04-12-2011 02:16 PM - edited 03-06-2019 04:35 PM
Hello, friends.
I have recently noticed this when I issue the "sh ip nat trans" command:
Pro Inside global Inside local Outside local Outside global
icmp my_public_ip:14743 my_public_ip:14743 69.63.179.125:14743 69.63.179.125:14743
tcp my_public_ip:30796 my_public_ip:30796 58.1.251.89:47517 58.1.251.89:47517
tcp my_public_ip:30796 my_public_ip:30796 58.1.251.89:47521 58.1.251.89:47521
tcp my_public_ip:30796 my_public_ip:30796 58.1.251.89:47527 58.1.251.89:47527
tcp my_public_ip:30796 my_public_ip:30796 58.1.251.89:47609 58.1.251.89:47609
tcp my_public_ip:30796 my_public_ip:30796 58.1.251.89:47616 58.1.251.89:47616
tcp my_public_ip:30796 my_public_ip:30796 58.1.251.89:47618 58.1.251.89:47618
tcp my_public_ip:30796 my_public_ip:30796 69.124.206.138:61791 69.124.206.138:61791
tcp my_public_ip:30796 my_public_ip:30796 83.4.197.107:53533 83.4.197.107:53533
tcp my_public_ip:30796 my_public_ip:30796 85.187.224.86:63145 85.187.224.86:63145
tcp my_public_ip:30796 my_public_ip:30796 85.187.224.86:63148 85.187.224.86:63148
tcp my_public_ip:30796 my_public_ip:30796 94.73.42.24:27697 94.73.42.24:27697
tcp my_public_ip:30796 my_public_ip:30796 95.87.199.13:57486 95.87.199.13:57486
tcp my_public_ip:30796 my_public_ip:30796 122.31.247.184:4756 122.31.247.184:4756
tcp my_public_ip:30796 my_public_ip:30796 122.122.146.45:2284 122.122.146.45:2284
tcp my_public_ip:30796 my_public_ip:30796 125.54.147.145:51824 125.54.147.145:51824
tcp my_public_ip:30796 my_public_ip:30796 125.54.147.145:52043 125.54.147.145:52043
udp my_public_ip:30796 my_public_ip:30796 79.113.189.78:27135 79.113.189.78:27135
udp my_public_ip:30796 my_public_ip:30796 79.186.53.150:40639 79.186.53.150:40639
udp my_public_ip:30796 my_public_ip:30796 92.205.46.6:24006 92.205.46.6:24006
udp my_public_ip:30796 my_public_ip:30796 118.44.46.81:24845 118.44.46.81:24845
udp my_public_ip:30796 my_public_ip:30796 125.165.17.87:10006 125.165.17.87:10006
tcp my_public_ip:38097 my_public_ip:38097 79.100.85.103:3022 79.100.85.103:3022
udp my_public_ip:42915 my_public_ip:42915 212.21.137.246:50809 212.21.137.246:50809
tcp my_public_ip:50138 my_public_ip:50138 110.66.1.59:54475 110.66.1.59:54475
tcp my_public_ip:51411 my_public_ip:51411 78.90.249.91:61693 78.90.249.91:61693
tcp my_public_ip:54577 my_public_ip:54577 1.36.80.103:65448 1.36.80.103:65448
tcp my_public_ip:54577 my_public_ip:54577 58.1.251.89:47519 58.1.251.89:47519
tcp my_public_ip:54577 my_public_ip:54577 58.1.251.89:47524 58.1.251.89:47524
tcp my_public_ip:54577 my_public_ip:54577 58.1.251.89:47530 58.1.251.89:47530
tcp my_public_ip:54577 my_public_ip:54577 58.1.251.89:47603 58.1.251.89:47603
tcp my_public_ip:54577 my_public_ip:54577 58.1.251.89:47608 58.1.251.89:47608
tcp my_public_ip:54577 my_public_ip:54577 58.1.251.89:47614 58.1.251.89:47614
tcp my_public_ip:54577 my_public_ip:54577 77.35.182.106:62961 77.35.182.106:62961
tcp my_public_ip:54577 my_public_ip:54577 83.4.197.107:53697 83.4.197.107:53697
tcp my_public_ip:54577 my_public_ip:54577 85.187.224.86:63144 85.187.224.86:63144
tcp my_public_ip:54577 my_public_ip:54577 85.187.224.86:63147 85.187.224.86:63147
tcp my_public_ip:54577 my_public_ip:54577 94.73.42.24:41475 94.73.42.24:41475
tcp my_public_ip:54577 my_public_ip:54577 94.208.30.218:49193 94.208.30.218:49193
tcp my_public_ip:54577 my_public_ip:54577 95.87.199.13:57489 95.87.199.13:57489
tcp my_public_ip:54577 my_public_ip:54577 110.33.171.85:55136 110.33.171.85:55136
tcp my_public_ip:54577 my_public_ip:54577 122.31.247.184:4737 122.31.247.184:4737
tcp my_public_ip:54577 my_public_ip:54577 125.54.147.145:51925 125.54.147.145:51925
tcp my_public_ip:54577 my_public_ip:54577 175.140.16.140:57174 175.140.16.140:57174
tcp my_public_ip:54577 my_public_ip:54577 180.11.220.118:53039 180.11.220.118:53039
tcp my_public_ip:54577 my_public_ip:54577 212.25.57.71:1395 212.25.57.71:1395
tcp my_public_ip:54577 my_public_ip:54577 219.33.114.54:64597 219.33.114.54:64597
tcp my_public_ip:54577 my_public_ip:54577 220.255.185.218:2682 220.255.185.218:2682
udp my_public_ip:54577 my_public_ip:54577 77.35.182.106:19246 77.35.182.106:19246
udp my_public_ip:54577 my_public_ip:54577 82.160.125.12:58936 82.160.125.12:58936
udp my_public_ip:54577 my_public_ip:54577 82.160.125.12:59905 82.160.125.12:59905
udp my_public_ip:54577 my_public_ip:54577 89.200.144.13:45848 89.200.144.13:45848
udp my_public_ip:54577 my_public_ip:54577 95.30.147.110:24359 95.30.147.110:24359
udp my_public_ip:54577 my_public_ip:54577 219.117.187.4:11422 219.117.187.4:11422
tcp my_public_ip:60040 my_public_ip:60040 69.124.206.138:61657 69.124.206.138:61657
and I haven't made a mistake when masking the IPs. The weird thing is that I see my public IP address in the second column, when I should see private IP addresses there. After clearing the NAT table the connections reappear. The public address is also the one configured on the WAN interface of the router. What can be the cause? I suspect that a worm is generating the traffic. Is the pattern familiar to anyone?
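One way to summarise a table like the one posted above, as an added example that is not part of the original post: it parses the five-column "show ip nat translations" layout, keeps only the rows whose inside local equals inside global, and counts entries and distinct outside hosts per protocol and port. The sample rows are constructed with documentation addresses and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the column layout of "show ip nat translations"
# (documentation addresses; not taken from the thread).
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 203.0.113.10:30796 203.0.113.10:30796 198.51.100.7:47517 198.51.100.7:47517
tcp 203.0.113.10:30796 203.0.113.10:30796 198.51.100.7:47521 198.51.100.7:47521
udp 203.0.113.10:30796 203.0.113.10:30796 198.51.100.99:27135 198.51.100.99:27135
tcp 203.0.113.10:80 192.168.1.20:80 198.51.100.50:51000 198.51.100.50:51000
tcp 203.0.113.10:3389 192.168.1.30:3389 --- ---
garbage line
"""

def split_endpoint(field):
    """Split 'addr:port' into (addr, port); '---' or a bare address gives port None."""
    addr, sep, port = field.rpartition(":")
    return (addr, int(port)) if sep and port.isdigit() else (field, None)

def parse(text):
    """Yield one dict per translation row, skipping the header and malformed lines."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0].lower() == "pro":
            continue
        yield {"proto": cols[0],
               "inside_global": split_endpoint(cols[1]),
               "inside_local": split_endpoint(cols[2]),
               "outside_global": split_endpoint(cols[4])}

def untranslated_summary(text):
    """Group rows whose inside local equals inside global by (proto, port)."""
    groups = defaultdict(lambda: {"entries": 0, "peers": set()})
    for row in parse(text):
        if row["inside_local"] != row["inside_global"]:
            continue  # normal row: a private address was rewritten
        key = (row["proto"], row["inside_global"][1])
        groups[key]["entries"] += 1
        groups[key]["peers"].add(row["outside_global"][0])
    return {k: (v["entries"], len(v["peers"])) for k, v in groups.items()}

if __name__ == "__main__":
    for (proto, port), (n, peers) in sorted(untranslated_summary(SAMPLE).items()):
        print(f"{proto}/{port}: {n} entries, {peers} distinct outside hosts")
```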
04-12-2011 08:34 PM
Hi Biser,
Please add the NAT configuration and "show ver" from the device.
-Dimitar
04-12-2011 10:52 PM
OK.
show version:
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 18-Oct-07 18:01 by prod_rel_team
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
router uptime is 1 day, 13 hours, 58 minutes
System returned to ROM by error - an unknown failure, PC 0x43431814 at 17:47:20 City Mon Apr 11 2011
System restarted at 17:48:46 City Mon Apr 11 2011
System image file is "flash:c2800nm-advipservicesk9-mz.124-9.T6.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.51) with 157696K/104448K bytes of memory.
Processor board ID FHK1031F27B
6 FastEthernet interfaces
2 ISDN Basic Rate interfaces
1 terminal line
2 Virtual Private Network (VPN) Modules
4 Voice FXO interfaces
4 Voice FXS interfaces
1 cisco service engine(s)
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
and the show run:
ip nat translation timeout 30
ip nat translation max-entries 9000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp private_ip_1 22333 interface FastEthernet0/1 22333
ip nat inside source static tcp private_ip_2 80 interface FastEthernet0/1 80
ip nat inside source static tcp private_ip_2 443 interface FastEthernet0/1 443
ip nat inside source static tcp private_ip_3 81 interface FastEthernet0/1 81
ip nat inside source static tcp pirvate_ip_4 22334 interface FastEthernet0/1 22334
ip nat inside source static tcp private_ip_5 3389 interface FastEthernet0/1 3389
access-list 1 permit any
If you need anything else, just say.
04-14-2011 11:50 PM
bump.
02-22-2012 08:22 AM
Was this issue ever solved? I have a similar issue.