01-05-2018 01:43 AM - edited 03-03-2019 08:42 AM
Hi there,
I would like to ask you about something really strange on my router, a C4431. IOS is 3.13.04.S, MD, not deferred.
I have multiple PATs configured; as an example, one with a pool of two public addresses:
ip nat pool NAT_10 xxx.32 xxx.33 netmask 255.255.255.240
And now the issue:
sh ip nat translations filter map-id dynamic 10
Pro Inside global Inside local Outside local Outside global
--- xxx.33 192.168.60.5 --- ---
udp xxx.32:59905 192.168.60.76:61594 yyy:40026 yyy:40026
udp xxx.33:58282 192.168.60.5:58282 zzz:443 zzz:443
That means the PC 192.168.60.5 is accessible from the internet over any port; the show command shows the first row as a STATIC NAT 1:1 (in the show command for dynamic), but there are only PATs in the config! Interesting is that there are several rows with the same inside local address, as you can see in row 3. And of course there are about 50 thousand other rows and everything is working properly at first view.
I can do "clear ip nat translation" with the forced keyword and the line will be deleted, but the next day or week the problem occurs again with a different local address.
But this problem is really dangerous and a security risk. It's hard to find the right keywords about it and find a solution. Any idea? Thanks!
01-05-2018 03:25 AM
Hello
Not sure I understand what you are querying here - can you post the config of the router (if applicable), as it would probably provide a much clearer understanding of your current NAT setup.
res
Paul
01-05-2018 03:56 AM
Hello Paul,
here is the configuration:
ip nat pool NAT_10 xxx.32 xxx.33 netmask 255.255.255.240
ip nat inside source list NAT_10 pool NAT_10 overload
ip access-list standard NAT_10
permit 192.168.60.0 0.0.0.255
You can see it is dynamic NAT/PAT. But it sometimes behaves as a static NAT, as I mentioned above.
01-05-2018 05:15 AM - edited 01-05-2018 05:16 AM
Hello
Still not sure what you mean by behaving like static NAT - you have NAT overload enabled with multiple public addresses in your NAT pool, and as such my understanding is that NAT will round-robin between those two public IP addresses.
This would be applicable as and when an inside host has not initiated an outside connection for a while, so that public IP will now be available to be used by another inside host.
res
Paul
01-05-2018 06:46 AM
> You have NAT overload enabled with multiple public addresses in your NAT pool and as such my understanding is that NAT will round-robin between those two public IP addresses
True, I agree, there should be some kind of round robin between the two public addresses. But look again at the show command: there is a line that looks exactly the same as a line corresponding to a static NAT. This is a real command from the running router and you can see:
Pro Inside global Inside local Outside local Outside global
--- xxx.33 192.168.60.5 --- ---
And I can confirm that due to this line the computer on the inside is accessible from outside; that was tested.
Has somebody seen this kind of bug?
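One way to audit such output automatically, as an added example that is not code from the thread or from Cisco: the script below parses text in the "show ip nat translations" column layout and flags any entry that maps a whole inside address to a pool address with no protocol, port or outside peer, i.e. the kind of row described above, and lists inside hosts that have both such a full entry and ordinary port entries. The sample output (RFC 5737 documentation addresses standing in for the xxx/yyy/zzz placeholders), the pool membership set, the function names and the clear-command syntax built by clear_commands are all assumptions made for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the layout of "show ip nat translations", modelled on the
# lines quoted in the thread. Nothing here was captured from the poster's router.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local        Outside local       Outside global
--- 203.0.113.33       192.168.60.5        ---                 ---
udp 203.0.113.32:59905 192.168.60.76:61594 198.51.100.7:40026  198.51.100.7:40026
udp 203.0.113.33:58282 192.168.60.5:58282  198.51.100.9:443    198.51.100.9:443
tcp 203.0.113.32:1024  192.168.60.10:51000 198.51.100.20:80    198.51.100.20:80
icmp 203.0.113.32:1    192.168.60.20:1     198.51.100.30:1     198.51.100.30:1
"""

# Assumed: the two addresses of the "ip nat pool NAT_10 ... overload" pool,
# mapped into the sample's documentation address space.
POOL_NAT_10: Set[str] = {"203.0.113.32", "203.0.113.33"}


def split_addr(token: str) -> Tuple[Optional[str], Optional[int]]:
    """'ip:port' -> (ip, port); '---' -> (None, None); bare 'ip' -> (ip, None)."""
    if token == "---":
        return None, None
    ip, sep, port = token.rpartition(":")
    if sep and port.isdigit():
        return ip, int(port)
    return token, None


def parse_translations(text: str) -> List[Dict[str, object]]:
    """Parse the five-column translation table; header and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        ig, ig_port = split_addr(parts[1])
        il, il_port = split_addr(parts[2])
        ol, ol_port = split_addr(parts[3])
        og, og_port = split_addr(parts[4])
        entries.append({
            "proto": parts[0],
            "ig": ig, "ig_port": ig_port,
            "il": il, "il_port": il_port,
            "ol": ol, "ol_port": ol_port,
            "og": og, "og_port": og_port,
        })
    return entries


def full_address_entries(entries: List[Dict[str, object]], pool: Set[str]) -> List[Dict[str, object]]:
    """Rows that translate a whole inside address to a pool address: no protocol,
    no ports and no outside peer. In a pool configured only with 'overload' these
    are the rows worth reviewing, because they are not per-flow PAT entries."""
    return [
        e for e in entries
        if e["proto"] == "---"
        and e["ig_port"] is None
        and e["ol"] is None
        and e["ig"] in pool
    ]


def hosts_with_mixed_entries(entries: List[Dict[str, object]]) -> List[str]:
    """Inside-local hosts that appear both in a full-address row and in port rows."""
    full = {e["il"] for e in entries if e["proto"] == "---"}
    ported = {e["il"] for e in entries if e["proto"] != "---"}
    return sorted(h for h in full & ported if h is not None)


def clear_commands(flagged: List[Dict[str, object]]) -> List[str]:
    """Build one clear command per flagged row. The exact CLI form
    ('clear ip nat translation inside <global> <local> forced') is an assumption
    here; check it against the IOS version in use before pasting it."""
    return [f"clear ip nat translation inside {e['ig']} {e['il']} forced" for e in flagged]


if __name__ == "__main__":
    parsed = parse_translations(SAMPLE_OUTPUT)
    for row in full_address_entries(parsed, POOL_NAT_10):
        print("full-address entry:", row["ig"], "->", row["il"])
    print("hosts with both kinds of entry:", hosts_with_mixed_entries(parsed))
    for cmd in clear_commands(full_address_entries(parsed, POOL_NAT_10)):
        print(cmd)
```

Feed it the real output of the show command (for example, saved from the terminal) and the flagged rows are the ones to compare against the running configuration: with a pool that carries only "overload", a full-address row is the thing to explain, not the port rows around it.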
01-06-2018 01:01 AM - edited 01-06-2018 03:01 AM
Hello
Ah yes, I understand now what you are querying. Apologies, I just couldn't see it!
Yes, it does seem strange, what looks like a static NAT ghost entry. Are you able to:
1) reload the router
or
2) change to NVI nat
Option 2 - you should be able to transition without dropping any traffic:
ip nat source list NAT_10 pool NAT_10 overload
int x/x
description WAN
ip nat enable
no ip nat outside
int x/x
description LAN
ip nat enable
no ip nat inside
no ip nat inside source list NAT_10 pool NAT_10 overload
sh ip nat nvi translations
res
Paul