1639 Views, 1 Reply. Latest reply: Dec 2, 2011 11:07 AM by Conwyn

Complex NAT, but misses route-map..?

Dec 2, 2011 3:18 AM

Stephen (488 posts since Apr 22, 2011)

Hi Guys,

This customer has the most horrid port forwarding I've ever seen on his router lol. Anyway, the port forwarding issue lies with: 10.24.0.102 --> 77.89.181.59

I've highlighted all the important stuff in red:

ip nat inside source static tcp 10.24.0.111 1723 77.89.181.59 1723 extendable
ip nat inside source static tcp 10.24.0.8 8080 77.89.181.59 8080 extendable
ip nat inside source static tcp 10.24.0.10 16766 77.89.181.59 16766 extendable
ip nat inside source static tcp 10.24.0.10 16767 77.89.181.59 16767 extendable
ip nat inside source static tcp 10.24.0.10 16768 77.89.181.59 16768 extendable
ip nat inside source static tcp 10.24.0.10 16769 77.89.181.59 16769 extendable
ip nat inside source static tcp 10.24.0.10 16770 77.89.181.59 16770 extendable
ip nat inside source static tcp 10.24.0.10 16771 77.89.181.59 16771 extendable
ip nat inside source static tcp 10.24.0.108 3389 77.89.181.59 42663 extendable
ip nat inside source static tcp 10.24.0.35 3389 77.89.181.59 42664 extendable
ip nat inside source static 10.24.0.102 77.89.181.59 route-map portforwarding

route-map portforwarding permit 10
 match ip address 101

Customer#sh access-lists 101
Extended IP access list 101
    10 deny ip any host 10.24.0.102 fragments
    20 permit udp host 10.24.0.102 any range 7100 7111
    30 permit udp host 10.24.0.102 any range 7300 7311
    40 permit udp host 10.24.0.102 any range 6000 6047
    50 permit udp host 10.24.0.102 any range 8000 8047
    60 permit udp host 10.24.0.102 any range 9000 9047
    70 permit udp host 10.24.0.102 any eq 5060
    80 permit udp host 10.24.0.102 any eq 4010
    90 permit tcp host 10.24.0.102 any eq 4010

I now did a test, connecting to 77.89.181.59 on port 200 (which is outside the range of the ports that are forwarded by ACL 101), and as you can see, for some reason it gets translated:

Customer#sh ip nat translations | i 77.89.184.59
tcp 77.89.181.59:8080  10.24.0.8:8080     ---                ---
tcp 77.89.181.59:16766 10.24.0.10:16766   ---                ---
tcp 77.89.181.59:16767 10.24.0.10:16767   ---                ---
tcp 77.89.181.59:16768 10.24.0.10:16768   ---                ---
tcp 77.89.181.59:16769 10.24.0.10:16769   ---                ---
tcp 77.89.181.59:16770 10.24.0.10:16770   ---                ---
tcp 77.89.181.59:16771 10.24.0.10:16771   ---                ---
tcp 77.89.181.59:42664 10.24.0.35:3389    ---                ---
tcp 77.89.181.59:200   10.24.0.102:200    69.163.149.200:52929 69.163.149.200:52929
tcp 77.89.181.59:200   10.24.0.102:200    69.163.149.200:52932 69.163.149.200:52932
tcp 77.89.181.59:200   10.24.0.102:200    69.163.149.200:52935 69.163.149.200:52935
tcp 77.89.181.59:42663 10.24.0.108:3389   ---                ---
tcp 77.89.181.59:1723  10.24.0.111:1723   ---                ---
--- 77.89.181.59       10.24.0.102        ---                ---

Customer#SH ROUTE-MAP
route-map portforwarding, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Customer#sh access-list 101
Extended IP access list 101
    10 deny ip any host 10.24.0.102 fragments (notice there are 0 hits here for each line)
    20 permit udp host 10.24.0.102 any range 7100 7111 (notice there are 0 hits here)
    30 permit udp host 10.24.0.102 any range 7300 7311 (notice there are 0 hits here)
    40 permit udp host 10.24.0.102 any range 6000 6047 (notice there are 0 hits here)
    50 permit udp host 10.24.0.102 any range 8000 8047 (notice there are 0 hits here)
    60 permit udp host 10.24.0.102 any range 9000 9047 (notice there are 0 hits here)
    70 permit udp host 10.24.0.102 any eq 5060 (notice there are 0 hits here)
    80 permit udp host 10.24.0.102 any eq 4010 (notice there are 0 hits here)
    90 permit tcp host 10.24.0.102 any eq 4010 (notice there are 0 hits here)

Customer#sh ver
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 29-Oct-10 00:02 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

It just looks like the whole IP of 10.24.0.102 ---is-port-forwarded-to---> 77.89.181.59, skipping the route map. Can anyone explain why this is?

Regards,

Stephen
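Added here as an illustration, not from the post or from Cisco: a small Python audit that parses the static NAT lines and ACL 101 exactly as posted, lists which static entries cover a given outside address and port, and evaluates ACL 101 first-match for a flow. For the port-200 test it reports that only the address-level entry for 10.24.0.102 covers that port and that no ACE permits the flow in either direction, consistent with the zero hit counts; the regexes cover only the syntax on this page, not general IOS ACL grammar.

```python
import re  # the config strings below are constructed from the post: two of the static NAT lines and all of ACL 101
NAT_CONFIG = """\
ip nat inside source static tcp 10.24.0.108 3389 77.89.181.59 42663 extendable
ip nat inside source static 10.24.0.102 77.89.181.59 route-map portforwarding
"""
ACL_101 = """\
10 deny ip any host 10.24.0.102 fragments
20 permit udp host 10.24.0.102 any range 7100 7111
30 permit udp host 10.24.0.102 any range 7300 7311
40 permit udp host 10.24.0.102 any range 6000 6047
50 permit udp host 10.24.0.102 any range 8000 8047
60 permit udp host 10.24.0.102 any range 9000 9047
70 permit udp host 10.24.0.102 any eq 5060
80 permit udp host 10.24.0.102 any eq 4010
90 permit tcp host 10.24.0.102 any eq 4010
"""
PORT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ADDR_RE = re.compile(r"ip nat inside source static (\S+) (\S+)(?: route-map (\S+))?")
ACE_RE = re.compile(r"(\d+) (permit|deny) (\w+) (any|host \S+) (any|host \S+)(?: eq (\d+)| range (\d+) (\d+))?( fragments)?$")
def parse_static_nat(text):
    """Port-level entries carry an outside port; the address-level entry (outport None) covers every port."""
    rules = []
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            rules.append({"proto": m[1], "inside": m[2], "outside": m[4], "outport": int(m[5])})
        elif m := ADDR_RE.match(line):
            rules.append({"proto": "any", "inside": m[1], "outside": m[2], "outport": None, "route_map": m[3]})
    return rules
def parse_acl(text):
    """Subset of IOS extended-ACL syntax as used in ACL 101: src/dst are 'any' or 'host X'; eq/range is the destination port."""
    aces = []
    for line in text.splitlines():
        if m := ACE_RE.match(line.strip()):
            lo, hi = (int(m[6]), int(m[6])) if m[6] else ((int(m[7]), int(m[8])) if m[7] else (None, None))
            aces.append((int(m[1]), m[2], m[3], m[4].replace("host ", ""), m[5].replace("host ", ""), lo, hi, bool(m[9])))
    return aces
def acl_action(aces, proto, src, dst, dport, fragment=False):
    """First-match evaluation with the implicit deny; a 'fragments' ACE matches only non-initial fragments."""
    for seq, action, aproto, asrc, adst, lo, hi, frag_only in aces:
        if (aproto not in ("ip", proto) or asrc not in ("any", src) or adst not in ("any", dst)
                or (frag_only and not fragment) or (lo is not None and not lo <= dport <= hi)):
            continue
        return seq, action
    return None, "deny"
def static_entries_for(rules, proto, outside, outport):  # static entries whose outside address (and port) cover this destination
    return [r for r in rules if r["outside"] == outside
            and (r["outport"] is None or (r["proto"] == proto and r["outport"] == outport))]
RULES, ACES = parse_static_nat(NAT_CONFIG), parse_acl(ACL_101)
# The post's test: 69.163.149.200:52929 -> 77.89.181.59:200/tcp, reply from 10.24.0.102:200. Only the address-level entry covers port 200.
print(static_entries_for(RULES, "tcp", "77.89.181.59", 200), acl_action(ACES, "tcp", "10.24.0.102", "69.163.149.200", 52929))
```

Any port-specific entry on 77.89.181.59 is also covered by the address-level 10.24.0.102 entry, which is what the audit surfaces when you query a forwarded port such as 42663.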
