[c-nsp] Not Understanding How External IPs Are Appearing In Show IPNAT Statistics Output

Spencer Barnes spencer at ceiva.com
Tue Feb 26 15:09:32 EST 2008


Actually I think you are right.  I checked my Netflow archives and I see traffic trying to hit that 172.30.50.207 IP that matches what showed in the output of show ip nat statistics.  I've removed the translation as it wasn't needed anymore and hopefully those entries will time out.

Spencer


-----Original Message-----
From: Spencer Barnes 
Sent: Tuesday, February 26, 2008 11:25 AM
To: 'Darryl Dunkin'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Not Understanding How External IPs Are Appearing In Show IPNAT Statistics Output

I did that earlier looking for those external IPs and not one of them was in the show ip nat translations output.  I got rid of the static translation for 172.30.50.207 just to see if that had any effect but it did not.  Since I made the first post, I've seen new external IPs show up in the output (I excluded the 172.30.50.0/24 subnet):

show ip nat statistics | e 172.30
Total active translations: 264 (0 static, 264 dynamic; 264 extended)
Outside interfaces:
  Serial1/0
Inside interfaces: 
  FastEthernet2/0
Hits: 14609  Misses: 613
CEF Translated packets: 15222, CEF Punted packets: 0
Expired translations: 877
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 110 pool poolone refcount 264
 pool poolone: netmask 255.255.255.192
        start 67.135.115.140 end 67.135.115.140
        type generic, total addresses 1, allocated 1 (100%), misses 0
nat-limit statistics:
 All Host Max allowed: 300
 host 219.153.40.149: max allowed 512, used 0, missed 0
 host 192.168.60.94: max allowed 512, used 0, missed 0
 host 192.168.60.95: max allowed 512, used 0, missed 0
 host 218.234.41.8: max allowed 512, used 0, missed 0
 host 195.205.161.184: max allowed 300, used 0, missed 0
 host 192.168.60.96: max allowed 300, used 0, missed 0
 host 192.168.60.97: max allowed 300, used 0, missed 0
 host 192.168.60.98: max allowed 300, used 0, missed 0
 host 221.7.183.84: max allowed 512, used 0, missed 0
 host 24.80.204.208: max allowed 300, used 0, missed 0
 host 192.168.60.10: max allowed 512, used 0, missed 0
 host 97.89.174.201: max allowed 300, used 0, missed 0
 host 192.168.60.11: max allowed 512, used 0, missed 0
 host 125.37.250.194: max allowed 300, used 0, missed 0
 host 62.34.97.24: max allowed 300, used 0, missed 0
 host 222.161.2.23: max allowed 300, used 0, missed 0
 host 123.123.236.129: max allowed 512, used 0, missed 0
 host 60.166.7.242: max allowed 300, used 0, missed 0
 host 221.209.110.13: max allowed 300, used 0, missed 0
 host 137.78.158.42: max allowed 512, used 0, missed 0
 host 66.50.11.14: max allowed 300, used 0, missed 0
 host 218.63.236.143: max allowed 300, used 0, missed 0
 host 202.97.238.202: max allowed 300, used 0, missed 0
 host 124.191.158.205: max allowed 300, used 0, missed 0
 host 58.244.204.154: max allowed 300, used 0, missed 0
 host 121.14.136.101: max allowed 512, used 0, missed 0
 host 218.3.134.250: max allowed 512, used 0, missed 0
 host 88.247.81.84: max allowed 512, used 0, missed 0
 host 67.53.115.181: max allowed 300, used 0, missed 0
 host 136.1.7.55: max allowed 300, used 0, missed 0
 host 202.99.11.99: max allowed 300, used 0, missed 0
 host 67.135.217.194: max allowed 300, used 0, missed 0
 host 218.233.198.25: max allowed 512, used 0, missed 0
 host 58.221.252.230: max allowed 512, used 0, missed 0
Queued Packets: 0

_______________________
Spencer Barnes
Network Administrator
CEIVA Logic, Inc.
spencer at ceiva.com


-----Original Message-----
From: Darryl Dunkin [mailto:ddunkin at netos.net] 
Sent: Tuesday, February 26, 2008 11:14 AM
To: Spencer Barnes; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Not Understanding How External IPs Are Appearing In Show IPNAT Statistics Output

Try "show ip nat translations" instead (if too much, add " | i
218.233.198.25" to that).

You'll get a raw output on the source and destination. Chances are these
will match up to your static translation with 172.30.50.207.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Spencer Barnes
Sent: Tuesday, February 26, 2008 09:34
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Not Understanding How External IPs Are Appearing In
Show IPNAT Statistics Output

Hello,

I'm seeing something I don't understand in the output of the show ip nat
statistics command.  Our border router has two interfaces, a DS3 and an
uplink to our core router.  The border router is running NAT on the
uplink interface to allow particular LAN users access through the DS3 on
one external IP.

Here is the NAT config:

ip nat translation timeout 28800
ip nat translation tcp-timeout 3600
ip nat translation max-entries all-host 300
ip nat pool poolone xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.192
ip nat inside source list 110 pool poolone overload
ip nat inside source static 172.30.50.207 xxx.xxx.xxx.xxx

access-list 110 remark ----NAT Rules----
access-list 110 deny   ip 172.30.50.0 0.0.0.255 172.30.100.0 0.0.0.255
access-list 110 permit ip 172.30.50.0 0.0.0.255 any
access-list 110 permit ip host 192.168.60.10 any
access-list 110 permit ip host 192.168.60.11 any
access-list 110 permit ip host 192.168.60.22 any
access-list 110 permit ip host 192.168.60.30 any
access-list 110 permit ip host 192.168.60.31 any
access-list 110 permit ip host 192.168.60.115 any
access-list 110 permit ip host 192.168.60.94 any
access-list 110 permit ip host 192.168.60.95 any
access-list 110 permit ip host 192.168.60.96 any
access-list 110 permit ip host 192.168.60.97 any
access-list 110 permit ip host 192.168.60.98 any

show ip nat statistics command output:

xxxxxx#show ip nat statistics
Total active translations: 387 (1 static, 386 dynamic; 386 extended)
Outside interfaces:
  Serial1/0
Inside interfaces:
  FastEthernet2/0
Hits: 135555  Misses: 3730
CEF Translated packets: 139179, CEF Punted packets: 234
Expired translations: 3271
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 110 pool poolone refcount 386
 pool poolone: netmask 255.255.255.192
        start xxx.xxx.xxx.xxx end xxx.xxx.xxx.xxx
        type generic, total addresses 1, allocated 1 (100%), misses 0
nat-limit statistics:
 All Host Max allowed: 300
 host 172.30.50.128: max allowed 512, used 1, missed 0
 host 219.153.40.149: max allowed 512, used 0, missed 0
 host 172.30.50.131: max allowed 300, used 5, missed 0
 host 192.168.60.94: max allowed 512, used 0, missed 0
 host 192.168.60.95: max allowed 512, used 0, missed 0
 host 218.234.41.8: max allowed 512, used 0, missed 0
 host 221.7.183.84: max allowed 512, used 0, missed 0
 host 172.30.50.196: max allowed 512, used 0, missed 0
 host 172.30.50.201: max allowed 512, used 0, missed 0
 host 192.168.60.10: max allowed 512, used 0, missed 0
 host 192.168.60.11: max allowed 512, used 0, missed 0
 host 222.161.2.23: max allowed 300, used 0, missed 0
 host 123.123.236.129: max allowed 512, used 0, missed 0
 host 137.78.158.42: max allowed 512, used 0, missed 0
 host 172.30.50.5: max allowed 512, used 6, missed 0
 host 218.63.236.143: max allowed 300, used 0, missed 0
 host 172.30.50.9: max allowed 512, used 0, missed 0
 host 172.30.50.21: max allowed 512, used 3, missed 0
 host 172.30.50.22: max allowed 512, used 0, missed 0
 host 172.30.50.23: max allowed 512, used 2, missed 0
 host 172.30.50.24: max allowed 512, used 3, missed 0
 host 172.30.50.25: max allowed 512, used 4, missed 0
 host 121.14.136.101: max allowed 512, used 0, missed 0
 host 218.3.134.250: max allowed 512, used 0, missed 0
 host 172.30.50.41: max allowed 512, used 22, missed 0
 host 88.247.81.84: max allowed 512, used 0, missed 0
 host 172.30.50.105: max allowed 512, used 1, missed 0
 host 218.233.198.25: max allowed 512, used 0, missed 0
 host 58.221.252.230: max allowed 512, used 0, missed 0
Queued Packets: 0

The 172.30.50.0/24 subnet is used by our users.  Why are IPs from
external networks showing up in this output, such as 218.233.198.25 and
58.221.252.230?  Shouldn't the only IPs in this command output be the
ones I permitted via the ACL?

Thank you for your help,

Spencer

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
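The check the original question is really asking for, as an added example that is not part of the thread and not Cisco tooling: parse the permit entries of the NAT ACL and the nat-limit table of show ip nat statistics, and list the hosts the table counts that no permit ACE covers. The sample ACL and output are trimmed copies of the lines in the post; the line formats are assumed to be exactly as shown there, and wildcard masks are assumed contiguous.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ACL and nat-limit section in the post.
ACL = """
access-list 110 deny   ip 172.30.50.0 0.0.0.255 172.30.100.0 0.0.0.255
access-list 110 permit ip 172.30.50.0 0.0.0.255 any
access-list 110 permit ip host 192.168.60.10 any
access-list 110 permit ip host 192.168.60.94 any
"""
NAT_STATS = """
nat-limit statistics:
 All Host Max allowed: 300
 host 172.30.50.128: max allowed 512, used 1, missed 0
 host 219.153.40.149: max allowed 512, used 0, missed 0
 host 192.168.60.94: max allowed 512, used 0, missed 0
 host 218.233.198.25: max allowed 512, used 0, missed 0
 host 58.221.252.230: max allowed 512, used 0, missed 0
Queued Packets: 0
"""
HOST_RE = re.compile(r"^\s*host\s+(\S+):\s+max allowed\s+(\d+),\s+used\s+(\d+),\s+missed\s+(\d+)")

def acl_sources(acl_text):
    """Source networks of the 'permit ip' ACEs; deny and remark lines are skipped.
    Wildcard masks are assumed contiguous (0.0.0.255 -> /24)."""
    nets = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        if tok[4] == "host":
            nets.append(ipaddress.ip_network(tok[5] + "/32"))
        elif tok[4] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            prefix = 32 - int(ipaddress.ip_address(tok[5])).bit_length()
            nets.append(ipaddress.ip_network(f"{tok[4]}/{prefix}", strict=False))
    return nets

def nat_limit_hosts(stats_text):
    """(address, used) for every 'host ...' line of the nat-limit table."""
    return [(ipaddress.ip_address(m.group(1)), int(m.group(3)))
            for m in map(HOST_RE.match, stats_text.splitlines()) if m]

def unexpected_hosts(acl_text, stats_text):
    """Hosts the nat-limit table counts that no permit ACE covers. Per the
    thread these are outside peers of the static 172.30.50.207 mapping."""
    permitted = acl_sources(acl_text)
    return [str(ip) for ip, _ in nat_limit_hosts(stats_text)
            if not any(ip in net for net in permitted)]
```

Feed it the full ACL and the full output from the post and the same three-way split appears: inside hosts, the 192.168.60.x hosts, and a set of outside addresses that the dynamic inside-source rule never permitted.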

