Cisco Support Community
IP NAT debugging

Does anyone know what kind of message this is?

May 16 10:59:49.774: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.99 42482 17
May 16 11:10:18.716: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57244 17
May 16 11:10:18.716: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57244 17
May 16 11:10:20.214: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57288 17
May 16 11:10:20.214: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57288 17
May 16 11:10:21.713: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57302 17
May 16 11:10:21.713: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57302 17

1 REPLY

Re: IP NAT debugging

Hi Petronio,

Traditionally, packet filters like ACLs are applied to the non-fragments and the initial fragment of an IP packet because they contain both Layer 3 and 4 information that the ACLs can match against for a permit or deny decision. Non-initial fragments are traditionally allowed through the ACL because they can be blocked based on Layer 3 information in the packets; however, because these packets do not contain Layer 4 information, they do not match the Layer 4 information in the ACL entry, if it exists. Allowing the non-initial fragments of an IP datagram through is acceptable because the host receiving the fragments is not able to reassemble the original IP datagram without the initial fragment.

Types of ACL Entries

There are six different types of ACL lines, and each has a consequence if a packet does or does not match. In the following list, FO = 0 indicates a non-fragment or an initial fragment in a TCP flow, FO > 0 indicates that the packet is a non-initial fragment, L3 means Layer 3, and L4 means Layer 4.

Note: When there is both Layer 3 and Layer 4 information in the ACL line and the fragments keyword is present, the ACL action is conservative for both permit and deny actions. The actions are conservative because you do not want to accidentally deny a fragmented portion of a flow because the fragments do not contain sufficient information to match all of the filter attributes. In the deny case, instead of denying a non-initial fragment, the next ACL entry is processed. In the permit case, it is assumed that the Layer 4 information in the packet, if available, matches the Layer 4 information in the ACL line.

Please check out the link below for more info.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800949b8.shtml

Thanks,

satish
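As an added example (not from the thread or from Cisco), a small Python parser for the "NAT: fo N, looking for fragment" lines in the question: it converts the fragment offset from 8-byte units into bytes, flags FO = 0 versus FO > 0 as described in the reply, and groups the fragments per datagram. Reading the trailing fields as source, destination, IP identification and protocol number is an assumption, not something the debug output documents.

```python
import re
from collections import defaultdict

# Constructed sample: three of the debug lines quoted in the question.
SAMPLE_LOG = """\
May 16 10:59:49.774: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.99 42482 17
May 16 11:10:18.716: NAT: fo 185, looking for fragment 172.20.0.136 192.168.200.98 57244 17
May 16 11:10:18.716: NAT: fo 370, looking for fragment 172.20.0.136 192.168.200.98 57244 17
"""

# Assumed layout of the trailing fields: src dst ip-id proto (an assumption about the format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): NAT: fo (?P<fo>\d+), looking for fragment "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<ipid>\d+) (?P<proto>\d+)$"
)


def parse_line(line):
    """Return a dict for one debug line, or None if the line is not a fragment message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fo = int(m["fo"])
    return {
        "ts": m["ts"],
        "fo": fo,
        "offset_bytes": fo * 8,   # the IP fragment-offset field counts 8-byte units
        "initial": fo == 0,       # FO = 0: non-fragment or initial fragment (carries the L4 header)
        "src": m["src"],
        "dst": m["dst"],
        "ipid": int(m["ipid"]),
        "proto": int(m["proto"]),
    }


def summarize(text):
    """Group fragments by (src, dst, ip-id, proto) and note whether the head fragment was logged."""
    datagrams = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            datagrams[(rec["src"], rec["dst"], rec["ipid"], rec["proto"])].append(rec)
    return {
        key: {
            "offsets": sorted(r["offset_bytes"] for r in recs),
            "initial_seen": any(r["initial"] for r in recs),
        }
        for key, recs in datagrams.items()
    }
```

With the sample above, every logged fragment is a non-initial one (offsets 1480 and 2960 bytes, i.e. the second and third pieces of a datagram split at a 1500-byte MTU), which is exactly the case where NAT has to look up the head fragment to find the Layer 4 ports.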
