Velocity Reviews

Cisco forum thread: UDP source ports using PAT (NAT overload) (http://www.velocityreviews.com/forums/t34879-udp-source-ports-using-pat-nat-overload.html)

Greg Grimes 08-10-2004 12:40 AM

UDP source ports using PAT (NAT overload)
 
Hi Everyone,

I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
the Ethernet interfaces is set up to use NAT. The problem is that my
company is writing a small application that uses UDP. The app uses a
single, specific source port address and calls a specific, static port
number at one remote address. The problem is that the external
interface of the router opens the exact same port number on the
external interface for each connection rather than opening a random
one. This causes the obvious problems with socket identification at
the other end and scuttles communication.

Does anyone have an idea of how I could get the router to function the
way that I believe it is supposed to by default?

Thanks,

Greg

Greg Grimes 08-10-2004 04:31 PM

Re: UDP source ports using PAT (NAT overload)
 
One mistake below. The client app uses a random port number, but
multiple clients will often end up using the same source port number.
This is when we run into problems.

gabrielshorn@hotmail.com (Greg Grimes) wrote in message news:<1a21c427.0408091640.23f3b1bc@posting.google.com>...
> Hi Everyone,
>
> I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
> the Ethernet interfaces is set up to use NAT. The problem is that my
> company is writing a small application that uses UDP. The app uses a
> single, specific source port address and calls a specific, static port
> number at one remote address. The problem is that the external
> interface of the router opens the exact same port number on the
> external interface for each connection rather than opening a random
> one. This causes the obvious problems with socket identification at
> the other end and scuttles communication.
>
> Does anyone have an idea of how I could get the router to function the
> way that I believe it is supposed to by default?
>
> Thanks,
>
> Greg


Martin Gallagher 08-11-2004 11:11 AM

Re: UDP source ports using PAT (NAT overload)
 
On Tue, 10 Aug 2004 09:31:25 -0700, Greg Grimes wrote:

> gabrielshorn@hotmail.com (Greg Grimes) wrote in message
> news:<1a21c427.0408091640.23f3b1bc@posting.google.com>...
>> Hi Everyone,
>>
>> I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
>> the Ethernet interfaces is set up to use NAT. The problem is that my
>> company is writing a small application that uses UDP. The app uses a
>> single, specific source port address and calls a specific, static port
>> number at one remote address. The problem is that the external
>> interface of the router opens the exact same port number on the
>> external interface for each connection rather than opening a random
>> one. This causes the obvious problems with socket identification at the
>> other end and scuttles communication.
>>
>> Does anyone have an idea of how I could get the router to function the
>> way that I believe it is supposed to by default?
>>

> One mistake below. The client app uses a random port number, but
> multiple clients will often end up using the same source port number.
> This is when we run into problems.
>
>

Shouldn't matter. If two or more clients use the same source port, the
PAT router will use the same port # for the first, if it can, and then
different ones for the rest.

So if three clients, A, B and C choose port 2137 as their source, then
after PAT the server might see them as D:2137, D:2138 and D:2139 and there
is no confusion, unless your app also uses the port # somewhere else in
the payload. The NAT router won't change that and the server might see
the three clients as the same.

Perhaps if you provide a sanitised config and a show ip nat trans that
illustrates the problem, it will become clearer.

--
Rgds,
Martin
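
Added example (not from the thread, and not Cisco code): a small Python model of the PAT port-allocation behaviour Martin describes, with three inside hosts A, B and C all choosing source port 2137 toward one server. Assumptions: the translator keeps the inside port when it is free for that destination and otherwise takes the next higher free port (IOS's real allocator is range-based and may pick differently); the outside address 203.0.113.1, the inside hosts and the server 198.51.100.10:5000 are constructed. The datagram payload also carries the client's own port number, to show the caveat at the end of Martin's reply: only the UDP/IP header is rewritten, so the server cannot tell the three clients apart by payload. A reply to a port with no binding is returned as None, which is the router dropping unsolicited inbound traffic rather than guessing an inside host.

```python
"""Toy model of PAT (NAT overload) port allocation (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "203.0.113.1"                 # constructed stand-in for host "D"
SERVER = ("198.51.100.10", 5000)           # constructed remote server

# An inside flow is identified by its inside socket plus the destination socket.
Flow = Tuple[str, int, str, int]


@dataclass
class PatTable:
    outside_ip: str
    forward: Dict[Flow, int] = field(default_factory=dict)          # flow -> outside port
    reverse: Dict[Tuple[int, str, int], Flow] = field(default_factory=dict)  # (outside port, dst ip, dst port) -> flow
    max_port: int = 65535

    def translate_out(self, src_ip, src_port, dst_ip, dst_port) -> Tuple[str, int]:
        """Outbound datagram: reuse the binding if present, else allocate one.
        Assumption: keep the inside port when free for this destination, otherwise
        take the next higher free port (IOS's real allocator is range-based)."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.forward:
            return self.outside_ip, self.forward[flow]
        port = src_port
        while (port, dst_ip, dst_port) in self.reverse:
            port += 1
            if port > self.max_port:
                raise RuntimeError("no free outside port")
        self.forward[flow] = port
        self.reverse[(port, dst_ip, dst_port)] = flow
        return self.outside_ip, port

    def translate_in(self, dst_port, src_ip, src_port) -> Optional[Tuple[str, int]]:
        """Inbound datagram to outside_ip:dst_port from src; None means no binding,
        so the router drops it instead of guessing an inside host."""
        flow = self.reverse.get((dst_port, src_ip, src_port))
        return None if flow is None else (flow[0], flow[1])


def send(pat: PatTable, src_ip: str, src_port: int, payload: bytes):
    """What the server sees after one outbound datagram crosses the PAT router.
    Only the UDP/IP header is rewritten; the payload passes untouched."""
    out_ip, out_port = pat.translate_out(src_ip, src_port, *SERVER)
    return out_ip, out_port, payload


def demo() -> Tuple[PatTable, List[Tuple[str, int, bytes]]]:
    """Three constructed inside hosts (A, B, C) all pick source port 2137."""
    pat = PatTable(OUTSIDE_IP)
    seen = []
    for client in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        # the app also writes its own source port into the payload
        seen.append(send(pat, client, 2137, b"client-port=2137"))
    return pat, seen


if __name__ == "__main__":
    table, observed = demo()
    for ip, port, body in observed:
        print(f"server sees {ip}:{port} payload={body!r}")
    print("reply to 2138 goes to", table.translate_in(2138, *SERVER))
```

Run it and the server-side view is D:2137, D:2138 and D:2139 with three identical payloads; the header ports distinguish the clients, the payload does not. The binding key includes the destination, so a fourth host could still be given outside port 2137 toward a different server, which is why a single PAT address rarely runs out of ports in practice.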

Greg Grimes 08-16-2004 10:26 PM

Re: UDP source ports using PAT (NAT overload)
 
"Martin Gallagher" <mgallagh@notme.zeta.org.au> wrote in message news:<pan.2004.08.11.11.11.02.886324@notme.zeta.org.au>...
> On Tue, 10 Aug 2004 09:31:25 -0700, Greg Grimes wrote:
>
> > gabrielshorn@hotmail.com (Greg Grimes) wrote in message
> > news:<1a21c427.0408091640.23f3b1bc@posting.google.com>...
> >> Hi Everyone,
> >>
> >> I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
> >> the Ethernet interfaces is set up to use NAT. The problem is that my
> >> company is writing a small application that uses UDP. The app uses a
> >> single, specific source port address and calls a specific, static port
> >> number at one remote address. The problem is that the external
> >> interface of the router opens the exact same port number on the
> >> external interface for each connection rather than opening a random
> >> one. This causes the obvious problems with socket identification at the
> >> other end and scuttles communication.
> >>
> >> Does anyone have an idea of how I could get the router to function the
> >> way that I believe it is supposed to by default?
> >>

> > One mistake below. The client app uses a random port number, but
> > multiple clients will often end up using the same source port number.
> > This is when we run into problems.
> >
> >

> Shouldn't matter. If two or more clients use the same source port, the
> PAT router will use the same port # for the first, if it can, and then
> different ones for the rest.
>
> So if three clients, A, B and C choose port 2137 as their source, then
> after PAT the server might see them as D:2137, D:2138 and D:2139 and there
> is no confusion, unless your app also uses the port # somewhere else in
> the payload. The NAT router won't change that and the server might see
> the three clients as the same.
>
> Perhaps if you provide a sanitised config and a show ip nat trans that
> illustrates the problem, it will become clearer.


Hi Martin,

Sorry for the delayed response. Here's my sanitized config.

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname PTM
!
logging queue-limit 100
enable secret 5 <removed>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain lookup
!
no ip bootp server
!
!
!
!
!
!
!
interface Ethernet0
 ip address 172.XX.XX.XX 255.255.255.240
 full-duplex
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 description connected to Internet
 ip address 61.XX.XX.XX 255.255.255.252
 ip access-group 101 in
 ip nat outside
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
!
ip nat inside source list 1 interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip http server
no ip http secure-server
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 101 permit tcp any any established
access-list 101 permit udp any host 192.168.1.5 eq ntp
access-list 101 permit tcp any host 62.XX.XX.XX eq ftp
access-list 101 permit tcp any host 62.XX.XX.XX eq ftp-data
access-list 101 deny udp any any range 0 1030
access-list 101 deny tcp any any range 0 1030
access-list 101 deny tcp any any range 6000 6100
access-list 101 deny udp any any range 6000 6100
access-list 101 deny tcp any any range 5000 5003
access-list 101 deny tcp any any eq 1080
access-list 101 deny tcp any any eq 8080
access-list 101 deny icmp any any echo
access-list 101 deny tcp any any eq 1720
access-list 101 permit ip any any
!
!
line con 0
 exec-timeout 0 0
 password 7 <removed>
 login
line aux 0
 password 7 <removed>
 login
line vty 0 4
 access-class 1 in
 password 7 <removed>
 login
!
no scheduler allocate
end


Thanks,

Greg
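
Added example, not part of the thread: a Python evaluator for the numbered extended-ACL syntax in the config above, used to check what ACL 101 does to the UDP return traffic of a PAT session. IOS evaluates the inbound ACL on the outside interface before it translates the outside-global address back to the inside host, so the packet is matched on its destination as it appears on the wire: the Serial0 address and the PAT-allocated port. The addresses 61.0.0.1 (standing in for the sanitised 61.XX.XX.XX), 62.0.0.1 (for 62.XX.XX.XX) and 198.51.100.10 (the remote server) are constructed placeholders, and the ACL text is a copy of the posted one with those substitutions.

```python
"""Evaluate IOS numbered extended-ACL lines against a packet (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ntp": 123, "ftp": 21, "ftp-data": 20}   # subset of IOS port keywords

# Constructed copy of ACL 101 from the config; 62.0.0.1 stands in for 62.XX.XX.XX.
ACL_101 = """
access-list 101 permit tcp any any established
access-list 101 permit udp any host 192.168.1.5 eq ntp
access-list 101 permit tcp any host 62.0.0.1 eq ftp
access-list 101 permit tcp any host 62.0.0.1 eq ftp-data
access-list 101 deny udp any any range 0 1030
access-list 101 deny tcp any any range 0 1030
access-list 101 deny tcp any any range 6000 6100
access-list 101 deny udp any any range 6000 6100
access-list 101 deny tcp any any range 5000 5003
access-list 101 deny tcp any any eq 1080
access-list 101 deny tcp any any eq 8080
access-list 101 deny icmp any any echo
access-list 101 deny tcp any any eq 1720
access-list 101 permit ip any any
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str
    dport: Optional[range] = None       # None: any destination port
    established: bool = False           # TCP "established": ACK or RST set
    icmp_type: Optional[str] = None     # e.g. "echo"


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A | A wildcard) starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(t[i + 1]))          # wildcard = inverted mask
    mask = str(ipaddress.ip_address((~wild) & 0xFFFFFFFF))
    return ipaddress.ip_network((t[i], mask), strict=False), i + 2


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str, number: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", number]:
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rule = Rule(t[2], t[3], src, dst, line)
        if i < len(t):                                  # optional qualifier
            if t[i] == "eq":
                p = _port(t[i + 1])
                rule.dport = range(p, p + 1)
            elif t[i] == "range":
                rule.dport = range(_port(t[i + 1]), _port(t[i + 2]) + 1)
            elif t[i] == "established":
                rule.established = True
            elif t[3] == "icmp":
                rule.icmp_type = t[i]
        rules.append(rule)
    return rules


def evaluate(rules, proto, src, dst, dport=None, ack=False, icmp_type=None):
    """First-match evaluation ending in the implicit deny, as IOS does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and (dport is None or dport not in r.dport):
            continue
        if r.established and not ack:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action, r.text
    return "deny", "implicit deny"


SERIAL0 = "61.0.0.1"          # constructed stand-in for 61.XX.XX.XX
SERVER = "198.51.100.10"      # constructed remote server address


def udp_return_allowed(rules, pat_port: int) -> bool:
    """Would a UDP reply to the PAT-allocated port pass ACL 101 inbound on Serial0?"""
    return evaluate(rules, "udp", SERVER, SERIAL0, dport=pat_port)[0] == "permit"


if __name__ == "__main__":
    acl = parse_acl(ACL_101, "101")
    for port in (2137, 1030, 1031):
        print(port, evaluate(acl, "udp", SERVER, SERIAL0, dport=port))
```

Two things this check turns up on the posted config. Because PAT keeps the inside source port when it can, a client that happens to pick a source port of 1030 or below has its replies dropped by `deny udp any any range 0 1030`, while 1031 and above pass; that is a plausible cause of intermittent failures that looks like a NAT problem. And `permit udp any host 192.168.1.5 eq ntp` can never match on Serial0, since before translation an inbound packet's destination is the Serial0 address, not the inside host.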
