Strange NAT translation entries.

bisermilanov
Level 1

Hello, friends.

I have recently noticed this when I issue the "sh ip nat trans" command:

Pro Inside global         Inside local          Outside local         Outside global
icmp my_public_ip:14743   my_public_ip:14743    69.63.179.125:14743   69.63.179.125:14743
tcp my_public_ip:30796    my_public_ip:30796    58.1.251.89:47517     58.1.251.89:47517
tcp my_public_ip:30796    my_public_ip:30796    58.1.251.89:47521     58.1.251.89:47521
tcp my_public_ip:30796    my_public_ip:30796    58.1.251.89:47527     58.1.251.89:47527
tcp my_public_ip:30796    my_public_ip:30796    58.1.251.89:47609     58.1.251.89:47609
tcp my_public_ip:30796    my_public_ip:30796    58.1.251.89:47616     58.1.251.89:47616
tcp my_public_ip:30796    my_public_ip:30796    58.1.251.89:47618     58.1.251.89:47618
tcp my_public_ip:30796    my_public_ip:30796    69.124.206.138:61791  69.124.206.138:61791
tcp my_public_ip:30796    my_public_ip:30796    83.4.197.107:53533    83.4.197.107:53533
tcp my_public_ip:30796    my_public_ip:30796    85.187.224.86:63145   85.187.224.86:63145
tcp my_public_ip:30796    my_public_ip:30796    85.187.224.86:63148   85.187.224.86:63148
tcp my_public_ip:30796    my_public_ip:30796    94.73.42.24:27697     94.73.42.24:27697
tcp my_public_ip:30796    my_public_ip:30796    95.87.199.13:57486    95.87.199.13:57486
tcp my_public_ip:30796    my_public_ip:30796    122.31.247.184:4756   122.31.247.184:4756
tcp my_public_ip:30796    my_public_ip:30796    122.122.146.45:2284   122.122.146.45:2284
tcp my_public_ip:30796    my_public_ip:30796    125.54.147.145:51824  125.54.147.145:51824
tcp my_public_ip:30796    my_public_ip:30796    125.54.147.145:52043  125.54.147.145:52043
udp my_public_ip:30796    my_public_ip:30796    79.113.189.78:27135   79.113.189.78:27135
udp my_public_ip:30796    my_public_ip:30796    79.186.53.150:40639   79.186.53.150:40639
udp my_public_ip:30796    my_public_ip:30796    92.205.46.6:24006     92.205.46.6:24006
udp my_public_ip:30796    my_public_ip:30796    118.44.46.81:24845    118.44.46.81:24845
udp my_public_ip:30796    my_public_ip:30796    125.165.17.87:10006   125.165.17.87:10006
tcp my_public_ip:38097    my_public_ip:38097    79.100.85.103:3022    79.100.85.103:3022
udp my_public_ip:42915    my_public_ip:42915    212.21.137.246:50809  212.21.137.246:50809
tcp my_public_ip:50138    my_public_ip:50138    110.66.1.59:54475     110.66.1.59:54475
tcp my_public_ip:51411    my_public_ip:51411    78.90.249.91:61693    78.90.249.91:61693
tcp my_public_ip:54577    my_public_ip:54577    1.36.80.103:65448     1.36.80.103:65448
tcp my_public_ip:54577    my_public_ip:54577    58.1.251.89:47519     58.1.251.89:47519
tcp my_public_ip:54577    my_public_ip:54577    58.1.251.89:47524     58.1.251.89:47524
tcp my_public_ip:54577    my_public_ip:54577    58.1.251.89:47530     58.1.251.89:47530
tcp my_public_ip:54577    my_public_ip:54577    58.1.251.89:47603     58.1.251.89:47603
tcp my_public_ip:54577    my_public_ip:54577    58.1.251.89:47608     58.1.251.89:47608
tcp my_public_ip:54577    my_public_ip:54577    58.1.251.89:47614     58.1.251.89:47614
tcp my_public_ip:54577    my_public_ip:54577    77.35.182.106:62961   77.35.182.106:62961
tcp my_public_ip:54577    my_public_ip:54577    83.4.197.107:53697    83.4.197.107:53697
tcp my_public_ip:54577    my_public_ip:54577    85.187.224.86:63144   85.187.224.86:63144
tcp my_public_ip:54577    my_public_ip:54577    85.187.224.86:63147   85.187.224.86:63147
tcp my_public_ip:54577    my_public_ip:54577    94.73.42.24:41475     94.73.42.24:41475
tcp my_public_ip:54577    my_public_ip:54577    94.208.30.218:49193   94.208.30.218:49193
tcp my_public_ip:54577    my_public_ip:54577    95.87.199.13:57489    95.87.199.13:57489
tcp my_public_ip:54577    my_public_ip:54577    110.33.171.85:55136   110.33.171.85:55136
tcp my_public_ip:54577    my_public_ip:54577    122.31.247.184:4737   122.31.247.184:4737
tcp my_public_ip:54577    my_public_ip:54577    125.54.147.145:51925  125.54.147.145:51925
tcp my_public_ip:54577    my_public_ip:54577    175.140.16.140:57174  175.140.16.140:57174
tcp my_public_ip:54577    my_public_ip:54577    180.11.220.118:53039  180.11.220.118:53039
tcp my_public_ip:54577    my_public_ip:54577    212.25.57.71:1395     212.25.57.71:1395
tcp my_public_ip:54577    my_public_ip:54577    219.33.114.54:64597   219.33.114.54:64597
tcp my_public_ip:54577    my_public_ip:54577    220.255.185.218:2682  220.255.185.218:2682
udp my_public_ip:54577    my_public_ip:54577    77.35.182.106:19246   77.35.182.106:19246
udp my_public_ip:54577    my_public_ip:54577    82.160.125.12:58936   82.160.125.12:58936
udp my_public_ip:54577    my_public_ip:54577    82.160.125.12:59905   82.160.125.12:59905
udp my_public_ip:54577    my_public_ip:54577    89.200.144.13:45848   89.200.144.13:45848
udp my_public_ip:54577    my_public_ip:54577    95.30.147.110:24359   95.30.147.110:24359
udp my_public_ip:54577    my_public_ip:54577    219.117.187.4:11422   219.117.187.4:11422
tcp my_public_ip:60040    my_public_ip:60040    69.124.206.138:61657  69.124.206.138:61657


and I haven't made a mistake when masking the IPs. The weird thing is that I see my public IP address in the second column when I should see private IP addresses there. After clearing the NAT table the connections reappear. The public address is also the one configured on the WAN interface of the router. What can be the cause? I suspect that a worm is generating the traffic. Is the pattern familiar to anyone?
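
A triage sketch for output like the table in the question, added here as an example and not part of the original post: it parses "show ip nat translations" text and, for rows whose inside local endpoint equals the inside global endpoint, groups the outside peers by protocol and local port. The sample rows (documentation address ranges) and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout of "show ip nat translations" output;
# addresses are documentation ranges, not values from the thread.
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:30796    203.0.113.10:30796    198.51.100.7:47517    198.51.100.7:47517
tcp 203.0.113.10:30796    203.0.113.10:30796    198.51.100.7:47521    198.51.100.7:47521
udp 203.0.113.10:30796    203.0.113.10:30796    198.51.100.9:27135    198.51.100.9:27135
tcp 203.0.113.10:54577    203.0.113.10:54577    192.0.2.44:65448      192.0.2.44:65448
tcp 203.0.113.10:80       10.0.0.5:80           192.0.2.80:51000      192.0.2.80:51000
tcp 203.0.113.10:22333    10.0.0.6:22333        ---                   ---
"""

def split_endpoint(token):
    """Split 'addr:port' into (addr, port); '---' or a bare address gives port None."""
    addr, sep, port = token.rpartition(":")
    return (addr, int(port)) if sep and port.isdigit() else (token, None)

def parse_nat_table(text):
    """Yield one dict per translation row, skipping the header and blank lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].lower() == "pro":
            continue  # header splits into more than five tokens
        proto, ig, il, _ol, og = fields
        yield {"proto": proto, "inside_global": split_endpoint(ig),
               "inside_local": split_endpoint(il),
               "outside_global": split_endpoint(og)}

def untranslated_summary(text):
    """Map (proto, local port) -> sorted outside peers for rows where
    inside local equals inside global, i.e. no address was rewritten."""
    peers = defaultdict(set)
    for row in parse_nat_table(text):
        if row["inside_local"] == row["inside_global"]:
            port = row["inside_local"][1]
            peers[(row["proto"], port)].add(row["outside_global"][0])
    return {key: sorted(val) for key, val in peers.items()}

if __name__ == "__main__":
    for (proto, port), hosts in sorted(untranslated_summary(SAMPLE).items()):
        print(f"{proto}/{port}: {len(hosts)} outside peer(s): {', '.join(hosts)}")
```

The ports that collect the most distinct outside peers are the ones to match against listening services or packet captures on the inside hosts and on the router itself.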

4 Replies

dhristov
Cisco Employee

Hi Biser,

Please add the NAT configuration and "show ver" from the device.

-Dimitar

OK.

show version:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 18-Oct-07 18:01 by prod_rel_team

ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

router uptime is 1 day, 13 hours, 58 minutes
System returned to ROM by error - an unknown failure, PC 0x43431814 at 17:47:20 City Mon Apr 11 2011
System restarted at 17:48:46 City Mon Apr 11 2011
System image file is "flash:c2800nm-advipservicesk9-mz.124-9.T6.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 157696K/104448K bytes of memory.
Processor board ID FHK1031F27B
6 FastEthernet interfaces
2 ISDN Basic Rate interfaces
1 terminal line
2 Virtual Private Network (VPN) Modules
4 Voice FXO interfaces
4 Voice FXS interfaces
1 cisco service engine(s)
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

and the show run:

ip nat translation timeout 30
ip nat translation max-entries 9000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp private_ip_1 22333 interface FastEthernet0/1 22333
ip nat inside source static tcp private_ip_2 80 interface FastEthernet0/1 80
ip nat inside source static tcp private_ip_2 443 interface FastEthernet0/1 443
ip nat inside source static tcp private_ip_3 81 interface FastEthernet0/1 81
ip nat inside source static tcp private_ip_4 22334 interface FastEthernet0/1 22334
ip nat inside source static tcp private_ip_5 3389 interface FastEthernet0/1 3389

access-list 1 permit any

If you need anything else, just say.

bisermilanov
Level 1

bump.

ghagopian
Level 1

Was this issue ever solved? I have a similar issue.
