the customer net.
Seemed pretty weird to me, so I added this at the top of the access-list:
access-list 2011 permit tcp any range 0 65535 host A.B.C.D range 0 65535 log
access-list 2011 permit udp any range 0 65535 host A.B.C.D range 0 65535 log
access-list 2011 permit icmp any host A.B.C.D log
access-list 2011 permit ip any host A.B.C.D log
and I see all sorts of traffic:
%SEC-6-IPACCESSLOGP: list 2011 permitted tcp srcIP4(54328) -> A.B.C.D(113), 1 packet
%SEC-6-IPACCESSLOGP: list 2011 permitted tcp srcIP5(80) -> A.B.C.D(4729), 1 packet
%SEC-6-IPACCESSLOGP: list 2011 permitted udp srcIP6(53) -> A.B.C.D(1728), 1 packet
Now the port 113 (auth) told me that this might be explained by
"uninvited" traffic to a NAT'ed IP address (A.B.C.D). So, I do a
little test with "telnet A.B.C.D" and it gets logged:
%SEC-6-IPACCESSLOGP: list 2011 permitted tcp myIPaddr(51425) -> A.B.C.D(23), 1 packet
Hence, my above conclusion.
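As an added example (not part of Mark's post or of any Cisco tooling), the check below turns the reasoning in the post into a small log-review script: it parses the two %SEC-6-IPACCESSLOG* line shapes shown above and flags packets that arrived on the customer-facing interface with a destination inside the customer's own NAT pool but a source outside the customer's range. Those are exactly the "uninvited" packets that a NAT router with no matching translation has handed back out its default route, so counting them per destination gives a feel for how much of the T1 the bounce is consuming. Addresses, the ACL number reuse, the NAT pool (198.51.100.0/28) and the customer range (198.51.100.0/24) are constructed sample values, and the log lines are made up to match the format in the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines modelled on the post (RFC 5737 addresses).
# 203.0.113.x plays "srcIP*" on the Internet, 198.51.100.5 plays A.B.C.D.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 2011 denied udp 203.0.113.10(2561) -> 198.51.100.5(53), 2 packets
%SEC-6-IPACCESSLOGDP: list 2011 denied icmp 203.0.113.11 -> 198.51.100.5 (8/0), 3 packets
%SEC-6-IPACCESSLOGP: list 2011 denied tcp 203.0.113.12(80) -> 198.51.100.5(10510), 1 packet
%SEC-6-IPACCESSLOGP: list 2011 permitted tcp 203.0.113.13(54328) -> 198.51.100.5(113), 1 packet
%SEC-6-IPACCESSLOGP: list 2011 permitted tcp 198.51.100.5(40000) -> 203.0.113.20(80), 4 packets
this line is not an ACL log entry and must be ignored
"""

# Two IOS ACL log shapes appear in the post:
#   IPACCESSLOGP : tcp/udp, with (port) after each address
#   IPACCESSLOGDP: icmp, with (type/code) after the destination
# re.search is used so a leading syslog timestamp/hostname is tolerated.
_LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
_LOGDP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<itype>\d+)/(?P<icode>\d+)\), "
    r"(?P<count>\d+) packets?"
)


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]  # None for icmp
    dport: Optional[int]  # icmp type for icmp entries
    count: int


def parse_acl_log(line: str) -> Optional[AclLogEntry]:
    """Parse one IOS ACL log line; return None for lines of another shape."""
    m = _LOGP.search(line)
    if m:
        return AclLogEntry(m["acl"], m["action"], m["proto"], m["src"], m["dst"],
                           int(m["sport"]), int(m["dport"]), int(m["count"]))
    m = _LOGDP.search(line)
    if m:
        return AclLogEntry(m["acl"], m["action"], "icmp", m["src"], m["dst"],
                           None, int(m["itype"]), int(m["count"]))
    return None


def find_reflected(lines: Iterable[str], nat_pool: str, customer_net: str) -> List[AclLogEntry]:
    """Entries seen *from* the customer whose destination is the customer's own NAT pool.

    On the provider's inbound ACL, a packet sourced outside the customer range but
    addressed to a NAT pool address can only have come back from the customer's
    router, i.e. it had no translation entry and followed the default route.
    """
    pool = ipaddress.ip_network(nat_pool)
    cust = ipaddress.ip_network(customer_net)
    hits = []
    for line in lines:
        e = parse_acl_log(line)
        if e is None:
            continue
        src, dst = ipaddress.ip_address(e.src), ipaddress.ip_address(e.dst)
        if dst in pool and src not in cust:
            hits.append(e)
    return hits


def packets_per_destination(entries: Iterable[AclLogEntry]) -> Dict[str, int]:
    """Sum the logged packet counts per NAT pool address being bounced."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.dst] = totals.get(e.dst, 0) + e.count
    return totals


if __name__ == "__main__":
    reflected = find_reflected(SAMPLE_LOG.splitlines(), "198.51.100.0/28", "198.51.100.0/24")
    for e in reflected:
        print(f"{e.action:9s} {e.proto:4s} {e.src} -> {e.dst} port/type {e.dport} ({e.count} pkts)")
    print(packets_per_destination(reflected))
```

Run against a real syslog capture the script would be pointed at the lines logged by the inbound ACL on the provider side, with the NAT pool and customer range filled in for the link in question; anything it flags is traffic that has already crossed the T1 once for nothing, and a steady count per destination is the symptom the post describes.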