Cisco Support Community
New Member

NAT / PAT question

Hi all,

I own a Catalyst 6506 which is running IOS 12.2. I configured PAT to NAT several internal addresses to one external address. According to the document "Cisco IOS Network Address Translation Overview" (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml), "PAT will attempt to preserve the original source port (...)". Here is my question: looking at the logs, I notice that PAT always changes the source port, even if it wasn't allocated. Moreover, I have only one test machine on this network. The logs always look like: "wanted 32838 got 1027..., wanted 32839 got 1028...".

Does anyone know why PAT doesn't keep the source port? Is something missing in my configuration?

Besides, is it possible to change the pool of ports used for translation? For instance, is it possible to start from port 1050 rather than the default value of 1024?

Thanks for your help.

7 REPLIES
New Member

Re: NAT / PAT question

Hi,

I believe there is nothing wrong with your configuration.

The way PAT works is very simple. I'll take a Pix as a reference device.

A computer makes an outside request. When it gets to the Pix, the Pix stores the computer's IP address and source port (which is the application port, e.g. smtp -- 25) in a NAT table. At that point, the Pix assigns an available port number (by the way, it can't be changed) from the port pool as well as the outside IP address. This information is also stored in the NAT table. When the request comes back, the Pix searches the NAT table to find the source port and IP address of the host that made the request, associated with the port and outside IP address (assigned by the Pix), and then sends the packet to the specific host.

Take a look at this link for more information:

http://en.wikipedia.org/wiki/Port_address_translation

Let me know if it helps.
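The table-driven mechanism the reply describes (inside address and port stored against an assigned outside port, reverse lookup on the return path), together with the "attempt to preserve the original source port" rule the question quotes from the Cisco overview, as an added toy model in Python. This is illustration code written for this thread, not Cisco IOS or PIX code; the `pool_start` and `excluded_ports` knobs are assumptions added here to show what a configurable pool would look like (the reply states the real pool cannot be changed), and the addresses are constructed documentation-range values.

```python
"""Toy PAT translator: many inside hosts behind one outside address.

Added illustration for this thread, not Cisco code. The inside (ip, port)
-> outside port mapping is the "NAT table"; translate_in() is the reverse
lookup done for returning packets. pool_start / excluded_ports are
assumed knobs for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class PatTable:
    outside_ip: str
    pool_start: int = 1024            # default pool start mentioned in the thread
    pool_end: int = 65535
    preserve_source_port: bool = True  # the rule quoted from the Cisco overview
    excluded_ports: frozenset = frozenset()  # e.g. ports an upstream ACL denies (assumed knob)
    _out: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> outside port
    _in: dict = field(default_factory=dict)   # outside port -> (inside_ip, inside_port)
    _next: int = field(init=False)

    def __post_init__(self):
        self._next = self.pool_start

    def _port_free(self, port):
        return port not in self._in and port not in self.excluded_ports

    def translate_out(self, src_ip, src_port):
        """Outbound: return (outside_ip, outside_port), creating the entry if needed."""
        key = (src_ip, src_port)
        if key in self._out:                      # existing flow, reuse its entry
            return self.outside_ip, self._out[key]
        if self.preserve_source_port and self._port_free(src_port):
            chosen = src_port                     # "wanted X got X"
        else:
            chosen = self._allocate()             # "wanted X got Y" fallback
        self._out[key] = chosen
        self._in[chosen] = key
        return self.outside_ip, chosen

    def _allocate(self):
        """Linear scan of the pool from the current cursor, wrapping once."""
        for _ in range(self.pool_end - self.pool_start + 1):
            p = self._next
            self._next = self.pool_start if p >= self.pool_end else p + 1
            if self._port_free(p):
                return p
        raise RuntimeError("PAT pool exhausted")

    def translate_in(self, dst_port):
        """Return path: map the outside port back to the inside (ip, port)."""
        try:
            return self._in[dst_port]
        except KeyError:
            raise LookupError(f"no translation for {self.outside_ip}:{dst_port}")


if __name__ == "__main__":
    # Constructed sample: two inside hosts using the same ephemeral port.
    pat = PatTable("198.51.100.225")
    print(pat.translate_out("192.0.2.25", 32838))   # first host keeps 32838
    print(pat.translate_out("192.0.2.26", 32838))   # collision -> pool port 1024
    print(pat.translate_in(1024))                   # reverse lookup
```

With `preserve_source_port=True` a second inside host reusing an already-mapped source port is the only case that falls back to the pool; with it off, every flow is assigned from the pool in order, which is the "wanted 32838 got 1027, wanted 32839 got 1028" pattern the question reports.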

New Member

Re: NAT / PAT question

Hi,

Thanks for your response and for your help. I own a Pix too. It works fine. It changes the source port to a port belonging to the port pool.

But the Catalyst 6506 doesn't behave as it should. In the logs, I see this:

(...) wanted 32838 got 1027 (...)

Allocated Port for xxx.235.225.25 -> xxx.xxx.84.225: wanted 32840 got 1024

i: tcp (xxx.235.225.25, 32840) -> (xxx.2.0.36, 21) [27171]

created edit_context (xxx.235.225.25,32840) -> (xxx.2.0.36,21)

TCP s=32840->1024, d=21

where xxx.xxx.84.225 is my NAT address.

So, the Catalyst 6506 tries to keep the source port but it fails. When I look at the translation table (show ip nat translation), I see that the source port isn't allocated, so why didn't the Catalyst keep it?

My big issue is that there's an ACL on a router above my own router. I can't change this ACL, which denies any request to tcp port 1025. So, as long as the Catalyst 6506 NATs on this port, my users won't be able to access the Internet.

That's the reason why I do need to find a workaround.

Thanks for helping.
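The log lines quoted in this post ("Allocated Port for ... wanted X got Y") are what tell you whether the source port was preserved and which outside ports the box actually picked. As an added example (written for this thread, not a Cisco tool), the following Python parses such lines and flags any allocation that landed on a port the upstream ACL denies on the return path. The sample log below is constructed from the format shown in the post, with documentation-range addresses substituted for the masked ones; the denied-port set is the single port named in the post.

```python
"""Audit IOS NAT debug output for allocations that an upstream ACL will break.

Added example for this thread, not Cisco code. Parses the
"Allocated Port for A -> B: wanted W got G" lines shown in the post and
reports (a) whether the source port was preserved and (b) which outside
ports fall in a set an upstream ACL denies on the return path.
"""
import re
from dataclasses import dataclass

# Matches the allocation line format quoted in the post.
ALLOC_RE = re.compile(
    r"Allocated Port for (?P<inside>\S+) -> (?P<outside>\S+): "
    r"wanted (?P<wanted>\d+) got (?P<got>\d+)"
)


@dataclass(frozen=True)
class Allocation:
    inside: str
    outside: str
    wanted: int   # original source port
    got: int      # outside port the router actually assigned

    @property
    def preserved(self) -> bool:
        return self.wanted == self.got


def parse_allocations(lines):
    """Extract Allocation records; non-matching debug lines are ignored."""
    found = []
    for line in lines:
        m = ALLOC_RE.search(line)
        if m:
            found.append(Allocation(m["inside"], m["outside"],
                                    int(m["wanted"]), int(m["got"])))
    return found


def preservation_rate(allocations):
    """Fraction of allocations where the source port was kept (0.0 if none)."""
    if not allocations:
        return 0.0
    return sum(a.preserved for a in allocations) / len(allocations)


def audit(allocations, denied_ports):
    """Allocations whose outside port the upstream ACL drops on the way back."""
    return [a for a in allocations if a.got in denied_ports]


# Constructed sample in the format shown in the post (addresses are
# documentation-range placeholders for the masked ones in the thread).
SAMPLE_LOG = """\
Allocated Port for 192.0.2.25 -> 198.51.100.225: wanted 32838 got 1027
Allocated Port for 192.0.2.25 -> 198.51.100.225: wanted 32839 got 1028
Allocated Port for 192.0.2.25 -> 198.51.100.225: wanted 32840 got 1024
i: tcp (192.0.2.25, 32840) -> (203.0.113.36, 21) [27171]
created edit_context (192.0.2.25,32840) -> (203.0.113.36,21)
TCP s=32840->1024, d=21
Allocated Port for 192.0.2.25 -> 198.51.100.225: wanted 32841 got 1025
""".splitlines()

# Port the campus ACL denies, as stated in the post.
DENIED_PORTS = frozenset({1025})


if __name__ == "__main__":
    allocs = parse_allocations(SAMPLE_LOG)
    print(f"{len(allocs)} allocations, preservation rate {preservation_rate(allocs):.0%}")
    for a in audit(allocs, DENIED_PORTS):
        print(f"BROKEN: {a.inside}:{a.wanted} -> {a.outside}:{a.got} (ACL denies {a.got})")
```

Run against real `debug ip nat detailed` output, the audit list is the set of flows whose replies will never arrive; an empty list with a preservation rate near 100% would be the behaviour the quoted Cisco document leads you to expect.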

Re: NAT / PAT question

Hi,

I'm not sure about the preservation of the original source port in PAT. As per the URL you have provided, it seems that it should.

However, we can work on the problem mentioned by you regarding the ACL on the router.

What is the ACL? Is it blocking inbound access to port 1025 or outbound access to port 1025?

If it is blocking outbound access to port 1025, then there shouldn't be any problem, because PAT is not going to change the destination port for the outbound packet originated from your inside network. It only changes the source port and source IP in order to do the PAT translation.

(Assuming that nobody from inside will be accessing a non-standard port on the outside network.)

HTH

-VJ

New Member

Re: NAT / PAT question

Hi vijayasankar,

Thanks for your help.

The ACL blocks returning packets to tcp port 1025.

For instance, I try to connect to a remote site. Catalyst 6506 NATs my internal address on the global address at tcp port 1025 (xxx.xxx.84.225:1025).

The remote site receives my request. When it sends back data, it contacts xxx.xxx.84.225:1025. Unfortunately, the ACL on the campus router denies any tcp packet to port 1025. So, I never receive the response of the remote site and I can't connect to it.

I have two options:

- to understand why PAT doesn't work as it should according to the URL I mentioned.

- to configure the Catalyst to NAT to ports greater than 1025.

Thierry.

Re: NAT / PAT question

Hi Thierry,

Thanks for the update.

I'm not sure about the PAT behavior on preserving the source port and why it is not working like that.

I'm afraid that in this case you need to modify the ACL in the campus router.

I just checked and came to know that TCP 1025 is used for the Microsoft RPC service. Hence, to protect against any incoming attacks on this RPC service, someone might have configured this ACL in your campus router.

If it is going to block the incoming requests on TCP 1025, it is better to modify the ACL so that it excludes the PAT IP address and blocks TCP 1025 for all other IP addresses.

HTH

-VJ

New Member

Re: NAT / PAT question

Hi,

Indeed, tcp port 1025 is used by the Microsoft RPC service. This port was previously blocked on the campus router because of the Dasher virus.

It will be difficult to negotiate and obtain that this ACL excludes our network. If it is possible, we will be able to set our own policy. As you said, we will exclude the PAT IP address.

Many thanks for your help. I've contacted Cisco Tech Support. I'll keep you informed about the behavior of the IOS NAT support.

Thierry.
