Weird translate entries in IOS.

Garry Cross
Level 1

I am trying to figure out where these entries are coming from.

Here is an example. First two octets are fake. There are many like it.

Pro Inside global     Inside local      Outside local       Outside global

tcp 100.100.243.82:15 100.100.243.82:23 89.120.185.48:39666 89.120.185.48:39666
create 07:06:28, use 07:06:28 timeout:86400000, left 16:53:31, Map-Id(In): 9,
flags:

From the looks of it, an Internet host is connected to the outside address of the router on port 15 and is NATed to port 23.

This would not make sense, as the outside access-list does not permit that port.

The router does have this NAT statement and is running ip inspect on the outside interface.

ip nat inside source route-map nonat interface FastEthernet4 overload

It also has a bunch of inside static entries, all of which are using port translation, i.e.:

ip nat inside source static tcp 192.168.2.32 22 interface FastEthernet4 2113

This produces this translate entry.

tcp 100.100.243.82:2113 192.168.2.32:22 --- ---

Searching the ip inspect table does not produce a hit for 89.120.185.48.

4 Replies

Mark Malone
VIP Alumni

That address (89.120.185.48) is owned by a Romanian telecom. I would check the PC that's communicating with it; Wireshark may show more.

IP: 89.120.185.48
Decimal: 1501083952
Hostname: 89.120.185.48
ASN: 9050
ISP: Telekom Romania Communication S.A
Organization: Telekom Romania Communication S.A

There are multiple of these global addresses. Since there isn't an inside local from 192.168.2.0/24 listed in the translation, the inside local is the router itself, and the global port numbers are ephemeral. It makes me think these are the result of being scanned by these various global addresses. What is weird is why they show up when the ACL would block those first.

This is a legit vpn connection to the router.
udp 100.100.243.82:4500   100.100.243.82:4500   76.68.77.190:50717    76.68.77.190:50717

Here is a sample, with some legit entries for a website and some connections to the router from the same global address.
tcp 100.100.243.82:1026   100.100.243.82:1025   199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:1066   100.100.243.82:51023  199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:1044   100.100.243.82:65342  199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:2977   192.168.2.129:2977    199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:50503  192.168.2.137:50503   199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:50505  192.168.2.137:50505   199.71.174.13:443     199.71.174.13:443

I did a test with command-line telnet to a port, "telnet 100.100.243.82 15" for example.
This is what shows up:
tcp 100.100.243.82:30  100.100.243.82:10  76.68.77.190:51129 76.68.77.190:51129

So weird.

I added deny ip any any log to the access-list.

Got a log entry for an ip hitting the router on port 161.

The translate was there but disappeared after a timeout. Same occurs for other random packets.

tcp 100.100.243.82:161 100.100.243.82:161 93.174.93.94:54565 93.174.93.94:54565
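The reasoning in the replies above (an entry whose inside local is the router's own outside address, with a low router-side port and a high remote port, is an inbound hit on the router rather than a LAN host's traffic) can be turned into a small check over `show ip nat translations` output. The following is an added example, not code from the thread or from Cisco. It parses the table, separates static port-forwards, LAN-host flows and router-self entries, and flags the router-self entries that were opened from outside toward a port the router is not meant to expose. The sample output is constructed from the entries quoted in the thread (the 100.100.x.x prefix is the poster's placeholder), and the set of expected router services (IKE on udp/500 and NAT-T on udp/4500 for the VPN mentioned in the thread) is an assumption for the example.

```python
"""Classify `show ip nat translations` entries to find unsolicited inbound
hits on the router itself. Added example for this thread, not code from the
original post or from Cisco; the sample table below is constructed from the
entries quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries quoted in the thread, plus the header line and a
# `verbose` continuation line, both of which the parser must skip.
SAMPLE = """\
Pro Inside global     Inside local      Outside local       Outside global
tcp 100.100.243.82:15 100.100.243.82:23 89.120.185.48:39666 89.120.185.48:39666
create 07:06:28, use 07:06:28 timeout:86400000, left 16:53:31, Map-Id(In): 9,
tcp 100.100.243.82:2113 192.168.2.32:22 --- ---
udp 100.100.243.82:4500   100.100.243.82:4500   76.68.77.190:50717    76.68.77.190:50717
tcp 100.100.243.82:1026   100.100.243.82:1025   199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:2977   192.168.2.129:2977    199.71.174.13:443     199.71.174.13:443
tcp 100.100.243.82:30  100.100.243.82:10  76.68.77.190:51129 76.68.77.190:51129
tcp 100.100.243.82:161 100.100.243.82:161 93.174.93.94:54565 93.174.93.94:54565
"""

# The NAT outside interface address (the poster's placeholder prefix).
ROUTER_IP = "100.100.243.82"

# Assumption for this example: the only services the router should accept on
# its outside interface are IKE and NAT-T for the VPN mentioned in the thread.
EXPECTED_ROUTER_SERVICES = {("udp", 500), ("udp", 4500)}


@dataclass
class Translation:
    proto: str
    inside_global: tuple[str, int]
    inside_local: tuple[str, int]
    outside_local: Optional[tuple[str, int]]
    outside_global: Optional[tuple[str, int]]


SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def _socket(tok: str) -> Optional[tuple[str, int]]:
    """Turn 'a.b.c.d:port' into (ip, port); '---' (static entry) becomes None."""
    if tok == "---":
        return None
    m = SOCKET_RE.match(tok)
    if not m:
        raise ValueError(f"unexpected socket token: {tok}")
    return m.group(1), int(m.group(2))


def parse_translations(text: str) -> list[Translation]:
    """Parse the table, skipping the header and any verbose continuation lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        entries.append(Translation(proto, _socket(ig), _socket(il), _socket(ol), _socket(og)))
    return entries


def classify(t: Translation, router_ip: str = ROUTER_IP,
             expected: set[tuple[str, int]] = EXPECTED_ROUTER_SERVICES) -> str:
    if t.outside_global is None:
        return "static-port-forward"          # `ip nat inside source static ...` entry
    if t.inside_local[0] != router_ip:
        return "lan-host-outbound"            # a 192.168.2.x host behind the overload NAT
    # From here on the router itself is the inside local: the flow ends on the router.
    if (t.proto, t.inside_global[1]) in expected:
        return "router-service"               # e.g. the VPN peer on udp/4500
    # Decide which side holds the service port. Source ports are ephemeral (high),
    # so a low router-side port facing a high remote port means the remote host
    # opened the connection toward the router, which is what a scan looks like here.
    if t.inside_global[1] < 1024 <= t.outside_global[1]:
        return "unsolicited-inbound"
    if t.outside_global[1] < 1024 <= t.inside_global[1]:
        return "router-outbound"              # the router talking to a remote service
    return "router-ambiguous"                 # both ports high: cannot tell from the table alone


def unsolicited_sources(text: str, **kw) -> list[tuple[str, int]]:
    """Remote addresses that hit the router on unexpected ports, with the
    router-side port each one touched, in order of appearance."""
    return [(t.outside_global[0], t.inside_global[1])
            for t in parse_translations(text) if classify(t, **kw) == "unsolicited-inbound"]


if __name__ == "__main__":
    for t in parse_translations(SAMPLE):
        print(f"{classify(t):22} {t.proto} {t.inside_global} -> {t.outside_global}")
    print("unsolicited:", unsolicited_sources(SAMPLE))
```

On the sample, the three entries with router-side ports 15, 30 and 161 come out as unsolicited inbound, the udp/4500 entry as the expected VPN service, the 1026-to-443 entry as the router's own outbound connection, and the 192.168.2.x entries as LAN traffic. The check only reads the translation table; it says nothing about why an entry exists despite the outside ACL, and a probe against a high port on the router lands in the ambiguous bucket rather than being flagged.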

Garry, FYI

It appears that your 100.100.x.x is Shared Address Space (https://tools.ietf.org/html/rfc6598) and is used by carriers for Carrier-grade NAT.

You will note that, as I mentioned in the original post, the first two octets are fake. I do not want to publish the real address.
