Velocity Reviews - Computer Hardware Reviews



packet showing up on port 0 when I telnet to port 80?

 
 
Chris Roberts
      07-20-2011
I have a GNS3 LAB with 3 routers.

I am trying to do a reversible NAT for several thousand ports to
the server (R1). For this purpose I try to telnet from R3 to R1 on
any port (let's say 80 in this instance).
I have an ACL (outside-in) set up on the interface of R2 to log the
traffic, and I see that a packet goes through on port "0".

Why do we have a packet showing up on port 0 when I telnet to port 80?
!
!
R2#ip nat inside source static 1.1.1.1 63.175.69.29 route-map inbound
reversible
route-map inbound permit 10
match ip address nat
!
route-map inbound deny 20
!
ip access-list extended nat
permit tcp any eq www any
permit tcp any range 60000 64999 any log
deny tcp any any log
!
!
R3# telnet 63.175.69.29 80
! (unless the ACL has permit any any, I get rejected; see below)
R2#
*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
R2#
R2#
*Mar 1 01:48:26.051: NAT(acl): name nat failed

When coming from inside, the nat works, and the first packet shows the
correct port.
R2#*Mar 1 00:57:02.879: %SEC-6-IPACCESSLOGP: list nat permitted tcp
1.1.1.1(61804) -> 3.3.3.3(80), 1 packet

When coming from outside, the nat doesn't work, I think because the
first packet shows the incorrect port (0).
R3#telnet 63.175.69.29 80 /source Loopback0
R2(config-ext-nacl)#*Mar 1 00:49:32.051: %SEC-6-IPACCESSLOGP: list
nat permitted tcp 1.1.1.1(0) -> 3.3.3.3(0), 1 packet

Thanks,
Crzzy1

 
Martin Gallagher
      07-21-2011
Chris Roberts wrote:

> I have an ACL (outside-in) set up on the interface of R2 to log the
> traffic. and I see that a packet goes through on port "0"
>


You haven't shown us what ACL outside-in is, but if it doesn't look at port
numbers itself, you won't get the information in the log message.

IOS isn't going to waste time collecting stuff you've already told it you
aren't interested in.

--
Rgds,
Martin
 
Rob
      07-21-2011
Martin Gallagher <> wrote:
> Chris Roberts wrote:
>
>> I have an ACL (outside-in) set up on the interface of R2 to log the
>> traffic. and I see that a packet goes through on port "0"
>>

>
> You haven't shown us what ACL outside-in is, but if it doesn't look at port
> numbers itself, you won't get the information in the log message.
>
> IOS isn't going to waste time collecting stuff you've already told it you
> aren't interested in.


That is right. To resolve this, put something like this:

deny tcp any any eq 1 log

before the

deny tcp any any log
 
Chris Roberts
      07-22-2011
On Jul 21, 5:32 am, Rob <nom...@example.com> wrote:
> Martin Gallagher <mgall...@zeta.org.au> wrote:
> > Chris Roberts wrote:

>
> >> I have an ACL (outside-in) set up on the interface of R2 to log the
> >> traffic. and I see that a packet goes through on port "0"

>
> > You haven't shown us what ACL outside-in is, but if it doesn't look at port
> > numbers itself, you won't get the information in the log message.

>
> > IOS isn't going to waste time collecting stuff you've already told it you
> > aren't interested in.

>
> That is right.  To resolve this, put something like this:
>
> deny tcp any any eq 1 log
>
> before the
>
> deny tcp any any log


Here is the acl (it is on the outside interface), and it logs any TCP
ports. That is why it logged that there is a packet coming in on port
0.

ip access-list extended outside-in
permit tcp any any log
permit ip any any log


*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet

There are no packets coming in on port 1, so I am curious why you
think that will help.
My question is: when telnetting from the outside to port 80, I am seeing
a packet come in on port 0, then seeing a packet on port 80.

Thanks,
 
Rob
      07-22-2011
Chris Roberts <> wrote:
> On Jul 21, 5:32 am, Rob <nom...@example.com> wrote:
>> Martin Gallagher <mgall...@zeta.org.au> wrote:
>> > Chris Roberts wrote:

>>
>> >> I have an ACL (outside-in) set up on the interface of R2 to log the
>> >> traffic. and I see that a packet goes through on port "0"

>>
>> > You haven't shown us what ACL outside-in is, but if it doesn't look at port
>> > numbers itself, you won't get the information in the log message.

>>
>> > IOS isn't going to waste time collecting stuff you've already told it you
>> > aren't interested in.

>>
>> That is right.  To resolve this, put something like this:
>>
>> deny tcp any any eq 1 log
>>
>> before the
>>
>> deny tcp any any log

>
> Here is the acl (it is on the outside interface), and it logs any TCP
> ports. That is why it logged that there is a packet coming in on port
> 0.
>
> ip access-list extended outside-in
> permit tcp any any log
> permit ip any any log
>
>
> *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
> tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
>
> There are no packets coming in on port 1, so I am curious why you
> think that will help.


Just try it and you will see.

> My question is: when telnetting from the outside to port 80, I am seeing
> a packet come in on port 0, then seeing a packet on port 80.


Because, just like the other poster said, as long as you don't refer
to a port number anywhere in your ACL, the router will not extract
the port number from the packet and it will log the zero value.
 
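Rob's point, that a port of 0 in an IPACCESSLOGP entry means the ACL never extracted the port and not that a port-0 packet arrived, is easy to misread when triaging router logs. As an added example (not code from this thread or from any poster), the following Python parses the %SEC-6-IPACCESSLOGP format quoted above and flags ACLs whose every logged entry carries port 0 on both sides, so their port fields are treated as unknown rather than as real port-0 traffic; the sample lines are constructed by rejoining the thread's own wrapped log lines.

```python
import re
from collections import defaultdict

# Pattern for the IOS %SEC-6-IPACCESSLOGP message format seen in the thread:
#   list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: the thread's log lines rejoined, plus one NAT debug line that must be skipped.
SAMPLE_LOG = [
    "*Mar  1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet",
    "*Mar  1 00:57:02.879: %SEC-6-IPACCESSLOGP: list nat permitted tcp 1.1.1.1(61804) -> 3.3.3.3(80), 1 packet",
    "*Mar  1 00:49:32.051: %SEC-6-IPACCESSLOGP: list nat permitted tcp 1.1.1.1(0) -> 3.3.3.3(0), 1 packet",
    "*Mar  1 01:48:26.051: NAT(acl): name nat failed",
]

def parse_acl_log(line):
    """Parse one IPACCESSLOGP line into a dict; return None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    # Both ports zero means IOS did not extract them, not that port 0 was used.
    rec["ports_known"] = not (rec["sport"] == 0 and rec["dport"] == 0)
    return rec

def summarize(lines):
    """Per ACL: how many TCP/UDP entries were logged and how many carry no port data."""
    summary = defaultdict(lambda: {"total": 0, "unknown_ports": 0})
    for rec in filter(None, map(parse_acl_log, lines)):
        if rec["proto"] not in ("tcp", "udp"):
            continue
        summary[rec["acl"]]["total"] += 1
        if not rec["ports_known"]:
            summary[rec["acl"]]["unknown_ports"] += 1
    return dict(summary)

def acls_not_inspecting_ports(summary):
    """ACLs whose every entry lacks ports: the ACL most likely has no port match at all."""
    return sorted(acl for acl, s in summary.items() if s["unknown_ports"] == s["total"])

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("port fields not usable for:", acls_not_inspecting_ports(summarize(SAMPLE_LOG)))
```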
Chris Roberts
      07-22-2011
On Jul 22, 11:25 am, Rob <nom...@example.com> wrote:
> Chris Roberts <thecjg...@gmail.com> wrote:
> > On Jul 21, 5:32*am, Rob <nom...@example.com> wrote:
> >> Martin Gallagher <mgall...@zeta.org.au> wrote:
> >> > Chris Roberts wrote:

>
> >> >> I have an ACL (outside-in) set up on the interface of R2 to log the
> >> >> traffic. and I see that a packet goes through on port "0"

>
> >> > You haven't shown us what ACL outside-in is, but if it doesn't look at port
> >> > numbers itself, you won't get the information in the log message.

>
> >> > IOS isn't going to waste time collecting stuff you've already told it you
> >> > aren't interested in.

>
> >> That is right.  To resolve this, put something like this:

>
> >> deny tcp any any eq 1 log

>
> >> before the

>
> >> deny tcp any any log

>
> > Here is the acl (it is on the outside interface), and it logs any TCP
> > ports. That is why it logged that there is a packet coming in on port
> > 0.

>
> > ip access-list extended outside-in
> > permit tcp any any log
> > permit ip any any log

>
> > *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
> > tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet

>
> > There are no packets coming in on port 1, so I am curious why you
> > think that will help.

>
> Just try it and you will see.
>
> > My question is: when telnetting from the outside to port 80, I am seeing
> > a packet come in on port 0, then seeing a packet on port 80.

>
> Because, just like the other poster said, as long as you don't refer
> to a port number anywhere in your ACL, the router will not extract
> the port number from the packet and it will log the zero value.



I tried it; still the acl at the interface registers a tcp port 0
(not 1).
Then when it hits the NAT ACL, it gets rejected.

(I am suspecting that the port 0 issue is not the problem,
but I don't understand why the "nat" ACL is getting hit twice each
time I try:

once on the permit,
once on the end deny statement.)


R2#sh access-l nat
Extended IP access list nat
10 permit tcp any eq www any (1 match)
20 permit tcp any range 60000 64999 any log (3 matches)
30 deny tcp any any eq 1 log
40 deny tcp any any log (6 matches)


R2#
*Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted
tcp 23.23.23.24(6510) -> 63.175.69.29(80), 1 packet
R2#
*Mar 1 00:21:42.099: NAT(acl): name nat failed
*Mar 1 00:21:42.099: NAT: Matches reverse map inbound (deny)
*Mar 1 00:21:42.107: NAT: map match inbound
*Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp
10.1.1.95(0) -> 23.23.23.24(0), 1 packet


 
Martin Gallagher
      07-23-2011
Chris Roberts wrote:

>
> R2#sh access-l nat
> Extended IP access list nat
> 10 permit tcp any eq www any (1 match)
> 20 permit tcp any range 60000 64999 any log (3 matches)
> 30 deny tcp any any eq 1 log
> 40 deny tcp any any log (6 matches)
>


You should NOT be using log on an ACL used for NAT.

NAT works in the CEF/fast path and ACL logging punts packets to process. It
tends to break NAT.

Take the logging off and use the NAT debugs to see what NAT is doing.

>
> R2#
> *Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted
> tcp 23.23.23.24(6510) -> 63.175.69.29(80), 1 packet
> R2#


Here you are seeing the port numbers at the interface ACL.

--
Rgds,
Martin
 