I own a Catalyst 6506 which is running IOS 12.2. I configured PAT to NAT several internal addresses to one external address. According to the document "Cisco IOS Network Address Translation Overview" (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091cb9.shtml), "PAT will attempt to preserve the original source port (...)". Here is my question: looking at the logs, I notice that PAT always changes the source port, even if it wasn't allocated. Moreover, I have only one test machine on this network. The logs always look like: "wanted 32838 got 1027..., wanted 32839 got 1028...".
Does anyone know why PAT doesn't keep the source port? Is something missing in my configuration?
Besides, is it possible to change the pool of ports used for translation? For instance, is it possible to start from port 1050 rather than the default value of 1024?
I believe there is nothing wrong with your configuration.
The way PAT works is very simple. I'll take a Pix as a reference device.
A computer makes an outside request; when it gets to the Pix, the Pix stores the computer's IP address and source port (which is the application port, e.g. smtp -- 25) in a NAT table. At that point, the Pix assigns an available port number (by the way, it can't be changed) from the port pool as well as the outside IP address. This information is also stored in the NAT table. When the request comes back, the Pix searches the NAT table to find the source port and IP address of the host that made the request associated with the port and outside IP address (assigned by the Pix) and then sends the packet to the specific host.
created edit_context (xxx.235.225.25,32840) -> (xxx.2.0.36,21)
TCP s=32840->1024, d=21
where xxx.xxx.84.225 is my NAT address.
So, Catalyst 6506 tries to keep the source port but it fails. As I look at the translation table (show ip nat translation), I see that the source port isn't allocated, so why didn't the Catalyst keep it?
My big issue is that there's an ACL on a router above my own router. I can't change this ACL, which denies any request to tcp port 1025. So, as long as the Catalyst 6506 NATs on this port, my users won't be able to access the Internet.
That's the reason why I do need to find a workaround.
I'm not sure about the preservation of the original source port in PAT. As per the URL you have provided, it seems that it should.
However, we can work on the problem you mentioned regarding the ACL on the router.
What is the ACL? Is it blocking inbound access to port 1025 or outbound access to port 1025?
If it is blocking outbound access to port 1025, then there shouldn't be any problem, because PAT is not going to change the destination port for the outbound packet originated from your inside network. It only changes the source port and source IP in order to do the PAT translation.
(Assuming that nobody from inside will be accessing a non-standard port on the outside network.)
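To make the NAT-table mechanism and the port-pool behaviour discussed in the two replies above concrete, here is an added toy model (my own example, not Cisco's or the thread's code). It records each inside (IP, port) against one global address and a pool port, keeps the original source port when `preserve_port` is set and the port is free, and reports which translations an upstream ACL denying TCP 1025 would break. The `pool_start` knob only models the workaround the question asks about; the page does not confirm that IOS 12.2 on the 6506 exposes it.

```python
# Toy model of PAT as described in this thread (constructed example, not Cisco code).
# One global address, a port pool with a configurable start (assumption: the page does
# not confirm IOS exposes this), and optional best-effort preservation of the source port.
class PatTable:
    def __init__(self, global_ip, pool_start=1024, pool_end=65535, preserve_port=True):
        self.global_ip = global_ip
        self.pool_start, self.pool_end = pool_start, pool_end
        self.preserve_port = preserve_port
        self.next_port = pool_start
        self.used = set()  # global ports currently allocated on global_ip
        self.out = {}      # (inside_ip, inside_port, dst_ip, dst_port) -> global_port
        self.back = {}     # (global_port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def _allocate(self):
        # Hand out the lowest free port at or above the pool start.
        port = self.next_port
        while port in self.used:
            port += 1
        if port > self.pool_end:
            raise RuntimeError("PAT port pool exhausted")
        self.next_port = port + 1
        return port

    def translate_outbound(self, inside_ip, inside_port, dst_ip, dst_port):
        """Outbound packet: rewrite the source to (global_ip, global_port); destination untouched."""
        key = (inside_ip, inside_port, dst_ip, dst_port)
        if key not in self.out:
            if self.preserve_port and inside_port not in self.used:
                gport = inside_port          # keep the original source port if it is free
            else:
                gport = self._allocate()     # otherwise take one from the pool
            self.used.add(gport)
            self.out[key] = gport
            self.back[(gport, dst_ip, dst_port)] = (inside_ip, inside_port)
        return self.global_ip, self.out[key]

    def translate_inbound(self, global_port, src_ip, src_port):
        """Return packet: recover the inside host from (global_port, remote ip, remote port)."""
        return self.back.get((global_port, src_ip, src_port))


def blocked_by_acl(table, denied_tcp_ports):
    """Translations whose return traffic an upstream ACL denying these TCP ports would drop."""
    return sorted((inside, gport) for (gport, _, _), inside in table.back.items()
                  if gport in denied_tcp_ports)
```

With `preserve_port=False` and the default pool the model reproduces the thread's "wanted 32839 got 1025" pattern, and `blocked_by_acl` flags exactly that translation; raising `pool_start` past 1025 clears the list.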
The ACL blocks returning packets to tcp port 1025.
For instance, I try to connect to a remote site. Catalyst 6506 NATs my internal address on the global address at tcp port 1025 (xxx.xxx.84.225:1025).
The remote site receives my request. When it sends back data, it contacts xxx.xxx.84.225:1025. Unfortunately, the ACL on the campus router denies any tcp packet to port 1025. So, I never receive the response of the remote site and I can't connect to it.
I have two options:
- to understand why PAT doesn't work as it should according to the URL I mentioned.
- to configure the Catalyst to NAT to ports greater than 1025.
I'm not sure on the PAT behavior on preserving the source port and why it is not working like that.
I'm afraid that in this case you need to modify the ACL in the campus router.
I just checked and came to know that TCP 1025 is used for the Microsoft RPC service. Hence, to protect against any incoming attacks on this RPC service, someone might have configured this ACL in your CAMPUS router.
If it is going to block the incoming requests on TCP 1025, better to modify the ACL so that it excludes the PAT IP address and blocks TCP 1025 for all other IP addresses.