1 Reply   Latest reply: Dec 2, 2011 11:07 AM by Conwyn

    Complex NAT, but misses route-map..?

    Stephen

      Hi Guys,

       

This customer has the most horrid port forwarding I've ever seen on his router, lol. Anyway, the port forwarding issue lies with: 10.24.0.102 --> 77.89.181.59

       

I've highlighted all the important stuff in red.

       

      ip nat inside source static tcp 10.24.0.111 1723 77.89.181.59 1723 extendable

      ip nat inside source static tcp 10.24.0.8 8080 77.89.181.59 8080 extendable

      ip nat inside source static tcp 10.24.0.10 16766 77.89.181.59 16766 extendable

      ip nat inside source static tcp 10.24.0.10 16767 77.89.181.59 16767 extendable

      ip nat inside source static tcp 10.24.0.10 16768 77.89.181.59 16768 extendable

      ip nat inside source static tcp 10.24.0.10 16769 77.89.181.59 16769 extendable

      ip nat inside source static tcp 10.24.0.10 16770 77.89.181.59 16770 extendable

      ip nat inside source static tcp 10.24.0.10 16771 77.89.181.59 16771 extendable

      ip nat inside source static tcp 10.24.0.108 3389 77.89.181.59 42663 extendable

      ip nat inside source static tcp 10.24.0.35 3389 77.89.181.59 42664 extendable

      ip nat inside source static 10.24.0.102 77.89.181.59 route-map portforwarding

       

      route-map portforwarding permit 10

      match ip address 101

       

      Customer#sh access-lists 101

      Extended IP access list 101

          10 deny ip any host 10.24.0.102 fragments

          20 permit udp host 10.24.0.102 any range 7100 7111

          30 permit udp host 10.24.0.102 any range 7300 7311

          40 permit udp host 10.24.0.102 any range 6000 6047

          50 permit udp host 10.24.0.102 any range 8000 8047

          60 permit udp host 10.24.0.102 any range 9000 9047

          70 permit udp host 10.24.0.102 any eq 5060

          80 permit udp host 10.24.0.102 any eq 4010

          90 permit tcp host 10.24.0.102 any eq 4010


      I now did a test, connecting to 77.89.181.59 on port 200 (which is outside the range of the ports that are forwarded by ACL 101), and as you can see, for some reason it gets translated:

       

Customer#sh ip nat translations | i 77.89.181.59

      tcp 77.89.181.59:8080  10.24.0.8:8080     ---                ---

      tcp 77.89.181.59:16766 10.24.0.10:16766   ---                ---

      tcp 77.89.181.59:16767 10.24.0.10:16767   ---                ---

      tcp 77.89.181.59:16768 10.24.0.10:16768   ---                ---

      tcp 77.89.181.59:16769 10.24.0.10:16769   ---                ---

      tcp 77.89.181.59:16770 10.24.0.10:16770   ---                ---

      tcp 77.89.181.59:16771 10.24.0.10:16771   ---                ---

      tcp 77.89.181.59:42664 10.24.0.35:3389    ---                ---

      tcp 77.89.181.59:200   10.24.0.102:200    69.163.149.200:52929 69.163.149.200:52929

      tcp 77.89.181.59:200   10.24.0.102:200    69.163.149.200:52932 69.163.149.200:52932

      tcp 77.89.181.59:200   10.24.0.102:200    69.163.149.200:52935 69.163.149.200:52935

      tcp 77.89.181.59:42663 10.24.0.108:3389   ---                ---

      tcp 77.89.181.59:1723  10.24.0.111:1723   ---                ---

      --- 77.89.181.59       10.24.0.102        ---                ---


      Customer#SH ROUTE-MAP

      route-map portforwarding, permit, sequence 10

        Match clauses:

          ip address (access-lists): 101

        Set clauses:

        Policy routing matches: 0 packets, 0 bytes

       

      Customer#sh access-list 101

      Extended IP access list 101

          10 deny ip any host 10.24.0.102 fragments

          20 permit udp host 10.24.0.102 any range 7100 7111

          30 permit udp host 10.24.0.102 any range 7300 7311

          40 permit udp host 10.24.0.102 any range 6000 6047

          50 permit udp host 10.24.0.102 any range 8000 8047

          60 permit udp host 10.24.0.102 any range 9000 9047

          70 permit udp host 10.24.0.102 any eq 5060

          80 permit udp host 10.24.0.102 any eq 4010

          90 permit tcp host 10.24.0.102 any eq 4010

      (notice there are 0 hits on every line)


      Customer#sh ver

      Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)

      Technical Support: http://www.cisco.com/techsupport

      Copyright (c) 1986-2010 by Cisco Systems, Inc.

      Compiled Fri 29-Oct-10 00:02 by prod_rel_team

      ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)


It just looks like the whole IP of 10.24.0.102 is port-forwarded to 77.89.181.59, skipping the route map. Can anyone explain why this is?


      Regards,

      Stephen
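An added example, not part of the post above and not Cisco code: a small evaluator for the extended ACL entries quoted in the post, used to check which flows ACL 101 can actually match. It implements only the keywords that appear in ACL 101 (ip/tcp/udp, any, host, eq, range, fragments) plus wildcard masks, models unfragmented packets only, and applies the implicit deny at the end of every IOS ACL. Every permit line in ACL 101 keys on source host 10.24.0.102 and on a destination port range, so only traffic sourced by that host (inside to outside, before translation) can match; the outside peer addresses in the sample flows are constructed for the demonstration.

```python
"""Evaluate Cisco IOS extended ACL entries against sample flows.

Added example, not Cisco code. Supports the keywords used in ACL 101
from the post (ip/tcp/udp, any, host, eq, range, fragments) and
address/wildcard pairs. Unfragmented packets only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
PortRange = Optional[Tuple[int, int]]  # inclusive (lo, hi); None = any port


@dataclass
class Ace:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange
    fragments: bool    # 'fragments' keyword: matches non-initial fragments only


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tok: List[str], i: int):
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # address followed by an IOS wildcard (host) mask, e.g. 10.24.0.0 0.0.0.255
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok: List[str], i: int):
    if i < len(tok) and tok[i] == "eq":
        p = int(tok[i + 1])
        return (p, p), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one 'show access-lists' entry: seq action proto src [port] dst [port] [fragments]."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    src, i = _parse_addr(tok, 3)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Ace(seq, action, proto, src, sport, dst, dport, "fragments" in tok[i:])


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.fragments:                      # unfragmented packets never hit a 'fragments' entry
        return False
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    return _port_ok(ace.sport, flow.sport) and _port_ok(ace.dport, flow.dport)


def evaluate(acl: List[Ace], flow: Flow):
    """Return (action, seq) of the first matching entry, or ("deny", None) for the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action, ace.seq
    return "deny", None


# ACL 101 exactly as shown in the post
ACL_101 = """
10 deny ip any host 10.24.0.102 fragments
20 permit udp host 10.24.0.102 any range 7100 7111
30 permit udp host 10.24.0.102 any range 7300 7311
40 permit udp host 10.24.0.102 any range 6000 6047
50 permit udp host 10.24.0.102 any range 8000 8047
60 permit udp host 10.24.0.102 any range 9000 9047
70 permit udp host 10.24.0.102 any eq 5060
80 permit udp host 10.24.0.102 any eq 4010
90 permit tcp host 10.24.0.102 any eq 4010
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    # Constructed sample flows; 69.163.149.200 is the tester from the post, the others are made up
    samples = {
        "inside 10.24.0.102 -> SIP peer":      Flow("udp", "10.24.0.102", 5060, "198.51.100.10", 5060),
        "outside -> 10.24.0.102:200 (post)":   Flow("tcp", "69.163.149.200", 52929, "10.24.0.102", 200),
        "outside -> 10.24.0.102:7100":         Flow("udp", "203.0.113.5", 7100, "10.24.0.102", 7100),
    }
    for label, f in samples.items():
        print(f"{label}: {evaluate(acl, f)}")
```

Running it shows the outbound SIP flow hitting sequence 70, while both inbound flows, including the port-200 test from the post and even an inbound packet to one of the listed port ranges, fall through to the implicit deny, because their source is the outside host rather than 10.24.0.102.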