[c-nsp] Leakage with NAT Access list
Imad Buhidma
imad at lttnet.net
Sun Oct 2 10:43:20 EDT 2005
---------- Original Message ----------------------------------
From: Bruce Pinsky <bep at whack.org>
Reply-To: bep at whack.org
Date: Sat, 01 Oct 2005 19:17:45 -0700
>
>Imad Buhidma wrote:
>> Hello
>>
>> We have a weird problem with NAT on a Cisco 7200 router: there is leakage with the NAT access list. The NAT translation table shows that some denied IP addresses can still be NATed successfully.
>>
>> The output of the "show ip nat translations" command:
>>
>> Pro Inside global Inside local Outside local Outside global
>> icmp xx.xx.61.2:0 64.0.96.42:0 201.19.11.100:0 201.19.11.100:0
>> icmp xx.xx.61.2:0 64.0.96.42:0 203.59.89.117:0 203.59.89.117:0
>> icmp xx.xx.61.2:0 64.0.96.42:0 204.96.151.138:0 204.96.151.138:0
>> icmp xx.xx.61.2:0 64.0.96.42:0 213.10.113.206:0 213.10.113.206:0
>> tcp xx.xx.61.2:113 64.0.96.42:113 134.181.128.1:33639 134.181.128.1:33639
>> tcp xx.xx.61.2:113 64.0.96.42:113 209.139.92.14:64944 209.139.92.14:64944
>> tcp xx.xx.61.2:139 64.0.96.42:139 xx.xx.185.108:4865 xx.xx.185.108:4865
>> tcp xx.xx.61.2:445 64.0.96.42:445 xx.xx.191.202:2823 xx.xx.191.202:2823
>> udp xx.xx.61.2:1032 64.0.96.42:1032 64.4.12.201:7001 64.4.12.201:7001
>> tcp xx.xx.61.8:135 64.132.47.202:135 xx.xx.186.156:1530 xx.xx.186.156:1530
>> tcp xx.xx.61.8:445 64.132.47.202:445 xx.xx.52.12:3102 xx.xx.52.12:3102
>> udp xx.xx.61.7:1434 217.139.226.243:1434 222.174.115.18:1032 222.174.115.18:1032
>> tcp xx.xx.61.7:3128 217.139.226.243:3128 59.188.4.140:60257 59.188.4.140:60257
>> tcp xx.xx.61.2:1100 172.16.16.216:1902 69.90.63.96:80 69.90.63.96:80
>> tcp xx.xx.61.2:1174 172.16.16.216:1903 67.15.14.45:80 67.15.14.45:80
>> udp xx.xx.61.2:1904 172.16.16.216:1904 xx.xx.42.2:53 xx.xx.42.2:53
>> udp xx.xx.61.2:1905 172.16.16.216:1905 xx.xx.42.2:53 xx.xx.42.2:53
>> tcp xx.xx.61.2:2464 172.16.16.205:2464 204.127.202.26:25 204.127.202.26:25
>> tcp xx.xx.61.2:2465 172.16.16.205:2465 66.148.71.105:8712 66.148.71.105:8712
>>
>> We permit only the 172.16.0.0/16 network, but we have other IP addresses in the NAT translations, like 64.0.96.42, 64.132.47.202 and 217.139.226.243.
>>
>> Here is the configuration of the router, which is running IOS c7200-js-mz.123-8.T3:
>>
>>
>> aaa new-model
>> !
>> aaa authentication ppp default group radius local
>> aaa authorization network default group radius local
>> aaa accounting network default start-stop group radius
>> aaa session-id unique
>> ip subnet-zero
>> !
>> bba-group pppoe PRIVATE_IP
>>  virtual-template 1
>> !
>> interface GigabitEthernet0/1
>>  bandwidth 100000
>>  ip address x.x.x.x x.x.x.x
>>  ip nat outside
>>  ip virtual-reassembly
>>  ip route-cache flow
>>  duplex auto
>>  speed auto
>>  media-type rj45
>>  no negotiation auto
>>  no keepalive
>>  no cdp enable
>> !
>> interface ATM1/0
>>  no ip address
>>  no atm ilmi-keepalive
>> !
>> interface ATM1/0.1 multipoint
>>  range pvc 10/35 10/135
>>   protocol pppoe group PRIVATE_IP
>>  !
>>  range pvc 12/35 12/135
>>   protocol pppoe group PRIVATE_IP
>>  !
>>  range pvc 13/35 13/135
>>   protocol pppoe group PRIVATE_IP
>>  !
>> !
>> interface Virtual-Template1
>>  ip unnumbered GigabitEthernet0/1
>>  ip access-group 112 in
>>  ip mtu 1492
>>  ip nat inside
>>  ip virtual-reassembly
>>  peer ip address forced
>>  peer default ip address pool PRIVATE_IP_POOL
>>  ppp authentication pap chap
>> !
>> ip local pool PRIVATE_IP_POOL 172.16.0.1 172.16.255.254
>> !
>> ip nat pool NAT_POOL xx.xx.61.1 xx.xx.61.254 netmask 255.255.255.0
>> ip nat inside source list 111 pool NAT_POOL overload
>> !
>> access-list 111 permit ip 172.16.0.0 0.0.255.255 any
>> access-list 111 deny ip any any
>> access-list 112 deny ip any 192.168.0.0 0.0.255.255
>> access-list 112 deny ip any 172.16.0.0 0.15.255.255
>> access-list 112 deny ip any 10.0.0.0 0.255.255.255
>> access-list 112 permit ip 172.16.0.0 0.0.255.255 any
>> access-list 112 deny ip any any
>>
>>
>> Can anyone explain what's happening?
>>
>
>The addresses that are in the translation table that don't appear to match
>the access-list are from all over the planet. One is from an address block
>that belongs to Time Warner Telecom. Another is from an XO block. And yet
>another is for NOOR Technologies out of a block allocated to AFRINIC. So
>to better understand what might be going on, I'm trying to figure out how
>those addresses are transiting your router given the disparate geographies.
>
>Seems like there is part of the picture we are missing. If I didn't know
>any better, I'd say there was another interface that had NAT enabled on it.
>Now all that being said, I'd look at one of the individual translations to
>determine which interfaces are involved and I'd look at doing some
>debugging of NAT to see why the translation is happening.
>
>- --
>=========
>bep
>
>
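A check for the mismatch the thread is about, added here as an example and not code from either poster: it evaluates the posted access-list 111 with IOS wildcard-mask and first-match semantics against the inside-local column of the posted "show ip nat translations" rows and reports the rows the list would never have permitted. The function names and the trimmed sample rows are my own; the rows are copied from the post with its xx.xx masking left in place.

```python
import ipaddress
# ACL 111 as posted; IOS evaluates it top-down and the first match wins.
ACL_111 = """\
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any
"""

# Rows taken from the posted "show ip nat translations" output (xx.xx masking kept).
NAT_TABLE = """\
Pro Inside global Inside local Outside local Outside global
icmp xx.xx.61.2:0 64.0.96.42:0 201.19.11.100:0 201.19.11.100:0
udp xx.xx.61.7:1434 217.139.226.243:1434 222.174.115.18:1032 222.174.115.18:1032
tcp xx.xx.61.2:1100 172.16.16.216:1902 69.90.63.96:80 69.90.63.96:80
"""

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 0 bit must equal the base, a 1 bit is don't-care.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = 0xFFFFFFFF ^ w
    return (a & keep) == (b & keep)

def parse_acl(text):
    # -> [(action, src_base, src_wildcard)]; only the source spec matters here.
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src = ("0.0.0.0", "255.255.255.255") if tok[4] == "any" else (tok[4], tok[5])
        entries.append((tok[2], *src))
    return entries

def acl_permits(entries, addr):
    # First-match evaluation, with the implicit deny IOS appends to every ACL.
    for action, base, wc in entries:
        if wildcard_match(addr, base, wc):
            return action == "permit"
    return False

def leaked_translations(table, entries):
    # (proto, inside_local, outside_local) for rows the NAT list does not permit.
    leaks = []
    for line in table.splitlines()[1:]:  # skip the column header
        proto, _inside_global, inside_local, outside_local, _outside_global = line.split()
        addr = inside_local.rsplit(":", 1)[0]  # drop the port / ICMP id
        if "x" in addr:
            continue  # masked field in the post, cannot be evaluated
        if not acl_permits(entries, addr):
            leaks.append((proto, addr, outside_local))
    return leaks
```

Only the source address is checked because "ip nat inside source list" matches the inside-local source and the posted ACL's destination is "any"; a hit from this check says the entry cannot have come from this NAT statement as written, which is the point Bruce makes about a missing part of the picture.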