[c-nsp] PAT allowing incoming translations?

WILDE, David David.WILDE at neuf.com
Tue Feb 8 10:36:22 EST 2005


Hi Brian,

I've seen possibly the reverse of this, which maybe sheds some light... In
that case it actually related to port 138; after replacing an 827 with an 837
we found that an NT box on the inside of the NAT can't reach the domain
controller any more.  On further inspection it appeared that when the client
contacts the domain controller, the traffic arrives at the domain controller
coming from a different port to 138 (due to the NAT), however the domain
controller sends the response back on port 138 - and the 827 automatically
created a PAT entry to allow the traffic to reach the client.  On the 837
this doesn't happen.

So I'm guessing that your Windows box had sent some traffic out - then when
you telnetted in, the router did the automatic creation thing I mentioned.
After you cleared the translation table the router applied at least a
minimal bit of security and blocked the incoming connection since it wasn't
in response to an outgoing request.

Just a possibility anyhow ;-)  Let me know how to get an 837 to start doing
it if you can...

David

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Brian Feeny
Sent: Tuesday, 8 February 2005 16:02
Subject: [c-nsp] PAT allowing incoming translations?


I was under the (possibly wrong) impression that PAT does not allow any
incoming translations unless you specifically define them.  I have a
router, running PAT, and if I telnet to port 135 of the pool's single
address, it connects me to port 135 of one of my inside Windows boxes.

<snip>

Does anyone have any idea of what may have happened to allow that 
condition to take place?  It was definitely happening for at least 24 
hours, and only now when I clear the translations does it no longer 
allow connections.

Brian
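An added illustration of the stateful PAT behaviour both messages describe; it is not code from either poster or from Cisco, and does not claim to reproduce IOS internals. It models a translation table under two policies: "strict" (an inbound packet to the pool address is translated only when outbound traffic already created a matching entry, the 837-like behaviour David describes) and "permissive" (an unsolicited inbound packet to port P is also accepted when exactly one inside host currently has a translation whose inside source port is P, which is one plausible model of the "automatic creation" on the 827 and is an assumption here). It also assumes PAT keeps the inside source port when that global port is free, which is how an outbound packet from inside port 135 would leave an entry that a telnet to pool:135 later matches. All addresses and ports are constructed sample values.

```python
"""Toy model of a PAT translation table (added example, not Cisco code).

Policies compared:
  strict     - inbound is translated only if an outbound packet created
               a matching entry (837-like behaviour from the thread).
  permissive - additionally, an unsolicited inbound packet to port P is
               accepted when exactly one inside host has a translation
               whose inside source port is P (an assumed model of the
               827's "automatic creation").
Addresses and ports are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class PatTable:
    global_ip: str
    permissive: bool = False
    in_map: Dict[int, Endpoint] = field(default_factory=dict)   # global port -> inside
    out_map: Dict[Endpoint, int] = field(default_factory=dict)  # inside -> global port
    next_free: int = 1024

    def _alloc(self, wanted: int) -> int:
        # Assumed port-preserving PAT: keep the inside port if it is free,
        # otherwise hand out the next unused global port.
        if wanted not in self.in_map:
            return wanted
        while self.next_free in self.in_map:
            self.next_free += 1
        port = self.next_free
        self.next_free += 1
        return port

    def outbound(self, inside: Endpoint) -> Endpoint:
        """An inside host sends out: create or reuse its translation."""
        if inside not in self.out_map:
            gport = self._alloc(inside[1])
            self.out_map[inside] = gport
            self.in_map[gport] = inside
        return (self.global_ip, self.out_map[inside])

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """A packet arrives from outside for the pool address.
        Returns the inside endpoint it is delivered to, or None if dropped."""
        ip, gport = dst
        if ip != self.global_ip:
            return None
        if gport in self.in_map:
            return self.in_map[gport]            # matches an existing entry
        if self.permissive:
            cands = [ep for ep in self.out_map if ep[1] == gport]
            if len(cands) == 1:
                self.in_map[gport] = cands[0]    # assumed 827-style auto-created entry
                return cands[0]
        return None                              # strict: unsolicited -> dropped

    def expire(self, inside: Endpoint) -> None:
        """Remove one translation, as an idle timeout would."""
        gport = self.out_map.pop(inside, None)
        if gport is not None:
            self.in_map.pop(gport, None)

    def clear(self) -> None:
        """Empty the whole table (what clearing the translations did in Brian's case)."""
        self.in_map.clear()
        self.out_map.clear()


def brian_scenario() -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """Inside box sends from source port 135; PAT keeps the port, so a telnet to
    pool:135 reaches it. After the table is cleared the same telnet is dropped."""
    pat = PatTable("203.0.113.1")                      # constructed pool address
    pat.outbound(("192.168.1.10", 135))
    before = pat.inbound(("203.0.113.1", 135))
    pat.clear()
    after = pat.inbound(("203.0.113.1", 135))
    return before, after


def david_scenario(permissive: bool) -> Optional[Endpoint]:
    """Client sends from 138 while another host holds global port 138, so the
    client leaves from a different port; the DC then replies to pool:138."""
    pat = PatTable("203.0.113.1", permissive=permissive)
    pat.outbound(("192.168.1.20", 138))                # holds global 138 first
    pat.outbound(("192.168.1.30", 138))                # client gets port 1024
    pat.expire(("192.168.1.20", 138))                  # first entry times out
    return pat.inbound(("203.0.113.1", 138))           # DC reply to port 138


if __name__ == "__main__":
    print("Brian (before clear, after clear):", brian_scenario())
    print("David, strict 837-like:", david_scenario(False))
    print("David, permissive 827-like:", david_scenario(True))
```

The strict policy is the one to want on a NAT edge: only state created by outbound traffic admits inbound packets, so clearing the table removes the opening Brian saw, and a reply addressed to a fixed port rather than to the translated port (David's 138 case) is dropped instead of being mapped to whichever inside host happens to fit.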

