[c-nsp] PAT allowing incoming translations?

Brian Feeny signal at shreve.net
Tue Feb 8 10:01:58 EST 2005


I was under the (possibly wrong) impression that PAT does not allow any 
incoming translations unless you specifically define them.  I have a 
router, running PAT, and if I telnet to port 135 of the pool's single 
address, it connects me to port 135 of one of my inside Windows boxes.

Here is some relevant info:

Cisco 1750 running c1700-k9o3sv3y-mz.122-27.bin

interface FastEthernet0
  ip address 192.168.1.1 255.255.255.0 secondary
  ip address 207.254.213.17 255.255.255.248
  ip nat inside
  ip route-cache same-interface
  speed auto
!
interface Serial0
  ip unnumbered FastEthernet0
  ip nat outside
  crypto map myMap

ip nat pool natpool 207.254.213.19 207.254.213.19 netmask 255.255.255.248
ip nat inside source route-map nonat pool natpool overload
ip access-list extended noNat
  deny   ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
  deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  deny   ip 192.168.1.0 0.0.0.255 207.254.192.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
  match ip address noNat

I was able to connect like so:

[root at earth signal]# telnet 207.254.213.19 135
Trying 207.254.213.19...
Connected to 207.254.213.19.
Escape character is '^]'.


I first noticed this was happening because the security logs on that 
box were showing attempted logins for Administrator from IPs on the 
Internet.  The route-map action above is to prevent translation for 
some VPNs that the router is also doing.

I cleared the translations and now it's not doing the same behavior, but 
I swear it was happening.

Does anyone have any idea of what may have happened to allow that 
condition to take place?  It was definitely happening for at least 24 
hours, and only now when I clear the translations does it no longer 
allow connections.

Brian


Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
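One check worth running before clearing the table in a case like the one above is whether `show ip nat translations` holds an address-only (non-extended) entry for the pool address: such an entry carries no protocol or port, so the router translates any inbound packet to that inside global address, not just replies to an existing flow. The parser below is an added example, not code from the post or from the cisco-nsp list; it assumes the standard five-column layout of that command and uses constructed sample output (the pool address 207.254.213.19 is from the post, the inside hosts are made up).

```python
import re

# Constructed sample of "show ip nat translations" output (not taken from the post).
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 207.254.213.19:1029   192.168.1.20:1029     198.51.100.7:80       198.51.100.7:80
udp 207.254.213.19:53001  192.168.1.20:53001    198.51.100.53:53      198.51.100.53:53
--- 207.254.213.19        192.168.1.20          ---                   ---
icmp 207.254.213.19:512   192.168.1.30:512      198.51.100.9:512      198.51.100.9:512
"""

# One translation line: protocol, inside global, inside local, outside local, outside global.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text):
    """Turn the command output into a list of dicts, skipping the header and blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated lines (prompts, banners) in a pasted session
        pro, ig, il, ol, og = m.groups()
        entries.append({"pro": pro, "ig": ig, "il": il, "ol": ol, "og": og})
    return entries


def address_only_entries(entries, pool_addr):
    """Entries for pool_addr with no protocol/port and no outside side.

    These are the non-extended entries: anything arriving at pool_addr,
    on any port, is forwarded to the listed inside local host.
    """
    return [
        e for e in entries
        if e["pro"] == "---" and e["ig"] == pool_addr and ":" not in e["ig"]
    ]


if __name__ == "__main__":
    for e in address_only_entries(parse_translations(SAMPLE), "207.254.213.19"):
        print(f"address-only translation: {e['ig']} -> {e['il']} (reachable on every port)")
```

On a live box, paste the real command output in place of `SAMPLE`; an empty result means every entry in the table is port-specific.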


