sh ip nat translations

Unanswered Question
Jun 14th, 2007

When I run show ip nat translations on our gateway router, it comes up with an Inside Local IP address that does not belong to our local network. See attached. It does not belong to any of our users or static routes (we don't use a dynamic routing protocol), nor is it a configured interface on the router.

Is there a way I can trace which VLAN this IP is coming from? Before, this network was flooding our NAT pool and I had to deny ip any any.

spremkumar Thu, 06/14/2007 - 19:59


The best way and also as you desire in dealing with this would be tweaking the access-list attached to the NAT statement..

Do deny the ip block which is not required to access the pool and permit the remaining blocks..


anandramapathy Thu, 06/14/2007 - 20:05

Try putting a sniffer onto the router's inside VLAN and do a capture. You will get more info.

What have you defined for your Inside pool ?

Is it ?

I suggest that you define only your internal networks. By this the router will NAT only the required IPs from your LAN.
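The two answers above boil down to one check: every inside-local address in the NAT table should fall inside a network you actually own, and the NAT access-list should only permit those networks. The script below is an added example written for this thread, not code posted by anyone in it. It parses constructed sample output in the layout of show ip nat translations (documentation addresses plus the 192.168.1.x block the original poster saw), flags entries whose inside-local address is outside the assumed internal prefixes, counts how many translations each rogue host is holding, and prints the kind of access-list lines spremkumar and anandramapathy describe. The internal prefixes, the ACL name NAT_INSIDE and the /24 aggregation of rogue hosts are all assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the column layout of `show ip nat translations`.
# 10.10.20.0/24 and 10.10.30.0/24 play the role of the legitimate LANs;
# 192.168.1.77 plays the rogue inside-local host from the thread.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:1025   10.10.20.15:1025   198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1026   192.168.1.77:4001  198.51.100.7:80    198.51.100.7:80
tcp 203.0.113.5:1027   192.168.1.77:4002  198.51.100.7:80    198.51.100.7:80
udp 203.0.113.5:53000  10.10.30.8:53000   198.51.100.53:53   198.51.100.53:53
--- 203.0.113.9        10.10.20.2         ---                ---
tcp 203.0.113.5:1028   192.168.1.77:4003  198.51.100.7:25    198.51.100.7:25
"""

# Assumed list of networks that are allowed to use the NAT pool.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.20.0/24", "10.10.30.0/24")]

# Five whitespace-separated columns: protocol, inside global, inside local,
# outside local, outside global (static entries use "---" as placeholders).
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def strip_port(field):
    """Drop a trailing :port; static translations carry no port."""
    return field.rsplit(":", 1)[0] if ":" in field else field


def parse_translations(text):
    """Return one dict per translation row, skipping the header and blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Pro "):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        entries.append({
            "proto": proto,
            "inside_global": strip_port(ig),
            "inside_local": strip_port(il),
            "outside_local": strip_port(ol),
            "outside_global": strip_port(og),
        })
    return entries


def is_internal(addr):
    """True when addr lies inside one of the networks we own."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_unexpected(entries):
    """Translations whose inside-local address is not from a known internal network."""
    return [e for e in entries if not is_internal(e["inside_local"])]


def summarize(unexpected):
    """How many translations each unexpected inside-local host is holding."""
    return Counter(e["inside_local"] for e in unexpected)


def suggest_acl(unexpected, name="NAT_INSIDE"):
    """Build extended-ACL lines: deny each rogue /24 (assumed aggregation), permit internal nets.

    IOS wildcard masks are the inverse of the netmask, which ipaddress exposes as hostmask.
    """
    rogue_nets = sorted(
        {ipaddress.ip_network(e["inside_local"] + "/24", strict=False) for e in unexpected},
        key=lambda n: int(n.network_address),
    )
    lines = [f"ip access-list extended {name}"]
    for n in rogue_nets:
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    for n in INTERNAL_NETWORKS:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    return lines


if __name__ == "__main__":
    entries = parse_translations(SAMPLE_OUTPUT)
    bad = find_unexpected(entries)
    for host, count in summarize(bad).most_common():
        print(f"unexpected inside local {host}: {count} translation(s)")
    print("\n".join(suggest_acl(bad)))
```

In practice you would feed the script the real command output (for example from a scheduled show ip nat translations capture) and keep INTERNAL_NETWORKS in step with the networks that are routed on the inside interfaces; any inside-local address that the script flags is one the NAT ACL should never have matched, and the count per host gives an idea of how much of the pool it is consuming.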

Peter Valdes Thu, 06/14/2007 - 22:01

Thanks for the replies.

The NAT pool is now secure, with only specific network addresses permitted to use the NAT.

Apart from we use the rest of the network.


deny ip any

permit ip any

Although, I would still like to know where this network is coming from and how this unknown user got to use our Internet without having any connected interface to that specific /24 block.

anandramapathy Thu, 06/14/2007 - 22:17

if there is a single subnet in your office, try assigning a static IP from that pool & then try to ping that machine with the command

ping -a 192.168.1.X

It should resolve the hostname if it is a Windows machine.

If there are multiple VLANs, try putting Ethereal randomly in the VLANs and see where the packets for 192.168.1.x are coming from.

HTH please rate all useful posts

Peter Valdes Sun, 06/17/2007 - 21:12


The network 192.168.1.x/24 does not exist in our local network but is still showing up as inside local.


After reading some of the logs, I think, but am not 100% sure, that this is a TCP SYN flooding attack. It has the same symptoms described in the Cisco doco: "target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It is also possible for the traffic that returns from the target host to cause trouble on routers".

Any ideas?


Timor_SSS Mon, 06/18/2007 - 01:18

This is an obvious configuration issue.

Please post the running-config. If you're concerned about security, change your WAN IPs.
