UDP source ports using PAT (NAT overload)

Discussion in 'Cisco' started by Greg Grimes, Aug 10, 2004.

  1. Greg Grimes

    Greg Grimes Guest

    Hi Everyone,

    I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
    the ethernet interfaces is setup to use NAT. The problem is that my
    company is writing a small application that uses UDP. The app uses a
    single, specific source port address and calls a specific, static port
    number at one remote address. The problem is that the external
    interface of the router opens the exact same port number on the
    external interface for each connection rather than opening a random
    one. This causes the obvious problems with socket identification at
    the other end and scuttles communication.

    Does anyone have an idea of how I could get the router to function the
    way that I believe it is supposed to by default?

    Thanks,

    Greg
     
    Greg Grimes, Aug 10, 2004
    #1

  2. Greg Grimes

    Greg Grimes Guest

    One mistake below. The client app uses a random port number, but
    multiple clients will often end up using the same source port number.
    This is when we run into problems.

    (Greg Grimes) wrote in message news:<>...
    > Hi Everyone,
    >
    > I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
    > the ethernet interfaces is setup to use NAT. The problem is that my
    > company is writing a small application that uses UDP. The app uses a
    > single, specific source port address and calls a specific, static port
    > number at one remote address. The problem is that the external
    > interface of the router opens the exact same port number on the
    > external interface for each connection rather than opening a random
    > one. This causes the obvious problems with socket identification at
    > the other end and scuttles communication.
    >
    > Does anyone have an idea of how I could get the router to function the
    > way that I believe it is supposed to by default?
    >
    > Thanks,
    >
    > Greg
     
    Greg Grimes, Aug 10, 2004
    #2

  3. On Tue, 10 Aug 2004 09:31:25 -0700, Greg Grimes wrote:

    > (Greg Grimes) wrote in message
    > news:<>...
    >> Hi Everyone,
    >>
    >> I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
    >> the ethernet interfaces is setup to use NAT. The problem is that my
    >> company is writing a small application that uses UDP. The app uses a
    >> single, specific source port address and calls a specific, static port
    >> number at one remote address. The problem is that the external
    >> interface of the router opens the exact same port number on the
    >> external interface for each connection rather than opening a random
    >> one. This causes the obvious problems with socket identification at the
    >> other end and scuttles communication.
    >>
    >> Does anyone have an idea of how I could get the router to function the
    >> way that I believe it is supposed to by default?
    >>

    > One mistake below. The client app uses a random port number, but
    > multiple clients will often end up using the same source port number.
    > This is when we run into problems.
    >
    >

    Shouldn't matter. If two or more clients use the same source port, the
    PAT router will use the same port # for the first, if it can, and then
    different ones for the rest.

    So if three clients, A, B and C choose port 2137 as their source, then
    after PAT the server might see them as D:2137, D:2138 and D:2139 and there
    is no confusion, unless your app also uses the port # somewhere else in
    the payload. The NAT router won't change that and the server might see
    the three clients as the same.

    Perhaps if you provide a sanitised config and a show ip nat trans that
    illustrates the problem, it will become clearer.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Aug 11, 2004
    #3
  4. Greg Grimes

    Greg Grimes Guest

    "Martin Gallagher" <> wrote in message news:<>...
    > On Tue, 10 Aug 2004 09:31:25 -0700, Greg Grimes wrote:
    >
    > > (Greg Grimes) wrote in message
    > > news:<>...
    > >> Hi Everyone,
    > >>
    > >> I have a Cisco 1720 router with 2 Ethernet and a T1 interface. One of
    > >> the ethernet interfaces is setup to use NAT. The problem is that my
    > >> company is writing a small application that uses UDP. The app uses a
    > >> single, specific source port address and calls a specific, static port
    > >> number at one remote address. The problem is that the external
    > >> interface of the router opens the exact same port number on the
    > >> external interface for each connection rather than opening a random
    > >> one. This causes the obvious problems with socket identification at the
    > >> other end and scuttles communication.
    > >>
    > >> Does anyone have an idea of how I could get the router to function the
    > >> way that I believe it is supposed to by default?
    > >>

    > > One mistake below. The client app uses a random port number, but
    > > multiple clients will often end up using the same source port number.
    > > This is when we run into problems.
    > >
    > >

    > Shouldn't matter. If two or more clients use the same source port, the
    > PAT router will use the same port # for the first, if it can, and then
    > different ones for the rest.
    >
    > So if three clients, A, B and C choose port 2137 as their source, then
    > after PAT the server might see them as D:2137, D:2138 and D:2139 and there
    > is no confusion, unless your app also uses the port # somewhere else in
    > the payload. The NAT router won't change that and the server might see
    > the three clients as the same.
    >
    > Perhaps if you provide a sanitised config and a show ip nat trans that
    > illustrates the problem, it will become clearer.


    Hi Martin,

    Sorry for the delayed response. Here's my sanitized config.

    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname PTM
    !
    logging queue-limit 100
    enable secret 5 <removed>
    !
    memory-size iomem 25
    ip subnet-zero
    !
    no ip domain lookup
    !
    no ip bootp server
    !
    interface Ethernet0
     ip address 172.XX.XX.XX 255.255.255.240
     full-duplex
    !
    interface FastEthernet0
     description connected to EthernetLAN
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     speed auto
     full-duplex
    !
    interface Serial0
     description connected to Internet
     ip address 61.XX.XX.XX 255.255.255.252
     ip access-group 101 in
     ip nat outside
     service-module t1 timeslots 1-24
     service-module t1 remote-alarm-enable
    !
    ip nat inside source list 1 interface Serial0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    ip http server
    no ip http secure-server
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 deny any
    access-list 101 permit tcp any any established
    access-list 101 permit udp any host 192.168.1.5 eq ntp
    access-list 101 permit tcp any host 62.XX.XX.XX eq ftp
    access-list 101 permit tcp any host 62.XX.XX.XX eq ftp-data
    access-list 101 deny udp any any range 0 1030
    access-list 101 deny tcp any any range 0 1030
    access-list 101 deny tcp any any range 6000 6100
    access-list 101 deny udp any any range 6000 6100
    access-list 101 deny tcp any any range 5000 5003
    access-list 101 deny tcp any any eq 1080
    access-list 101 deny tcp any any eq 8080
    access-list 101 deny icmp any any echo
    access-list 101 deny tcp any any eq 1720
    access-list 101 permit ip any any
    !
    line con 0
     exec-timeout 0 0
     password 7 <removed>
     login
    line aux 0
     password 7 <removed>
     login
    line vty 0 4
     access-class 1 in
     password 7 <removed>
     login
    !
    no scheduler allocate
    end


    Thanks,

    Greg
     
    Greg Grimes, Aug 16, 2004
    #4
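Added example, not code from any poster in this thread: a small Python model of what Martin describes in #3 (the first client keeps its source port after PAT, later clients that chose the same port get a different outside port, and an application that carries the client port inside the UDP payload still sees them as one peer) together with the way the inbound ACL 101 from the config in #4 treats a UDP reply whose PAT-assigned port falls in 0-1030 or 6000-6100. Assumptions, labelled in the code: the next-higher-free-port allocation order is a simplification (the thread does not say which port IOS picks when preservation fails), the 203.0.113.1 outside address and 192.168.1.x client addresses are constructed, and the fact that IOS evaluates the inbound ACL before outside-to-inside translation comes from Cisco's documented NAT order of operations, not from the thread.

```python
"""Toy model of PAT (NAT overload) port allocation plus the inbound ACL from
the posted config. Added example; not the router's or the thread's code.

Assumption: IOS preserves the inside source port when that outside port is
free and otherwise picks another free port. Which one is not stated in the
thread, so this model takes the next higher free port.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "203.0.113.1"  # constructed stand-in for Serial0's 61.XX.XX.XX

Endpoint = Tuple[str, str, int]  # (proto, ip, port)


@dataclass
class PatTable:
    """Dynamic PAT table: one outside (ip, port) per inside (ip, port)."""
    outside_ip: str
    inside_to_outside: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    outside_to_inside: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def _free_port(self, proto: str, wanted: int) -> int:
        """Port preservation first; else the next higher free port (assumption)."""
        port = wanted
        for _ in range(65535):
            if (proto, self.outside_ip, port) not in self.outside_to_inside:
                return port
            port = port + 1 if port < 65535 else 1024
        raise RuntimeError("PAT table exhausted")

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an inside->outside packet, creating the entry on first use."""
        key = (proto, src_ip, src_port)
        if key not in self.inside_to_outside:
            out = (proto, self.outside_ip, self._free_port(proto, src_port))
            self.inside_to_outside[key] = out
            self.outside_to_inside[out] = key
        _, ip, port = self.inside_to_outside[key]
        return ip, port

    def inbound(self, proto: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a reply back to the inside host; None means no entry."""
        entry = self.outside_to_inside.get((proto, self.outside_ip, dst_port))
        if entry is None:
            return None
        _, ip, port = entry
        return ip, port


def acl101_permits_udp_reply(dst_port: int) -> bool:
    """ACL 101 ('ip access-group 101 in' on Serial0) applied to a UDP reply
    addressed to the router's outside address. IOS runs the inbound ACL before
    outside-to-inside NAT, so the port it sees is the PAT-assigned one.
    Only the posted lines that can match such a packet are modelled:
      deny udp any any range 0 1030, deny udp any any range 6000 6100,
      permit ip any any."""
    if 0 <= dst_port <= 1030 or 6000 <= dst_port <= 6100:
        return False
    return True


def reply_reaches_inside(pat: PatTable, dst_port: int) -> Optional[Tuple[str, int]]:
    """Inbound on the outside interface: ACL first, then PAT un-translation."""
    if not acl101_permits_udp_reply(dst_port):
        return None
    return pat.inbound("udp", dst_port)


def distinct_server_sessions(pat: PatTable, clients: List[Tuple[str, int]],
                             key_on_payload_port: bool) -> int:
    """How many peers the server can tell apart. With key_on_payload_port=True
    the application identifies peers by the client's own port carried inside
    the UDP payload (Martin's caveat); PAT rewrites the header, not the payload."""
    seen = set()
    for ip, port in clients:
        out_ip, out_port = pat.outbound("udp", ip, port)
        seen.add((out_ip, port if key_on_payload_port else out_port))
    return len(seen)


if __name__ == "__main__":
    pat = PatTable(OUTSIDE_IP)
    # constructed clients A, B, C all choosing source port 2137
    clients = [("192.168.1.10", 2137), ("192.168.1.11", 2137), ("192.168.1.12", 2137)]
    for ip, port in clients:
        print(f"{ip}:{port} -> {pat.outbound('udp', ip, port)}")
    print("header-keyed sessions:", distinct_server_sessions(pat, clients, False))
    print("payload-keyed sessions:", distinct_server_sessions(pat, clients, True))
    pat.outbound("udp", "192.168.1.13", 1024)  # low source port is preserved
    print("reply to :1024 reaches", reply_reaches_inside(pat, 1024))  # ACL drop
```

Running it shows the three clients arriving at the server as 203.0.113.1:2137, :2138 and :2139 (three sessions when keyed on the UDP header, one when keyed on a port copied into the payload), and a client whose preserved source port is 1024 never receiving its reply because ACL 101 drops it before the translation is consulted; `show ip nat translations` on the router is the place to confirm which of these two cases is actually happening.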
