NAT - Locally originated traffic

From: Danshtr (danshtr@gmail.com)
Date: Thu Jul 21 2005 - 04:51:25 GMT-3

• Next message: richard.harvey@nbs.nhs.uk: "RE: Preventing routing loops in this BGP situation"
• Previous message: Jian Gu: "Re: Preventing routing loops in this BGP situation"
• Next in thread: Danshtr: "Re: NAT - Locally originated traffic"
• Maybe reply: Danshtr: "Re: NAT - Locally originated traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hello,

Have somthing changed in NAT recently? IOS 12.4?

If I configure NAT, and I try to ssh to the interface with "ip nat
outside", the routers tries to nat the reply's.

I have defined a log on the NAT acl, and If I try to initiate a
session to the router (ssh to 194.72.XXX.18) i get:

*Jul 21 08:18:57.489: %SEC-6-IPACCESSLOGP: list acNAT denied tcp
194.72.XXX.18(22) -> XXX.178.175.XXX(2225), 203 packets

WHY the router decised to do NAT for the SSH session???

The config:

------------------------------------------------------------------------------------------------

!
interface Loopback0
 ip address 10.1.2.3 255.255.255.255
!
interface Ethernet0/0
description TO LOCAL LAN
 ip address 10.1.0.9 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 full-duplex
!
interface FastEthernet0/0
description TO INTERNET
 bandwidth 512
 ip address 194.72.XXX.18 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 speed auto
 crypto map cmINT
 service-policy output pm512K
!

!
ip nat pool POOL_NAT 194.72.XXX.19 194.72.XXX.20 prefix-length 24
ip nat inside source list acNAT pool POOL_NAT overload

!without that the isakmp won work!!

ip nat inside source static udp 194.72.XXX.18 500 194.72.XXX.18 500 extendable
ip nat inside source static udp 194.72.XXX.18 4500 194.72.XXX.18 4500 extendable

!dirty access to a device behinf the router
ip nat inside source static tcp 10.1.0.10 22 194.72.XXX.21 9999 extendable
!
!
!
ip access-list extended acNAT
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny tcp any eq 22 any log-input
 deny ip host 193.72.XXX.18 host 199.203.168.1
 deny udp host 194.72.XXX.18 eq isakmp host 199.203.168.1 eq isakmp
 deny udp host 194.72.XXX.18 eq non500-isakmp host 199.203.168.1 eq
non500-isakmp
 
 deny udp host 194.72.XXX.18 eq isakmp any eq isakmp
 deny udp host 194.72.XXX.18 eq non500-isakmp any eq non500-isakmp
 permit ip any any
------------------------------------------------------------------------------------------------

-- 
Best regards,
Dan

• Next message: richard.harvey@nbs.nhs.uk: "RE: Preventing routing loops in this BGP situation"
• Previous message: Jian Gu: "Re: Preventing routing loops in this BGP situation"
• Next in thread: Danshtr: "Re: NAT - Locally originated traffic"
• Maybe reply: Danshtr: "Re: NAT - Locally originated traffic"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3