NAT ACL Questions
Post new topic   Reply to topic    Forum Index -> comp.dcom.sys.cisco
Author: Guest
Posted: Thu Oct 25, 2007 8:07 pm    Post subject: NAT ACL Questions

Hi,

I am having an 'interesting' time trying to figure out some log
entries associated with NAT on IOS 12.4 on a 28xx router. Here
are some relevant snippets of the config:

interface GigabitEthernet0/0
description Uplink to Internet
ip address STATIC.NETBLOCK.IP.253 255.255.255.224
ip access-group internet-in in
ip nat outside
...
!
interface GigabitEthernet0/1
description Downlink from firewall
ip address WAN.NETBLOCK.1.253 255.255.255.252
ip nat inside
...
!
ip nat pool corp-natpool STATIC.NETBLOCK.IP.251 STATIC.NETBLOCK.IP.252 prefix-length 27
ip nat inside source list 10 pool corp-natpool overload
ip nat inside source static tcp A.WAN.NETBLOCK.IP PORT_I STATIC.NETBLOCK.IP.250 PORT_O extendable
.... more static NATs ...
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 deny any log
!


I used 'log' on the deny to see if any internal systems were spoofing
IPs. (Yes, I know that 'deny' does not deny access, and that it only
indicates that the packet is not NAT-ed.) The resulting log messages
were 'interesting' and really did not make a lot of sense:

list 10 denied 0 0.0.0.0 -> A.STATIC.NAT.IP, 6 packets
list 10 denied 0 0.0.0.0 -> A.DYNAMIC.NAT.IP, 7 packets
list 10 denied 0 0.0.0.0 -> A.ROUTED.INTERNET.IP, 8 packets

Not sure where my null source IPs were coming from, I put ACLs on each
interface to log them inbound, but I never saw any. Thus, I came to the
conclusion the router must be generating them. Next, I started sniffing
(tshark) outbound traffic, but again never saw any null source IPs.

Figuring the standard ACLs were not giving me enough information, I made
the following configuration changes:

ip access-list extended ip-nat-pool
permit ip 10.0.0.0 0.255.255.255 any
deny ip any any log-input
!
ip nat inside source list ip-nat-pool pool corp-natpool overload
no ip nat inside source list 10 pool corp-natpool overload


Now, I started getting some really interesting output!

list ip-nat-pool denied udp A.ROUTED.INTERNET.IP(0) (GigabitEthernet0/1 ) -> A.ROUTED.INTERNET.IP(0), 1 packet
list ip-nat-pool denied udp A.STATIC.NETBLOCK.IP(0) (GigabitEthernet0/1 ) -> A.ROUTED.INTERNET.IP(0), 1 packet
list ip-nat-pool denied udp STATIC.NETBLOCK.IP.253(0) -> A.ROUTED.INTERNET.IP(0), 1 packet
list ip-nat-pool denied tcp A.STATIC.NETBLOCK.IP(0) -> A.ROUTED.INTERNET.IP(0), 6 packets
list ip-nat-pool denied icmp A.STATIC.NETBLOCK.IP -> A.ROUTED.INTERNET.IP (0/0), 2 packets

A few observations:
1) Only UDP packets ever generate an interface name associated with
the log message, and then, only IP addresses that are NOT the IP
assigned to the Internet facing interface. More interestingly,
many of the UDP packets claim to have a global IP address
originating from an interface that has only WAN IPs. (I have sniffed
the network to ensure that no global IPs are actually inbound to
the GigabitEthernet0/1 interface.)

2) All UDP and TCP source and destination ports are "0" and all ICMP
is type "0/0". In addition, the ICMP Echo Reply (0/0) is NOT sent
in response to an ICMP Echo Request.

3) The original standard ACLs appear to be logging completely
different information for the same event. That is, protocol=0 and
source_IP=0.0.0.0 for standard ACLs vs. UDP or TCP traffic with
varying source IPs, but with source and destination port=0, or
ICMP 0/0 entries with similar characteristics.

Question! Can anyone explain these observed behaviors?


Now, this is what I **REALLY** do not understand. Consider the following:

host-behind-firewall$ ping -c3 scanme.insecure.org
.... ping works, output deleted...

Router log entry with same time stamp as start of ping:
list ip-nat-pool denied udp 205.217.153.62(0) (GigabitEthernet0/1 ) -> FWD.NAME.SERVER.IP(0), 1 packet

host-behind-firewall$ host scanme.insecure.org
scanme.insecure.org has address 205.217.153.62


Question! Why does some activity associated with the ping (clearly,
not the name server lookup) cause the router to generate a UDP packet
that appears to originate from the interface to the firewall, and have
a source IP of the address to be pinged and a destination address
(global IP) of the name server doing the lookup?


I would really like to understand what is going on here. Any help
GREATLY appreciated!
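A small parser for the ACL log shapes quoted in this post, added here as an example and not code from the original post or from Cisco. It assumes the log bodies keep the layout shown above (standard-ACL form, and extended-ACL log-input form with an optional interface name after the source) and uses constructed RFC 5737 addresses; it flags the field combinations the post calls out (0.0.0.0 source, protocol 0, ports 0/0, ICMP 0/0) so they can be separated from genuine spoofing hits when reviewing a log.

```python
import re

# Regex for the ACL log bodies quoted in the post: standard-ACL form
# ("list 10 denied 0 0.0.0.0 -> X, 6 packets") and extended-ACL log-input form,
# where udp/tcp carry "(port)", icmp carries "(type/code)" after the destination,
# and an optional "(ifname )" follows the source address.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>[^)]*?)\s*\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r", (?P<count>\d+) packets?$"
)

def parse_line(line):
    """Return the named fields of one ACL log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["count"] = int(fields["count"])
    return fields

def anomalies(e):
    """Flag field combinations that a real forwarded packet should not produce."""
    flags = []
    if e["src"] == "0.0.0.0":
        flags.append("null-source")
    if e["proto"] == "0":
        flags.append("protocol-0")
    if e["proto"] in ("tcp", "udp") and e["sport"] == "0" and e["dport"] == "0":
        flags.append("zero-ports")
    if e["proto"] == "icmp" and (e["itype"], e["icode"]) == ("0", "0"):
        flags.append("icmp-0/0")
    return flags

def triage(lines):
    """Map each parsable line to its flags; lines with no flags look like genuine traffic."""
    return {ln: anomalies(e) for ln in lines if (e := parse_line(ln)) is not None}

# Constructed sample lines (RFC 5737 addresses) mirroring the shapes quoted in the post.
SAMPLE = [
    "list 10 denied 0 0.0.0.0 -> 192.0.2.10, 6 packets",
    "list ip-nat-pool denied udp 198.51.100.7(0) (GigabitEthernet0/1 ) -> 192.0.2.10(0), 1 packet",
    "list ip-nat-pool denied tcp 198.51.100.7(0) -> 192.0.2.10(0), 6 packets",
    "list ip-nat-pool denied icmp 198.51.100.7 -> 192.0.2.10 (0/0), 2 packets",
    "list ip-nat-pool denied tcp 10.1.2.3(51514) (GigabitEthernet0/1 ) -> 192.0.2.10(443), 1 packet",
]
```

Entries that come back with an empty flag list (like the last sample, a real source port and destination port) are the ones worth chasing as possible spoofing; the flagged ones share the shape of the bogus entries the post describes.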
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.