From: Danshtr (danshtr@gmail.com)
Date: Thu Jul 21 2005 - 08:32:21 GMT-3
I think I found the solution.
IOS does not support "permit ip any any" with NAT
On 7/21/05, Danshtr <danshtr@gmail.com> wrote:
> Hello,
>
> Has something changed in NAT recently? IOS 12.4?
>
> If I configure NAT and try to SSH to the interface with "ip nat
> outside", the router tries to NAT the replies.
>
> I have defined a log on the NAT ACL, and if I try to initiate a
> session to the router (ssh to 194.72.XXX.18) I get:
>
> *Jul 21 08:18:57.489: %SEC-6-IPACCESSLOGP: list acNAT denied tcp
> 194.72.XXX.18(22) -> XXX.178.175.XXX(2225), 203 packets
>
>
> WHY did the router decide to do NAT for the SSH session???
>
>
> The config:
>
> ------------------------------------------------------------------------------------------------
>
> !
> interface Loopback0
> ip address 10.1.2.3 255.255.255.255
> !
> interface Ethernet0/0
> description TO LOCAL LAN
> ip address 10.1.0.9 255.255.255.252
> ip nat inside
> ip virtual-reassembly
> full-duplex
> !
> interface FastEthernet0/0
> description TO INTERNET
> bandwidth 512
> ip address 194.72.XXX.18 255.255.255.240
> ip nat outside
> ip virtual-reassembly
> load-interval 30
> speed auto
> crypto map cmINT
> service-policy output pm512K
> !
>
>
> !
> ip nat pool POOL_NAT 194.72.XXX.19 194.72.XXX.20 prefix-length 24
> ip nat inside source list acNAT pool POOL_NAT overload
>
>
> !without that the isakmp won't work!!
>
> ip nat inside source static udp 194.72.XXX.18 500 194.72.XXX.18 500 extendable
> ip nat inside source static udp 194.72.XXX.18 4500 194.72.XXX.18 4500 extendable
>
> !dirty access to a device behind the router
> ip nat inside source static tcp 10.1.0.10 22 194.72.XXX.21 9999 extendable
> !
> !
> !
> ip access-list extended acNAT
> deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
> deny tcp any eq 22 any log-input
> deny ip host 193.72.XXX.18 host 199.203.168.1
> deny udp host 194.72.XXX.18 eq isakmp host 199.203.168.1 eq isakmp
> deny udp host 194.72.XXX.18 eq non500-isakmp host 199.203.168.1 eq non500-isakmp
>
> deny udp host 194.72.XXX.18 eq isakmp any eq isakmp
> deny udp host 194.72.XXX.18 eq non500-isakmp any eq non500-isakmp
> permit ip any any
> ------------------------------------------------------------------------------------------------
>
>
> --
>
>
> Best regards,
> Dan
>
--
Best regards,
Dan
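An added example, not from Dan's post: the same NAT ACL scoped to inside source addresses instead of "permit ip any any", which is the usual way to keep packets sourced from the router's own outside address (the SSH replies in the log above) from being evaluated for translation at all. It assumes the inside hosts live in 10.0.0.0/8, as the existing 10/8-to-10/8 deny line implies; the VPN exemption, pool and overload statement are kept as posted, and the identity static entries for UDP 500/4500 are left as in the post.

```cisco
! Added example, not the original config. Assumption: inside hosts are in
! 10.0.0.0/8 (as the posted "deny ip 10.0.0.0 0.255.255.255 ..." line implies).
ip access-list extended acNAT
 ! keep site-to-site VPN traffic between the 10/8 networks out of NAT
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 ! translate only packets sourced from inside hosts; packets sourced from
 ! the router's outside address 194.72.XXX.18 (SSH replies, ISAKMP) no
 ! longer match, so the "deny tcp any eq 22 log-input" workaround and its
 ! per-packet logging are not needed
 permit ip 10.0.0.0 0.255.255.255 any
!
ip nat pool POOL_NAT 194.72.XXX.19 194.72.XXX.20 prefix-length 24
ip nat inside source list acNAT pool POOL_NAT overload
```

After applying it, an SSH session to 194.72.XXX.18 should produce no entry in `show ip nat translations` and no further %SEC-6-IPACCESSLOGP lines for acNAT.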
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3