packet showing up on port 0 when I telnet to port 80?

I have a GNS3 LAB with 3 routers.

I am trying to do a reversible NAT for several thousands of ports to the server (R1). For this purpose, I try to telnet from R3 to R1 on any port (let's say 80 in this instance). I have an ACL (outside-in) set up on the interface of R2 to log the traffic, and I see that a packet goes through on port "0".

Why do we have a packet showing up on port 0 when I telnet to port 80?

R2#
!
!
ip nat inside source static 1.1.1.1 63.175.69.29 route-map inbound reversible
!
route-map inbound permit 10
 match ip address nat
!
route-map inbound deny 20
!
ip access-list extended nat
 permit tcp any eq www any
 permit tcp any range 60000 64999 any log
 deny tcp any any log
!
!

R3# telnet 63.175.69.29 80
!(unless the ACL has permit any any, I get rejected, (below))

R2#
*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
R2#
R2#
*Mar 1 01:48:26.051: NAT(acl): name nat failed

When coming from inside, the NAT works, and the first packet shows the correct port.

R2#
*Mar 1 00:57:02.879: %SEC-6-IPACCESSLOGP: list nat permitted tcp 1.1.1.1(61804) -> 3.3.3.3(80), 1 packet

When coming from outside, the NAT doesn't work, I think because the first packet shows the incorrect port (0).

R3#telnet 63.175.69.29 80 /source Loopback0

R2(config-ext-nacl)#
*Mar 1 00:49:32.051: %SEC-6-IPACCESSLOGP: list nat permitted tcp 1.1.1.1(0) -> 3.3.3.3(0), 1 packet

Thanks, Crzzy1

Reply to
Chris Roberts

You haven't shown us what ACL outside-in is, but if it doesn't look at port numbers itself, you won't get the information in the log message.

IOS isn't going to waste time collecting stuff you've already told it you aren't interested in.

Reply to
Martin Gallagher

That is right. To resolve this, put something like this:

deny tcp any any eq 1 log

before the

deny tcp any any log

Reply to
Rob

Here is the ACL (it is on the outside interface), and it logs any TCP ports. That is why it logged that there is a packet coming in on port

ip access-list extended outside-in
 permit tcp any any log
 permit ip any any log

*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet

There are no packets coming in on port 1, so I am curious why you think that will help. My question is: when telnetting from the outside to port 80, I am seeing a packet come in on port 0, then seeing a packet on port 80.

Thanks,

Reply to
Chris Roberts

Just try it and you will see.

Because, just like the other poster said, as long as you don't refer to a port number anywhere in your ACL, the router will not extract the port number from the packet and it will log the zero value.

Reply to
Rob

I tried it; still the ACL at the interface registers TCP port 0 (not 1). Then when it hits the NAT ACL, it gets rejected.

(I am suspecting that the port 0 issue is not the problem, but I don't understand why the "nat" ACL is getting hit twice for each time I try: once on the permit, once on the end deny statement.)

R2#sh access-l nat
Extended IP access list nat
    10 permit tcp any eq www any (1 match)
    20 permit tcp any range 60000 64999 any log (3 matches)
    30 deny tcp any any eq 1 log
    40 deny tcp any any log (6 matches)

R2#

*Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet
R2#
*Mar 1 00:21:42.099: NAT(acl): name nat failed
*Mar 1 00:21:42.099: NAT: Matches reverse map inbound (deny)
*Mar 1 00:21:42.107: NAT: map match inbound
*Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp 10.1.1.95(0) -> 23.23.23.24(0), 1 packet

Reply to
Chris Roberts

You should NOT be using log on an ACL used for NAT.

NAT works in the CEF/fast path and ACL logging punts packets to process. It tends to break NAT.

Take the logging off and use the NAT debugs to see what NAT is doing.

Here you are seeing the port numbers at the interface ACL.

Reply to
Martin Gallagher
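As an added example (not posted by anyone in this thread), a small parser for the %SEC-6-IPACCESSLOGP lines quoted above: it separates hits that carry real port numbers from hits logged as (0) -> (0), which, as Rob explains, are ports the router never extracted because no entry in that ACL names a port. The sample lines are the ones quoted in the thread, and the regex assumes the message shape shown there.

```python
import re
from dataclasses import dataclass

# %SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

@dataclass
class AclHit:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int
    def ports_unresolved(self) -> bool:
        # (0) -> (0) means no entry in that ACL names a port, so the ports were never extracted.
        return self.proto in ("tcp", "udp") and self.sport == 0 and self.dport == 0

def parse_acl_log(line: str) -> "AclHit | None":
    m = LOG_RE.search(line)
    if not m:
        return None  # NAT(acl)/debug lines have a different shape and are skipped
    g = m.groupdict()
    return AclHit(g["acl"], g["action"], g["proto"], g["src"], int(g["sport"]),
                  g["dst"], int(g["dport"]), int(g["count"]))

def summarize(lines: list) -> dict:
    """Per ACL, count packets logged with real ports vs. logged as (0) -> (0)."""
    out: dict = {}
    for line in lines:
        hit = parse_acl_log(line)
        if hit is None:
            continue
        bucket = out.setdefault(hit.acl, {"resolved": 0, "unresolved": 0})
        bucket["unresolved" if hit.ports_unresolved() else "resolved"] += hit.count
    return out

# Log lines as quoted in the thread (sample input, not a live capture).
SAMPLE = [
    "*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet",
    "*Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet",
    "*Mar 1 00:21:42.099: NAT(acl): name nat failed",
    "*Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp 10.1.1.95(0) -> 23.23.23.24(0), 1 packet",
]
```

Running summarize(SAMPLE) shows one resolved and one unresolved hit on outside-in and one unresolved hit on nat, so a zero-port entry is a sign to read the ACL's own entries before concluding anything about the traffic.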
