packet showing up on port 0 when I telnet to port 80?

Discussion in 'Cisco' started by Chris Roberts, Jul 20, 2011.

  1. I have a GNS3 lab with 3 routers.

    I am trying to do a reversible NAT for several thousand ports to
    the server (R1) for this purpose.
    I try to telnet from R3 to R1 on any port (let's say 80 in this
    instance).
    I have an ACL (outside-in) set up on the interface of R2 to log the
    traffic, and I see that a packet goes through on port "0".

    Why do we have a packet showing up on port 0 when I telnet to port 80?
    !
    !
    R2#ip nat inside source static 1.1.1.1 63.175.69.29 route-map inbound
    reversible
    route-map inbound permit 10
    match ip address nat
    !
    route-map inbound deny 20
    !
    ip access-list extended nat
    permit tcp any eq www any
    permit tcp any range 60000 64999 any log
    deny tcp any any log
    !
    !
    R3# telnet 63.175.69.29 80
    !(unless the ACL has permit any any, I get rejected, (Below))
    R2#
    *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
    tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
    R2#
    R2#
    *Mar 1 01:48:26.051: NAT(acl): name nat failed

    When coming from inside, the nat works, and the first packet shows the
    correct port.
    R2#*Mar 1 00:57:02.879: %SEC-6-IPACCESSLOGP: list nat permitted tcp
    1.1.1.1(61804) -> 3.3.3.3(80), 1 packet

    When coming from outside, the NAT doesn't work, I think because the
    first packet shows the incorrect port (0).
    R3#telnet 63.175.69.29 80 /source Loopback0
    R2(config-ext-nacl)#*Mar 1 00:49:32.051: %SEC-6-IPACCESSLOGP: list
    nat permitted tcp 1.1.1.1(0) -> 3.3.3.3(0), 1 packet

    Thanks,
    Crzzy1
     
    Chris Roberts, Jul 20, 2011
    #1

  2. You haven't shown us what ACL outside-in is, but if it doesn't look at port
    numbers itself, you won't get the information in the log message.

    IOS isn't going to waste time collecting stuff you've already told it you
    aren't interested in.
     
    Martin Gallagher, Jul 21, 2011
    #2

  3. That is right. To resolve this, put something like this:

    deny tcp any any eq 1 log

    before the

    deny tcp any any log
     
    Rob, Jul 21, 2011
    #3
  4. Here is the ACL (it is on the outside interface); it logs any TCP
    ports. That is why it logged that there is a packet coming in on port
    0.

    ip access-list extended outside-in
    permit tcp any any log
    permit ip any any log


    *Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted
    tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet

    There are no packets coming in on port 1, so I am curious why you
    think that will help.
    My question is: when telnetting from the outside to port 80, I am seeing
    a packet come in on port 0, then seeing a packet on port 80.

    Thanks,
     
    Chris Roberts, Jul 22, 2011
    #4
  5. Just try it and you will see.
    Because, just like the other poster said, as long as you don't refer
    to a port number anywhere in your ACL, the router will not extract
    the port number from the packet and it will log the zero value.
     
    Rob, Jul 22, 2011
    #5

  6. I tried it; still the ACL at the interface registers a TCP port 0
    (not 1).
    Then when it hits the NAT ACL, it gets rejected.

    (I am suspecting that the port 0 issue is not the problem,
    but I don't understand why the "nat" ACL is getting hit twice for each
    time I try.)

    Once on the permit
    Once on the end deny statement .


    R2#sh access-l nat
    Extended IP access list nat
    10 permit tcp any eq www any (1 match)
    20 permit tcp any range 60000 64999 any log (3 matches)
    30 deny tcp any any eq 1 log
    40 deny tcp any any log (6 matches)


    R2#
    *Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted
    tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet
    R2#
    *Mar 1 00:21:42.099: NAT(acl): name nat failed
    *Mar 1 00:21:42.099: NAT: Matches reverse map inbound (deny)
    *Mar 1 00:21:42.107: NAT: map match inbound
    *Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp
    10.1.1.95(0) -> 23.23.23.24(0), 1 packet
     
    Chris Roberts, Jul 22, 2011
    #6
  7. You should NOT be using log on an ACL used for NAT.

    NAT works in the CEF/fast path and ACL logging punts packets to process. It
    tends to break NAT.

    Take the logging off and use the NAT debugs to see what NAT is doing.
    Here you are seeing the port numbers at the interface ACL.
     
    Martin Gallagher, Jul 23, 2011
    #7
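    The behaviour the replies describe (IOS logs `(0)` for both ports when no entry in the list matches on port numbers) is easy to misread as real port-0 traffic when reviewing ACL logs. The following Python parser is an added example, not code from this thread; it runs over constructed sample lines modelled on the %SEC-6-IPACCESSLOGP messages above (wrapped lines joined) and separates entries with real ports from 0/0 placeholders per ACL.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the %SEC-6-IPACCESSLOGP messages in the
# thread (wrapped lines joined); the 0/0 entries are the ones discussed above.
SAMPLE_LOG = """\
*Mar 1 00:44:35.771: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 34.34.34.4(0) -> 63.175.69.29(0), 1 packet
*Mar 1 00:57:02.879: %SEC-6-IPACCESSLOGP: list nat permitted tcp 1.1.1.1(61804) -> 3.3.3.3(80), 1 packet
*Mar 1 00:21:42.095: %SEC-6-IPACCESSLOGP: list outside-in permitted tcp 23.23.23.24(65108) -> 63.175.69.29(80), 1 packet
*Mar 1 00:22:07.507: %SEC-6-IPACCESSLOGP: list nat denied tcp 10.1.1.95(0) -> 23.23.23.24(0), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), \d+ packets?"
)

@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def ports_unknown(self) -> bool:
        # 0/0 means the list never inspected ports, not traffic on port 0
        return self.sport == 0 and self.dport == 0

def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one IPACCESSLOGP message; None for unrelated lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return AclLogEntry(d["acl"], d["action"], d["proto"], d["src"],
                       int(d["sport"]), d["dst"], int(d["dport"]))

def classify(text: str) -> dict:
    """Per-ACL count of entries with real ports vs. 0/0 placeholders."""
    summary: dict = {}
    for e in filter(None, map(parse_line, text.splitlines())):
        s = summary.setdefault(e.acl, {"with_ports": 0, "ports_unknown": 0})
        s["ports_unknown" if e.ports_unknown else "with_ports"] += 1
    return summary
```

A list whose every entry shows up under `ports_unknown` is one that has no port-matching entries at all, which is the condition the replies above describe.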
