[c-nsp] Leakage with NAT Access list

Bruce Pinsky bep at whack.org
Sat Oct 1 22:17:45 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Imad Buhidma wrote:
> Hello
> 
> We have a weird problem with NAT on a Cisco 7200 router. There's leakage with the NAT access list: the NAT translation table shows some denied IP addresses can do successful NAT.
> 
> The output of "show ip nat translations" command :
> 
> Pro   Inside global           Inside local          Outside local         Outside global
> icmp  xx.xx.61.2:0          64.0.96.42:0          201.19.11.100:0       201.19.11.100:0
> icmp  xx.xx.61.2:0          64.0.96.42:0          203.59.89.117:0       203.59.89.117:0
> icmp  xx.xx.61.2:0          64.0.96.42:0          204.96.151.138:0      204.96.151.138:0
> icmp  xx.xx.61.2:0          64.0.96.42:0          213.10.113.206:0      213.10.113.206:0
> tcp   xx.xx.61.2:113        64.0.96.42:113        134.181.128.1:33639   134.181.128.1:33639
> tcp   xx.xx.61.2:113        64.0.96.42:113        209.139.92.14:64944   209.139.92.14:64944
> tcp   xx.xx.61.2:139        64.0.96.42:139        xx.xx.185.108:4865    xx.xx.185.108:4865
> tcp   xx.xx.61.2:445        64.0.96.42:445        xx.xx.191.202:2823    xx.xx.191.202:2823
> udp   xx.xx.61.2:1032       64.0.96.42:1032       64.4.12.201:7001      64.4.12.201:7001
> tcp   xx.xx.61.8:135        64.132.47.202:135     xx.xx.186.156:1530    xx.xx.186.156:1530
> tcp   xx.xx.61.8:445        64.132.47.202:445     xx.xx.52.12:3102      xx.xx.52.12:3102
> udp   xx.xx.61.7:1434       217.139.226.243:1434  222.174.115.18:1032   222.174.115.18:1032
> tcp   xx.xx.61.7:3128       217.139.226.243:3128  59.188.4.140:60257    59.188.4.140:60257
> tcp   xx.xx.61.2:1100       172.16.16.216:1902    69.90.63.96:80        69.90.63.96:80
> tcp   xx.xx.61.2:1174       172.16.16.216:1903    67.15.14.45:80        67.15.14.45:80
> udp   xx.xx.61.2:1904       172.16.16.216:1904    xx.xx.42.2:53         xx.xx.42.2:53
> udp   xx.xx.61.2:1905       172.16.16.216:1905    xx.xx.42.2:53         xx.xx.42.2:53
> tcp   xx.xx.61.2:2464       172.16.16.205:2464    204.127.202.26:25     204.127.202.26:25
> tcp   xx.xx.61.2:2465       172.16.16.205:2465    66.148.71.105:8712    66.148.71.105:8712
> 
> We permit only the 172.16.0.0/16 network, but we have other IP addresses in the NAT translations, like 64.0.96.42, 64.132.47.202 and 217.139.226.243.
> 
> Here is the configuration of the router, which is running IOS c7200-js-mz.123-8.T3:
> 
> 
> aaa new-model
> !
> aaa authentication ppp default group radius local
> aaa authorization network default group radius local
> aaa accounting network default start-stop group radius
> aaa session-id unique
> ip subnet-zero
> !
> bba-group pppoe PRIVATE_IP
> virtual-template 1
> !
> interface GigabitEthernet0/1
> bandwidth 100000
> ip address x.x.x.x x.x.x.x
> ip nat outside
> ip virtual-reassembly
> ip route-cache flow
> duplex auto
> speed auto
> media-type rj45
> no negotiation auto
> no keepalive
> no cdp enable
> !
> interface ATM1/0
> no ip address
> no atm ilmi-keepalive
> !
> interface ATM1/0.1 multipoint
> range pvc 10/35 10/135
>   protocol pppoe group PRIVATE_IP
> !
> range pvc 12/35 12/135
>   protocol pppoe group PRIVATE_IP
> !
> range pvc 13/35 13/135
>   protocol pppoe group PRIVATE_IP
> !
> !
> interface Virtual-Template1
> ip unnumbered GigabitEthernet0/1
> ip access-group 112 in
> ip mtu 1492
> ip nat inside
> ip virtual-reassembly
> peer ip address forced
> peer default ip address pool PRIVATE_IP_POOL
> ppp authentication pap chap
> !
> ip local pool PRIVATE_IP_POOL 172.16.0.1 172.16.255.254
> !
> ip nat pool NAT_POOL xx.xx.61.1 xx.xx.61.254 netmask 255.255.255.0
> ip nat inside source list 111 pool NAT_POOL overload
> !
> access-list 111 permit ip 172.16.0.0 0.0.255.255 any
> access-list 111 deny   ip any any
> access-list 112 deny   ip any 192.168.0.0 0.0.255.255
> access-list 112 deny   ip any 172.16.0.0 0.15.255.255
> access-list 112 deny   ip any 10.0.0.0 0.255.255.255
> access-list 112 permit ip 172.16.0.0 0.0.255.255 any
> access-list 112 deny   ip any any
> 
> 
> Can anyone explain what's happening?
> 

The addresses that are in the translation table that don't appear to match
the access-list are from all over the planet.  One is from an address block
that belongs to Time Warner Telecom.  Another is from an XO block.  And yet
another is for NOOR Technologies out of a block allocated to AFRINIC.  So
to better understand what might be going on, I'm trying to figure out how
those addresses are transiting your router given the disparate geographies.

Seems like there is part of the picture we are missing.  If I didn't know
any better, I'd say there was another interface that had NAT enabled on it.
Now all that being said, I'd look at one of the individual translations to
determine which interfaces are involved and I'd look at doing some
debugging of NAT to see why the translation is happening.

- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFDP0NJE1XcgMgrtyYRAh0MAKC/pHbUN+rdrLSQ48F6KWvekXCIVQCg1ZAk
zGuorCuP4FgmO8AL3Oh30kI=
=CMTD
-----END PGP SIGNATURE-----
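The check Bruce suggests, reading the individual translations to see which ones should never have matched the NAT access list, can be automated. The script below is an added example, not code from the thread or from Cisco: it parses a `show ip nat translations` table, evaluates each inside-local address against access-list 111 using Cisco wildcard-mask semantics (a 1 bit in the wildcard means "don't care", and every ACL ends in an implicit deny), and reports the entries the list should have denied. The table it runs over is constructed with RFC 5737 documentation addresses to resemble the one quoted above; the direction heuristic (a well-known inside port paired with an ephemeral outside port suggests the outside side opened the connection) is the example's own assumption, not something the thread states.

```python
"""Audit `show ip nat translations` output against a Cisco-style NAT ACL.

Added example, not code from the original post. The table below is
constructed with RFC 5737 documentation addresses to resemble the one
quoted in the thread.
"""
import ipaddress
import re
from collections import defaultdict

# access-list 111 as posted: (action, source, source-wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
ACL_111 = [
    ("permit", "172.16.0.0", "0.0.255.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),
]

# Constructed sample: two inside-local hosts outside 172.16.0.0/16 mixed
# with legitimate PPPoE subscribers from the pool.
SAMPLE_SHOW_OUTPUT = """\
Pro   Inside global           Inside local          Outside local         Outside global
icmp  192.0.2.2:0             198.51.100.42:0       203.0.113.100:0       203.0.113.100:0
tcp   192.0.2.2:445           198.51.100.42:445     203.0.113.202:2823    203.0.113.202:2823
tcp   192.0.2.8:135           198.51.100.202:135    203.0.113.156:1530    203.0.113.156:1530
tcp   192.0.2.2:1100          172.16.16.216:1902    203.0.113.96:80       203.0.113.96:80
udp   192.0.2.2:1904          172.16.16.216:1904    203.0.113.53:53       203.0.113.53:53
tcp   192.0.2.2:2464          172.16.16.205:2464    203.0.113.26:25       203.0.113.26:25
"""

ROW_RE = re.compile(r"^(icmp|tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: only bits that are 0 in the wildcard must agree."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, addr: str) -> str:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def split_endpoint(endpoint: str):
    """'203.0.113.1:2823' -> ('203.0.113.1', 2823); a '---' column gives (None, None)."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return None, None
    return host, (int(port) if port.isdigit() else None)


def parse_translations(text: str):
    """Return one dict per translation row; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({
            "proto": proto,
            "inside_global": split_endpoint(ig),
            "inside_local": split_endpoint(il),
            "outside_local": split_endpoint(ol),
            "outside_global": split_endpoint(og),
        })
    return rows


def likely_outside_initiated(row) -> bool:
    """Heuristic (example's assumption): well-known port on the inside host and an
    ephemeral port on the outside host suggests the outside peer opened the flow."""
    _, inside_port = row["inside_local"]
    _, outside_port = row["outside_global"]
    if row["proto"] == "icmp" or inside_port is None or outside_port is None:
        return False
    return inside_port < 1024 and outside_port >= 1024


def find_leaks(text: str, acl=ACL_111):
    """Map each inside-local address the ACL would deny to its translations."""
    leaks = defaultdict(list)
    for row in parse_translations(text):
        host, port = row["inside_local"]
        if host is None or acl_action(acl, host) == "permit":
            continue
        leaks[host].append((row["proto"], port, row["outside_global"][0],
                            likely_outside_initiated(row)))
    return dict(leaks)


if __name__ == "__main__":
    for host, flows in find_leaks(SAMPLE_SHOW_OUTPUT).items():
        print(f"{host} is denied by access-list 111 but has {len(flows)} translation(s):")
        for proto, port, peer, from_outside in flows:
            tag = "outside-initiated?" if from_outside else ""
            print(f"  {proto} inside port {port} <-> {peer} {tag}")
```

Running it on the constructed table lists the two inside-local hosts outside 172.16.0.0/16 and marks the 445/135 entries as probably opened from the outside, which is the kind of per-translation detail Bruce suggests collecting before turning on NAT debugging. Feeding it the real `show ip nat translations` output, with access-list 111 copied from the running configuration, gives the same report for the router in the thread.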


More information about the cisco-nsp mailing list