Cisco Support Community
Community Member

Help with Static UDP PAT on 2901/K9

Good day,

 

I am having trouble setting up a PAT rule for a UDP-based service on our 2901/K9. I have a server that presents its services on ports 9090 TCP and 9090 UDP. It works fine within the network, but outside the network I cannot get the UDP side working. Not sure what is tripping this up. On our ASA I would use Packet Tracer to help find the issue, but since the 2901 does not have that I have not been able to find the issue.

The applicable rules look like this (below); the TCP-related rules are working but the UDP ones do not seem to be working at all.

 

ip nat inside source static tcp <PRIVATE IP> 9090 <PUBLIC IP> 9090 extendable

ip nat inside source static udp <PRIVATE IP> 9090 <PUBLIC IP> 9090 extendable

 

ip access-list extended INFILTER
permit tcp any host <PUBLIC IP> eq 9090

permit udp any host <PUBLIC IP> eq 9090

 

ip access-list extended OUTFILTER
permit tcp any any

permit udp any any

 

The firewall app is in use with the default UDP and TCP inspection filter (along with dns rtsp etc), but I don't think there is anything in the inspections tied to this specific udp port.

 

Any help would be appreciated !

 

Dave

8 REPLIES
Community Member


Hi Dave,

Your NAT looks good.  Can you post any debugs of the UDP NAT or show command output from your ACLs or NAT hits?

Community Member


Hello Jefe,

It's a production router (24/7) so I hesitate to run debugs on it. Not sure how to see the ACL or NAT hits; would definitely appreciate pointers on that.

Community Member (accepted solution)


Wish I had a router running IOS doing NAT right now... Sigh.

- 'show access-list'

- 'show ip nat translations'

Community Member


Jefe,

 

Below is the output. Nothing leaps out other than the complete lack of hits.

(and my redundant items on the outbound list)

show access-list (sanitized and only showing this IP)

Extended IP access list INFILTER
    50 permit icmp any any (524 matches)
    240 permit tcp any host <Host Public IP> eq www (137238 matches)
    250 permit tcp any host <Host Public IP> eq 3389 (837752 matches)
    280 permit tcp any eq 443 host <Host Public IP> eq 443
    390 permit tcp any host <Host Public IP> eq www (22259 matches)
    460 permit tcp any host <Host Public IP> eq 9090
    470 permit tcp any host <Host Public IP> eq 5060
    480 permit udp any host <Host Public IP> eq 5060 (4 matches)
    490 permit udp any host <Host Public IP> eq 9090

Extended IP access list NAT
    10 permit ip 192.168.0.0 0.0.0.255 any (31425 matches)

Extended IP access list OUTFILTER
    10 permit ip any any (739803 matches)
    20 permit tcp any any
    30 permit udp host 192.168.0.104 any
    40 permit udp host 192.168.0.100 any
    50 permit udp any any

 

sh ip nat translations

Pro Inside global      Inside local       Outside local      Outside global
tcp <Host Public IP>:80 192.168.0.104:80   164.77.39.167:50025 164.77.39.167:50025
tcp <Host Public IP>:80 192.168.0.104:80   164.77.39.167:50026 164.77.39.167:50026
tcp <Host Public IP>:80 192.168.0.104:80   164.77.39.167:50027 164.77.39.167:50027
tcp <Host Public IP>:80 192.168.0.104:80   165.182.186.131:51844 165.182.186.131:51844
tcp <Host Public IP>:80 192.168.0.104:80   165.182.186.131:62163 165.182.186.131:62163
tcp <Host Public IP>:80 192.168.0.104:80   ---                ---
tcp <Host Public IP>:5060 192.168.0.104:5060 ---              ---
udp <Host Public IP>:5060 192.168.0.104:5060 ---              ---
tcp <Host Public IP>:9090 192.168.0.104:9090 ---              ---
udp <Host Public IP>:9090 192.168.0.104:9090 ---              ---
tcp <Host Public IP>:3460 192.168.0.106:3460 ---              ---

 

Other 
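The zero hit counters in the paste above are the whole diagnostic, so here is an added example (not from the thread and not Cisco code) that parses the two outputs the accepted answer asks for and reports, for every static NAT entry, whether an inbound ACE exists for it and how many packets that ACE has matched. The embedded output is constructed in the same shape as the sanitized paste: 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for the real public IPs, and the PORT_NAMES table is an assumption covering only the IOS port keywords this sample needs.

```python
"""Correlate 'show access-list' hit counters with static NAT entries (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output, shaped like the thread's sanitized paste.
# 203.0.113.10 is a documentation address standing in for <Host Public IP>.
SHOW_ACCESS_LIST = """\
Extended IP access list INFILTER
    240 permit tcp any host 203.0.113.10 eq www (137238 matches)
    460 permit tcp any host 203.0.113.10 eq 9090
    470 permit tcp any host 203.0.113.10 eq 5060
    480 permit udp any host 203.0.113.10 eq 5060 (4 matches)
    490 permit udp any host 203.0.113.10 eq 9090
Extended IP access list OUTFILTER
    10 permit ip any any (739803 matches)
"""
SHOW_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:80    192.168.0.104:80   198.51.100.7:50025 198.51.100.7:50025
tcp 203.0.113.10:80    192.168.0.104:80   ---                ---
tcp 203.0.113.10:5060  192.168.0.104:5060 ---                ---
udp 203.0.113.10:5060  192.168.0.104:5060 ---                ---
tcp 203.0.113.10:9090  192.168.0.104:9090 ---                ---
udp 203.0.113.10:9090  192.168.0.104:9090 ---                ---
"""

# IOS prints well-known ports by name (assumed subset; extend for your ACLs).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22, "smtp": 25}

# A TCP/UDP ACE permitting traffic to one host. IOS omits the "(N matches)"
# suffix entirely when the counter is zero, which is the case we care about.
ACE_RE = re.compile(
    r"^\s*\d+\s+permit\s+(?P<proto>tcp|udp)\s+any(?:\s+eq\s+\S+)?"
    r"\s+host\s+(?P<ip>[\d.]+)\s+eq\s+(?P<port>\S+)"
    r"(?:\s+\((?P<hits>\d+)\s+matches\))?"
)
# A row of 'show ip nat translations'; static entries show '---' for outside.
NAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<gip>[\d.]+):(?P<gport>\d+)\s+[\d.]+:\d+"
    r"\s+(?P<ol>\S+)\s+(?P<og>\S+)"
)


def port_number(token: str) -> int:
    """Turn an IOS port token ('www' or '9090') into a number."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown IOS port name {token!r}; extend PORT_NAMES")


def parse_access_lists(text: str) -> Dict[Tuple[str, str, str, int], int]:
    """Hit counter keyed by (acl, proto, host ip, port) for each permit ACE."""
    hits: Dict[Tuple[str, str, str, int], int] = {}
    acl = None
    for line in text.splitlines():
        header = re.match(r"^Extended IP access list (\S+)", line)
        if header:
            acl = header.group(1)
            continue
        m = ACE_RE.match(line)
        if m and acl:
            key = (acl, m["proto"], m["ip"], port_number(m["port"]))
            # First matching ACE wins in IOS, so keep the lowest-sequence one.
            hits.setdefault(key, int(m["hits"] or 0))
    return hits


def parse_static_nat(text: str) -> List[Tuple[str, str, int]]:
    """(proto, inside-global ip, port) for each static translation row."""
    rows = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m and m["ol"] == "---" and m["og"] == "---":
            rows.append((m["proto"], m["gip"], int(m["gport"])))
    return rows


def audit(acl_text: str, nat_text: str,
          inbound_acl: str = "INFILTER") -> Dict[Tuple[str, int], Optional[int]]:
    """Map (proto, public port) of each static PAT entry to the hit count of
    the inbound ACE that should permit it, or None if no ACE permits it."""
    aces = parse_access_lists(acl_text)
    return {(proto, port): aces.get((inbound_acl, proto, gip, port))
            for proto, gip, port in parse_static_nat(nat_text)}


def report(acl_text: str, nat_text: str) -> List[str]:
    """One verdict line per static entry, sorted by (proto, port)."""
    out = []
    for (proto, port), hits in sorted(audit(acl_text, nat_text).items()):
        if hits is None:
            out.append(f"{proto}/{port}: static NAT but no inbound ACE permits it")
        elif hits == 0:
            out.append(f"{proto}/{port}: ACE present, 0 matches: nothing reached the router")
        else:
            out.append(f"{proto}/{port}: {hits} matches, reachable from outside")
    return out


if __name__ == "__main__":
    print("\n".join(report(SHOW_ACCESS_LIST, SHOW_NAT)))
```

To run it against a real router, paste the two command outputs into the two strings or read them from files. An ACE that fronts a static translation but has never matched means the router never saw that traffic from outside, which is why the thread ends at an upstream filter and a DNS answer pointing elsewhere rather than at the NAT configuration itself.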

Community Member


I noticed you're in the 400+ range with your INFILTER ACL; any chance this is an order of operations issue? For example, are you hitting another rule lower in the ACL?

Community Member


I don't think so.

The others are all specific to the public IPs and they are solely permits so they should not apply to this particular IP/Port. There are no other UDP rules other than for port 53 on the other hosts.

I am going to check if our provider has any upstream UDP filters in place, I cannot account for this so far. Do you know of any global settings that would affect only UDP (I don't remember any in this router, but I'm looking through the config again now).

 

Dave

Cisco Employee


Hello Dave,

What kind of application are you using? It might be the NAT ALG dropping this connection.

In other cases ISPs tend to block certain ports; have you checked with them and made sure you can get to that port from the outside world?

Regards,

Alex Sanchez

CCIE R&S #37454

Community Member


Hi Alex and Jefe,

Found the problem. It was a combination of an external filter (switched the UDP port of the app) and a split DNS issue sending external users to a different IP. The first only clobbered UDP, the second clobbered all external access.

Went through everything one step at a time last night and found both issues.

Jefe, thanks for suggesting looking at access-list hits; it was the zero count on the TCP NAT that made me look at DNS, since even with UDP issues the DNS should have matched the hits on UDP.

Even though it wasn't the 'precise' issue I am marking your response as correct because it pointed me in the right direction.

Thanks to both of you for your help !

 

Dave

 
