[nsp] nat problem
CLAEREBOUDT Elke
ECLAEREB at mail.mobistar.be
Mon May 5 14:27:43 EDT 2003
The problem is connecting to 212.224.137.234 on ports 80 and 21 when the internal
IP address is 192.168.3.207.
If we reconfigure everything with 192.168.3.206, then everything is OK.
You can see that even if there's static NAT for both ports, the router also
translates the ports, and then the traffic is blocked by ACL 130.
Connecting from the internal side (from the router) is OK, so the service is active.
Bug or ??
IP NAT debugging is on
May 5 09:51:30.489: NAT: s=212.65.32.1, d=212.224.137.234->192.168.3.207 [0]
May 5 09:51:30.493: NAT: TCP s=21->174, d=51714
May 5 09:51:30.493: NAT: s=192.168.3.207->212.224.137.234, d=212.65.32.1 [24677]
May 5 09:51:30.517: %SEC-6-IPACCESSLOGP: list 130 denied tcp 212.65.32.1(51714) -> 212.224.137.234(174), 1 packet
May 5 09:51:33.457: NAT: TCP s=21->174, d=51714
May 5 09:51:33.457: NAT: s=192.168.3.207->212.224.137.234, d=212.65.32.1 [24678]
May 5 09:52:04.408: NAT: o: tcp (212.65.32.1, 52226) -> (212.224.137.234, 21) [0]
May 5 09:52:04.408: NAT: ipnat_allocate_port: wanted 21 got 175
May 5 09:52:04.412: NAT: created edit_context (192.168.3.207,21) -> (212.65.32.1,52226)
May 5 09:52:04.412: NAT: i: tcp (192.168.3.207, 21) -> (212.65.32.1, 52226) [24688]
May 5 09:52:04.432: %SEC-6-IPACCESSLOGP: list 130 denied tcp 212.65.32.1(52226) -> 212.224.137.234(175), 1 packet
Pro Inside global          Inside local         Outside local        Outside global
tcp 212.224.137.234:164    192.168.3.207:80     212.65.32.1:50690    212.65.32.1:50690
tcp 212.224.137.234:169    192.168.3.207:80     212.65.32.1:51202    212.65.32.1:51202
tcp 212.224.137.234:173    192.168.3.207:21     212.65.32.1:51714    212.65.32.1:51714
--- 212.224.137.234        192.168.3.207        ---                  ---
tcp 212.224.137.234:21     192.168.3.207:21     ---                  ---
tcp 212.224.137.235:25     192.168.3.201:25     ---                  ---
udp 212.224.137.233:1083   192.168.3.67:1083    212.65.63.145:53     212.65.63.145:53
tcp 212.224.137.234:80     192.168.3.207:80     ---                  ---
!
interface Loopback0
ip address 212.224.137.233 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.3.205 255.255.255.0
no ip redirects
no ip directed-broadcast
no ip proxy-arp
ip nat inside
no cdp enable
!
!
interface Serial0/0
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
no ip mroute-cache
logging event subif-link-status
logging event dlci-status-change
no fair-queue
frame-relay lmi-type q933a
!
!
interface Serial0/0.2 point-to-point
ip unnumbered Loopback0
ip access-group 130 in
no ip directed-broadcast
ip nat outside
ip inspect premfw out
no cdp enable
frame-relay interface-dlci 137
!
interface Serial0/0.3 point-to-point
ip unnumbered Loopback0
ip access-group 130 in
no ip directed-broadcast
ip nat outside
ip inspect premfw out
no cdp enable
frame-relay interface-dlci 138
!
!
ip nat inside source list 1 interface Loopback0 overload
ip nat inside source static 192.168.3.207 212.224.137.234
ip nat inside source static tcp 192.168.3.207 80 212.224.137.234 80 extendable
ip nat inside source static tcp 192.168.3.201 25 212.224.137.235 25 extendable
ip nat inside source static tcp 192.168.3.207 21 212.224.137.234 21 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.2
ip route 0.0.0.0 0.0.0.0 Serial0/0.3 200
access-list 130 deny ip 172.16.0.0 0.0.255.255 any
access-list 130 permit tcp any host 212.224.137.235 eq smtp
access-list 130 permit tcp any host 212.224.137.234 eq ftp
access-list 130 permit tcp any host 212.224.137.234 eq www
access-list 130 deny ip 192.168.0.0 0.0.255.255 any
access-list 130 deny ip 10.0.0.0 0.255.255.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 deny ip 240.0.0.0 15.255.255.255 any
access-list 130 permit icmp any any administratively-prohibited
access-list 130 permit icmp any any echo
access-list 130 permit icmp any any echo-reply
access-list 130 permit icmp any any packet-too-big
access-list 130 permit icmp any any time-exceeded
access-list 130 permit icmp any any traceroute
access-list 130 permit icmp any any unreachable
access-list 130 deny ip any any log
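As an added example (not from the post above and not Cisco code), the script below replays the debug lines quoted in the message and, for each %SEC-6-IPACCESSLOGP deny, looks up the NAT port rewrite that preceded it (the reply-side "s=21->174" and the allocator's "wanted 21 got 175"). It then checks whether the port NAT was asked for, rather than the port it actually used, is covered by a static mapping and by a permit in access-list 130. The sample log is constructed from the post with the wrapped lines re-joined, and the static-mapping table and the simplified ACL model are hand-transcribed assumptions from the configuration, not parsed from IOS.

```python
"""Correlate 'debug ip nat' output with %SEC-6-IPACCESSLOGP denies.

Added example (not from the post, not Cisco code). Given IOS debug lines,
it pairs each ACL deny with the NAT port rewrite that preceded it, so a
deny on an unexpected port (174, 175) can be traced back to the port the
static mapping was configured for (21).
"""
import re

# Sample input constructed from the debug lines quoted in the post
# (re-joined onto single lines; not a live capture).
SAMPLE_LOG = """\
May 5 09:51:30.489: NAT: s=212.65.32.1, d=212.224.137.234->192.168.3.207 [0]
May 5 09:51:30.493: NAT: TCP s=21->174, d=51714
May 5 09:51:30.493: NAT: s=192.168.3.207->212.224.137.234, d=212.65.32.1 [24677]
May 5 09:51:30.517: %SEC-6-IPACCESSLOGP: list 130 denied tcp 212.65.32.1(51714) -> 212.224.137.234(174), 1 packet
May 5 09:52:04.408: NAT: o: tcp (212.65.32.1, 52226) -> (212.224.137.234, 21) [0]
May 5 09:52:04.408: NAT: ipnat_allocate_port: wanted 21 got 175
May 5 09:52:04.412: NAT: created edit_context (192.168.3.207,21) -> (212.65.32.1,52226)
May 5 09:52:04.412: NAT: i: tcp (192.168.3.207, 21) -> (212.65.32.1, 52226) [24688]
May 5 09:52:04.432: %SEC-6-IPACCESSLOGP: list 130 denied tcp 212.65.32.1(52226) -> 212.224.137.234(175), 1 packet
"""

# Hand-transcribed from the 'ip nat inside source static tcp ... extendable'
# lines of the configuration: (global ip, global port) -> (local ip, local port).
STATIC_PORT_MAPS = {
    ("212.224.137.234", 80): ("192.168.3.207", 80),
    ("212.224.137.234", 21): ("192.168.3.207", 21),
    ("212.224.137.235", 25): ("192.168.3.201", 25),
}

# Simplified model of the TCP permits in access-list 130 (assumption: only
# the three 'permit tcp any host ... eq' lines matter for these flows).
ACL_130_TCP_PERMITS = {
    ("212.224.137.235", 25),
    ("212.224.137.234", 21),
    ("212.224.137.234", 80),
}

DENY_RE = re.compile(r"list (\d+) denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
# Two ways IOS reports the rewrite: the reply-side 's=21->174' and the
# allocator's 'wanted 21 got 175'. Group 1 is the wanted port, group 2 the
# port actually used, in both patterns.
PORT_REWRITE_RE = re.compile(r"NAT: TCP s=(\d+)->(\d+), d=(\d+)")
ALLOC_RE = re.compile(r"ipnat_allocate_port: wanted (\d+) got (\d+)")


def acl_permits_tcp(dst_ip, dst_port):
    """Return True if the simplified ACL 130 model permits tcp to dst_ip:dst_port."""
    return (dst_ip, dst_port) in ACL_130_TCP_PERMITS


def parse_port_rewrites(lines):
    """Map each NAT-allocated port to the port the translation was wanted for."""
    rewrites = {}
    for line in lines:
        m = PORT_REWRITE_RE.search(line) or ALLOC_RE.search(line)
        if m:
            wanted, got = int(m.group(1)), int(m.group(2))
            rewrites[got] = wanted
    return rewrites


def correlate(log_text):
    """For every ACL deny, report whether the denied port is a NAT rewrite of
    a port that both a static mapping and the ACL would have accepted."""
    lines = log_text.splitlines()
    rewrites = parse_port_rewrites(lines)
    findings = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        acl, proto, src, sport, dst, dport = m.groups()
        dport = int(dport)
        wanted = rewrites.get(dport)
        findings.append({
            "acl": acl,
            "proto": proto,
            "src": f"{src}:{sport}",
            "dst": f"{dst}:{dport}",
            "denied_port_permitted": proto == "tcp" and acl_permits_tcp(dst, dport),
            "wanted_port": wanted,
            "wanted_port_static": wanted is not None and (dst, wanted) in STATIC_PORT_MAPS,
            "wanted_port_permitted": wanted is not None and acl_permits_tcp(dst, wanted),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"ACL {f['acl']} denied {f['proto']} {f['src']} -> {f['dst']}: "
              f"NAT rewrote port {f['wanted_port']} (static map: {f['wanted_port_static']}, "
              f"ACL permits original port: {f['wanted_port_permitted']})")
```

Run on the quoted lines, both denies resolve to a wanted port of 21 that is both statically mapped and permitted by the ACL, while the ports NAT actually used (174 and 175) match no permit, which is exactly the mismatch the poster describes. The script only reports the correlation; it does not decide whether the port rewrite is an IOS bug or a configuration interaction.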