log packets flowing through NAT?

crock
Level 1

I'm trying to troubleshoot a problem with accessing a server behind NAT on a Cisco 7204 with NPE-G1 and IOS 12.4.

I have access-lists permitting traffic with the IP I'm interested in and log-input.

I have those applied to all interfaces, inside and out, and the inside interface ACLs have the internal IP of interest.

I have traffic being logged upstream from a similar router with similar ACLs, but nothing from this router doing NAT.

It's like the packets are not triggering the ACLs to log their traversal.

What am I missing? Is there another way to log these packets to make sure they are flowing in and out of this device?

Thanks,

Chuck

7204 config

interface GigabitEthernet0/1
description Outside public ethernet interface
ip access-group 113 in
ip access-group 114 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
rate-limit input access-group 185 60000000 1500000 3000000 conform-action continue exceed-action drop
rate-limit output access-group 185 60000000 1500000 3000000 conform-action continue exceed-action drop
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface GigabitEthernet0/2
description Inside private ethernet
ip access-group 134 in
no ip redirects
no ip proxy-arp
ip flow ingress
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 EIGRPkey
ip nat inside
ip virtual-reassembly
ip policy route-map WLAN
duplex auto
speed auto
media-type rj45
no negotiation auto
!

access-list 113 permit tcp any host 6.9.6.242 eq 443 log-input ACL-tag
access-list 113 permit tcp host 6.9.6.242 any eq 443 log-input ACL-tag
access-list 113 permit ip any any

access-list 114 permit tcp any host 6.9.6.242 eq 443 log-input ACL-tag
access-list 114 permit tcp host 6.9.6.242 any eq 443 log-input ACL-tag
access-list 114 permit ip any any

access-list 134 permit tcp host 10.0.1.139 any eq 443 log-input ACL-tag
access-list 134 permit tcp any host 10.0.1.139 eq 443 log-input ACL-tag
access-list 134 permit ip any any

ip nat pool test1 6.9.6.242 6.9.6.242 netmask 255.255.255.248

ip nat inside source list 14 pool test1 overload

ip nat inside source static tcp 10.0.1.139 443 6.9.6.242 443 extendable

access-list 14 remark test1 pool
access-list 14 permit 10.0.1.139

1 Reply

Francesco Molino
VIP Alumni

Hi

You're not getting any logs because they are passing through the permit ip any any.

You are missing on ACL 114

access-list 114 permit tcp host 6.9.6.242 eq 443 any log-input ACL-tag

You are missing on ACL 134

access-list 134 permit tcp host 10.0.1.139 eq 443 any log-input ACL-tag

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this solved your issue.
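The reply's point, that the server's return traffic carries 443 as the source port and so falls through to permit ip any any without ever hitting a log-input entry, can be checked with this small model of IOS first-match ACL evaluation. It is an added example, not code from the thread or from Cisco IOS; the ACE and Packet types, first_match, and the client address 198.51.100.7 are constructed for illustration, and the same logic applies to ACL 114, where the outbound ACL on the outside interface sees the post-NAT global address 6.9.6.242.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# A packet as the ACL sees it at the point of evaluation (constructed model, not IOS code).
Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass(frozen=True)
class ACE:
    """One permit entry of an extended ACL; ports model 'eq N' on the source or destination side."""
    proto: str                # "tcp" or "ip"
    src: str                  # host address or "any"
    src_port: Optional[int]   # 'eq N' written right after the source address
    dst: str
    dst_port: Optional[int]   # 'eq N' written right after the destination address
    log: bool = False         # True when the entry carries log-input

def matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.src_port is not None and ace.src_port != pkt.sport:
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dport

def first_match(acl: List[ACE], pkt: Packet) -> Optional[int]:
    """IOS evaluates top-down and the first match wins; None models the implicit deny."""
    return next((i for i, ace in enumerate(acl) if matches(ace, pkt)), None)

def is_logged(acl: List[ACE], pkt: Packet) -> bool:
    i = first_match(acl, pkt)
    return i is not None and acl[i].log

# ACL 134 as posted in the question, then with the reply's extra entry inserted above permit ip any any.
ACL_134 = [
    ACE("tcp", "10.0.1.139", None, "any", 443, log=True),
    ACE("tcp", "any", None, "10.0.1.139", 443, log=True),
    ACE("ip", "any", None, "any", None),
]
ACL_134_FIXED = ACL_134[:2] + [ACE("tcp", "10.0.1.139", 443, "any", None, log=True)] + ACL_134[2:]

# Constructed return packet: the server answers from source port 443; 198.51.100.7 is a made-up client.
RETURN_PKT = Packet("tcp", "10.0.1.139", 443, "198.51.100.7", 51234)
# first_match(ACL_134, RETURN_PKT) -> 2 (permit ip any any, not logged)
# first_match(ACL_134_FIXED, RETURN_PKT) -> 2 (the added entry, logged)
```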