packet showing up on port 0 when I telnet to port 80?

Discussion in 'Cisco' started by Chris Roberts, Jul 20, 2011.

  1. I have a GNS3 LAB with 3 routers.

    I am trying to do a reversible NAT for several thousand ports to
    the server (R1) for this purpose.
    I try to telnet from R3 to R1 on any port (let's say 80 in this
    instance).
    I have an ACL (outside-in) set up on the interface of R2 to log the
    traffic, and I see that a packet goes through on port "0".

    Why do we have a packet showing up on port 0 when I telnet to port 80?
    !
    !
    R2#ip nat inside source static 1.1.1.1 63.175.69.29 route-map inbound
    reversible
    route-map inbound permit 10
    match ip address nat
    !
    route-map inbound deny 20
    !
    ip access-list extended nat
    permit tcp any eq www any
    permit tcp any range 60000 64999 any log
    deny tcp any any log
    !
    !
    R3# telnet 63.175.69.29 80
    !(unless the ACL has permit any any, I get rejected, (Below))
    R2#
    *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
    tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
    R2#
    R2#
    *Mar 1 01:48:26.051: NAT(acl): name nat failed

    When coming from inside, the nat works, and the first packet shows the
    correct port.
    R2#*Mar 1 00:57:02.879: %SEC-6-IPACCESSLOGP: list nat permitted tcp
    1.1.1.1(61804) -> 3.3.3.3(80), 1 packet

    When coming from outside, the NAT doesn't work, I think because the
    first packet shows the incorrect port (0).
    R3#telnet 63.175.69.29 80 /source Loopback0
    R2(config-ext-nacl)#*Mar 1 00:49:32.051: %SEC-6-IPACCESSLOGP: list
    nat permitted tcp 1.1.1.1(0) -> 3.3.3.3(0), 1 packet

    Thanks,
    Crzzy1
     
    Chris Roberts, Jul 20, 2011
    #1

  2. Chris Roberts wrote:

    > I have an ACL (outside-in) set up on the interface of R2 to log the
    > traffic. and I see that a packet goes through on port "0"
    >


    You haven't shown us what ACL outside-in is, but if it doesn't look at port
    numbers itself, you won't get the information in the log message.

    IOS isn't going to waste time collecting stuff you've already told it you
    aren't interested in.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jul 21, 2011
    #2

  3. Rob (Guest)

    Martin Gallagher <> wrote:
    > Chris Roberts wrote:
    >
    >> I have an ACL (outside-in) set up on the interface of R2 to log the
    >> traffic. and I see that a packet goes through on port "0"
    >>

    >
    > You haven't shown us what ACL outside-in is, but if it doesn't look at port
    > numbers itself, you won't get the information in the log message.
    >
    > IOS isn't going to waste time collecting stuff you've already told it you
    > aren't interested in.


    That is right. To resolve this, put something like this:

    deny tcp any any eq 1 log

    before the

    deny tcp any any log
     
    Rob, Jul 21, 2011
    #3
  4. On Jul 21, 5:32 am, Rob <> wrote:
    > Martin Gallagher <> wrote:
    > > Chris Roberts wrote:

    >
    > >> I have an ACL (outside-in) set up on the interface of R2 to log the
    > >> traffic. and I see that a packet goes through on port "0"

    >
    > >  You haven't shown us what ACL outside-in is, but if it doesn't look at port
    > > numbers itself, you won't get the information in the log message.

    >
    > >  IOS isn't going to waste time collecting stuff you've already told it you
    > > aren't interested in.

    >
    > That is right.   To resolve this, put something like this:
    >
    > deny   tcp any any eq 1 log
    >
    > before the
    >
    > deny   tcp any any log


    Here is the ACL (it is on the outside interface); it logs any TCP
    ports. That is why it logged that there is a packet coming in on port
    0.

    ip access-list extended outside-in
    permit tcp any any log
    permit ip any any log


    *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
    tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet

    There are no packets coming in on port 1, so I am curious why you
    think that will help.
    My question is: when telnetting from the outside to port 80, I am seeing
    a packet come in on port 0, then seeing a packet on port 80.

    Thanks,
     
    Chris Roberts, Jul 22, 2011
    #4
  5. Rob (Guest)

    Chris Roberts <> wrote:
    > On Jul 21, 5:32 am, Rob <> wrote:
    >> Martin Gallagher <> wrote:
    >> > Chris Roberts wrote:

    >>
    >> >> I have an ACL (outside-in) set up on the interface of R2 to log the
    >> >> traffic. and I see that a packet goes through on port "0"

    >>
    >> >  You haven't shown us what ACL outside-in is, but if it doesn't look at port
    >> > numbers itself, you won't get the information in the log message.

    >>
    >> >  IOS isn't going to waste time collecting stuff you've already told it you
    >> > aren't interested in.

    >>
    >> That is right.   To resolve this, put something like this:
    >>
    >> deny   tcp any any eq 1 log
    >>
    >> before the
    >>
    >> deny   tcp any any log

    >
    > Here is the acl. (it is on the ouside interface) and logs any TCP
    > ports. That is why it logged that there is a packet coming in on port
    > 0.
    >
    > ip access-list extended outside-in
    > permit tcp any any log
    > permit ip any any log
    >
    >
    > *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
    > tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
    >
    > There are no packets coming in on port 1, so I am curious why you
    > think that will help.


    Just try it and you will see.

    > My question is when telneting from the outside to port 80, I am seeing
    > a packet come in on port 0, then seeing a packet on port 80.


    Because, just like the other poster said, as long as you don't refer
    to a port number anywhere in your ACL, the router will not extract
    the port number from the packet and it will log the zero value.
     
    Rob, Jul 22, 2011
    #5
  6. On Jul 22, 11:25 am, Rob <> wrote:
    > Chris Roberts <> wrote:
    > > On Jul 21, 5:32 am, Rob <> wrote:
    > >> Martin Gallagher <> wrote:
    > >> > Chris Roberts wrote:

    >
    > >> >> I have an ACL (outside-in) set up on the interface of R2 to log the
    > >> >> traffic. and I see that a packet goes through on port "0"

    >
    > >> >  You haven't shown us what ACL outside-in is, but if it doesn't look at port
    > >> > numbers itself, you won't get the information in the log message.

    >
    > >> >  IOS isn't going to waste time collecting stuff you've already told it you
    > >> > aren't interested in.

    >
    > >> That is right.   To resolve this, put something like this:

    >
    > >> deny   tcp any any eq 1 log

    >
    > >> before the

    >
    > >> deny   tcp any any log

    >
    > > Here is the acl. (it is on the ouside interface) and logs any TCP
    > > ports. That is why it logged that there is a packet coming in on port
    > > 0.

    >
    > > ip access-list extended outside-in
    > >  permit tcp any any log
    > >  permit ip any any log

    >
    > > *Mar  1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
    > > tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet

    >
    > > There are no packets coming in on port 1, so I am curious why you
    > > think that will help.

    >
    > Just try it and you will see.
    >
    > > My question is when telneting from the outside to port 80, I am seeing
    > > a packet come in on port 0, then seeing a packet on port 80.

    >
    > Because, just like the other poster said, as long as you don't refer
    > to a port number anywhere in your ACL, the router will not extract
    > the port number from the packet and it will log the zero value.



    I tried it; still the ACL at the interface registers a TCP port 0
    (not 1).
    Then when it hits the NAT ACL, it gets rejected.

    (I suspect that the port 0 issue is not the problem,
    but I don't understand why the "nat" ACL is getting hit twice each
    time I try:

    once on the permit,
    once on the end deny statement.)


    R2#sh access-l nat
    Extended IP access list nat
    10 permit tcp any eq www any (1 match)
    20 permit tcp any range 60000 64999 any log (3 matches)
    30 deny tcp any any eq 1 log
    40 deny tcp any any log (6 matches)


    R2#
    *Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted
    tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet
    R2#
    *Mar 1 00:21:42.099: NAT(acl): name nat failed
    *Mar 1 00:21:42.099: NAT: Matches reverse map inbound (deny)
    *Mar 1 00:21:42.107: NAT: map match inbound
    *Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp
    10.1.1.95(0) -> 23.23.23.24(0), 1 packet
     
    Chris Roberts, Jul 22, 2011
    #6
  7. Chris Roberts wrote:

    >
    > R2#sh access-l nat
    > Extended IP access list nat
    > 10 permit tcp any eq www any (1 match)
    > 20 permit tcp any range 60000 64999 any log (3 matches)
    > 30 deny tcp any any eq 1 log
    > 40 deny tcp any any log (6 matches)
    >


    You should NOT be using log on an ACL used for NAT.

    NAT works in the CEF/fast path and ACL logging punts packets to process. It
    tends to break NAT.

    Take the logging off and use the NAT debugs to see what NAT is doing.

    >
    > R2#
    > *Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted
    > tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet
    > R2#


    Here you are seeing the port numbers at the interface ACL.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jul 23, 2011
    #7
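A defender-side triage of the log lines discussed in this thread, added here as an example and not part of any poster's message: it parses %SEC-6-IPACCESSLOGP lines and, following the explanation given above that IOS logs (0) when the ACL does not look at ports, decides whether a (0)->(0) entry is a logging artifact or something to review; it also lists ACEs that carry `log` inside an ACL used by NAT, which the last reply advises against. The candidate-ACE heuristic and the NAT_LISTS set are assumptions of this example, and the sample log and ACLs are constructed from the thread.

```python
import re

# Constructed sample log lines, modelled on the IPACCESSLOGP messages quoted in the thread.
SAMPLE_LOG = """\
*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
*Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet
*Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp 10.1.1.95(0) -> 23.23.23.24(0), 1 packet
"""

# The two ACLs from the thread, as lists of ACEs keyed by list name (constructed sample).
SAMPLE_ACLS = {
    "outside-in": ["permit tcp any any log", "permit ip any any log"],
    "nat": ["permit tcp any eq www any",
            "permit tcp any range 60000 64999 any log",
            "deny tcp any any log"],
}
NAT_LISTS = {"nat"}  # ACLs referenced by a NAT route-map (assumed from the config shown above)

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
PORT_KW = re.compile(r"\b(eq|neq|gt|lt|range)\b")  # layer-4 port qualifiers in an ACE
ACTION = {"permitted": "permit", "denied": "deny"}

def candidate_aces(acl, action, proto):  # ACEs that could have produced this log line (heuristic)
    return [a for a in acl if a.startswith(ACTION[action] + " ") and a.split()[1] in (proto, "ip")]

def classify(line, acls):
    """Parse one log line; explain a (0)->(0) entry from the ACEs that could have matched."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    zero = d["sport"] == "0" and d["dport"] == "0"
    aces = candidate_aces(acls.get(d["acl"], []), d["action"], d["proto"])
    if zero and not any(PORT_KW.search(a) for a in aces):
        verdict = "port-not-extracted"  # no candidate ACE inspects ports: (0) is a logging artifact
    elif zero:
        verdict = "needs-review"        # ports are inspected, yet both were logged as 0
    else:
        verdict = "ports-logged"
    return {**{k: d[k] for k in ("acl", "action", "src", "dst")},
            "sport": int(d["sport"]), "dport": int(d["dport"]), "verdict": verdict}

def triage(log_text, acls):
    return [r for r in (classify(l, acls) for l in log_text.splitlines()) if r]

def logging_nat_aces(acls, nat_lists):  # ACEs with 'log' in an ACL that NAT uses
    return [(name, a) for name in nat_lists for a in acls.get(name, []) if a.split()[-1] == "log"]
```

Run `triage(SAMPLE_LOG, SAMPLE_ACLS)` to see each line classified, and `logging_nat_aces(SAMPLE_ACLS, NAT_LISTS)` for the entries to strip `log` from before debugging NAT.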