10-09-2014 11:05 AM - edited 03-04-2019 11:56 PM
Good day,
I am having trouble setting up a PAT rule for a UDP based service on our 2901/K9. I have a server that presents its services on ports 9090 TCP and 9090 UDP. It works fine within the network, but outside the network I cannot get the UDP side working. Not sure what is tripping this up. On our ASA I would use Packet Tracer to help find the issue, but since the 2901 does not have that I have not been able to find the issue.
The applicable rules look like this (below), and the TCP related rules are working but the UDP ones do not seem to be working at all.
ip nat inside source static tcp <PRIVATE IP> 9090 <PUBLIC IP> 9090 extendable
ip nat inside source static udp <PRIVATE IP> 9090 <PUBLIC IP> 9090 extendable
ip access-list extended INFILTER
permit tcp any host <PUBLIC IP> eq 9090
permit udp any host <PUBLIC IP> eq 9090
ip access-list extended OUTFILTER
permit tcp any any
permit udp any any
The firewall app is in use with the default UDP and TCP inspection filter (along with dns rtsp etc), but I don't think there is anything in the inspections tied to this specific udp port.
Any help would be appreciated!
Dave
10-09-2014 12:46 PM
Wish I had a router running IOS doing NAT right now... Sigh.
- 'show access-list'
- 'show ip nat translations'
10-09-2014 12:30 PM
Hi Dave,
Your NAT looks good. Can you post any debugs of the UDP NAT or show command output from your ACLs or NAT hits?
10-09-2014 12:41 PM
Hello Jefe,
It's a production router (24/7) so I hesitate to run debugs on it. Not sure how to see the ACL or NAT hits, would definitely appreciate pointers on that.
10-09-2014 01:10 PM
Jefe..
Below is the output. Nothing leaps out other than the complete lack of hits.
(and my redundant items on the outbound list)
show access-list (sanitized and only showing this IP)
Extended IP access list INFILTER
50 permit icmp any any (524 matches)
240 permit tcp any host <Host Public IP> eq www (137238 matches)
250 permit tcp any host <Host Public IP> eq 3389 (837752 matches)
280 permit tcp any eq 443 host <Host Public IP> eq 443
390 permit tcp any host <Host Public IP> eq www (22259 matches)
460 permit tcp any host <Host Public IP> eq 9090
470 permit tcp any host <Host Public IP> eq 5060
480 permit udp any host <Host Public IP> eq 5060 (4 matches)
490 permit udp any host <Host Public IP> eq 9090
Extended IP access list NAT
10 permit ip 192.168.0.0 0.0.0.255 any (31425 matches)
Extended IP access list OUTFILTER
10 permit ip any any (739803 matches)
20 permit tcp any any
30 permit udp host 192.168.0.104 any
40 permit udp host 192.168.0.100 any
50 permit udp any any
sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp <Host Public IP>:80 192.168.0.104:80 164.77.39.167:50025 164.77.39.167:50025
tcp <Host Public IP>:80 192.168.0.104:80 164.77.39.167:50026 164.77.39.167:50026
tcp <Host Public IP>:80 192.168.0.104:80 164.77.39.167:50027 164.77.39.167:50027
tcp <Host Public IP>:80 192.168.0.104:80 165.182.186.131:51844 165.182.186.131:51844
tcp <Host Public IP>:80 192.168.0.104:80 165.182.186.131:62163 165.182.186.131:62163
tcp <Host Public IP>:80 192.168.0.104:80 --- ---
tcp <Host Public IP>:5060 192.168.0.104:5060 --- ---
udp <Host Public IP>:5060 192.168.0.104:5060 --- ---
tcp <Host Public IP>:9090 192.168.0.104:9090 --- ---
udp <Host Public IP>:9090 192.168.0.104:9090 --- ---
tcp <Host Public IP>:3460 192.168.0.106:3460 --- ---
Other
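As an added example (not from the thread, Cisco, or the poster), a small Python parser over output shaped like the show access-list and show ip nat translations listings above. It flags permit entries with zero matches and static port mappings with no live session rows, which is the zero-hit signal that pointed Dave at DNS; the addresses are constructed and stand in for the sanitized <Host Public IP>.

```python
import re
# Constructed sample modelled on the thread's sanitized output; 203.0.113.10 stands in for <Host Public IP>.
SHOW_ACCESS_LIST = """\
Extended IP access list INFILTER
    250 permit tcp any host 203.0.113.10 eq 3389 (837752 matches)
    460 permit tcp any host 203.0.113.10 eq 9090
    480 permit udp any host 203.0.113.10 eq 5060 (4 matches)
    490 permit udp any host 203.0.113.10 eq 9090
"""
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:80    192.168.0.104:80   198.51.100.7:50025 198.51.100.7:50025
tcp 203.0.113.10:80    192.168.0.104:80   ---                ---
tcp 203.0.113.10:9090  192.168.0.104:9090 ---                ---
udp 203.0.113.10:9090  192.168.0.104:9090 ---                ---
"""
# seq, action, protocol, the rest of the ACE, optional "(N matches)" counter
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_access_list(text):
    """Map each ACL name to its entries as (seq, action, proto, rest, match_count)."""
    acls, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^Extended IP access list (\S+)", line)
        if head:
            current = head.group(1)
            acls[current] = []
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            seq, action, proto, rest, hits = ace.groups()
            acls[current].append((int(seq), action, proto, rest.strip(), int(hits or 0)))
    return acls

def zero_hit_permits(acls, name):
    """Permit entries that have never matched: inbound traffic for them is not reaching the router."""
    return [(seq, proto, rest) for seq, action, proto, rest, hits in acls.get(name, [])
            if action == "permit" and hits == 0]

def idle_static_nat(text):
    """Static port mappings (the '--- ---' rows) with no active session row for the same inside global socket."""
    static, active = [], set()
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, inside_global, _, outside_local, _ = parts
        if outside_local == "---":
            static.append((proto, inside_global))
        else:
            active.add((proto, inside_global))
    return [s for s in static if s not in active]
```

Run against real output, a static mapping that shows up as idle while its ACE also has zero matches means the packets never arrived at the outside interface, so the problem is upstream (DNS, provider filtering) rather than in the NAT configuration.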
10-09-2014 01:11 PM
I noticed you're in the 400+ range with your INFILTER ACL - any chance this is an order of operations issue? For example, are you hitting another rule lower in the ACL?
10-09-2014 02:18 PM
I don't think so.
The others are all specific to the public IPs and they are solely permits so they should not apply to this particular IP/Port. There are no other UDP rules other than for port 53 on the other hosts.
I am going to check if our provider has any upstream UDP filters in place, I cannot account for this so far. Do you know of any global settings that would affect only UDP (I don't remember any in this router, but I'm looking through the config again now).
Dave
10-09-2014 04:43 PM
Hello Dave,
What kind of application are you using? It might be the NAT ALG dropping this connection.
In other cases ISPs tend to block certain ports; have you checked with them and made sure you can get to that port from the outside world?
Regards,
Alex Sanchez
CCIE R&S #37454
10-10-2014 05:42 AM
Hi Alex and Jefe,
Found the problem. It was a combination of an external filter (switched the UDP port of App), and a split DNS issue sending external users to a different IP. The first only clobbered UDP, the second clobbered all external access.
Went through everything one step at a time last night and found both issues.
Jefe - thanks for suggesting looking at access-list hits; it was the zero count on the TCP NAT that made me look at DNS. Even with UDP issues, the DNS should have matched the hits on UDP.
Even though it wasn't the 'precise' issue, I am marking your response as correct because it pointed me in the right direction.
Thanks to both of you for your help!
Dave