NAT translation table

Thread: NAT translation table

  1. #1
    Member
    Join Date
    May 2002
    Posts
    38

    NAT translation table

    I've gone to Cisco's web site trying to get information on this but have not received much significant help. Maybe someone here can help me out.

    When looking at the NAT translation table on my Cisco 1700 I see a number of translations between outside addresses and my http port 80. However, I show no activity on web server logs that indicates someone is hitting my web server. Is this some sort of scan for vulnerabilities that is not detected by the web logs? Could it possibly be more serious? Thanks for any help anyone can offer.

  2. #2
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    What exactly does your web server log? Maybe these are simple port scans, not picked up by the web log because no pages were transmitted?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3
    Member
    Join Date
    May 2002
    Posts
    38
    The web server logs any HTTP commands (GET, POST, etc.). I can see scans all day long made for common vulnerabilities of MS IIS, but they are not coming from the same IP as the outside translation IP on NAT.

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Does the IP scan other ports as well? Does it resolve to some known hostname? ... I'm fishing in the dark here... (hey, some network guru, help us out here)
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Member
    Join Date
    May 2002
    Posts
    38
    No, it only seems to scan port 80. There are a couple of other open ports that could be scanned.

  6. #6
    Member
    Join Date
    May 2002
    Posts
    38
    I don't know if this helps any, but I do occasionally get an entry in my web log such as:
    x.x.x.x - (CurrentDate) - "GET http://www.hostname.com/ HTTP/1.1" 200 3059
    I'm not open to being a proxy that I know of, but it seems someone is trying to access another site through my http port. Maybe it's related?

  7. #7
    Member
    Join Date
    Jun 2002
    Posts
    44
    PacSec

    What version of IOS is built on your router/firewall? Also, how did you configure your static NAT statements? And last, could you post a small portion of the show ip nat trans?
    Os1LaYr5

  8. #8
    Member
    Join Date
    May 2002
    Posts
    38
    I have IOS version 12.2-7a. My static NAT is as follows:
    ip nat inside source static tcp x.x.x.x (inside address) 80 y.y.y.y (outside address) 80 extendable
    (That is for the http server. I have ports 25 and 110 set up the same way.)
    As far as the show ip nat trans, it looks basically like this

    Pro Inside global   Inside local   Outside local   Outside global
    tcp y.y.y.y:80      x.x.x.x:80     a.a.a.a:14721   a.a.a.a:14721
    tcp y.y.y.y:80      x.x.x.x:80     b.b.b.b:13193   b.b.b.b:13193
    tcp y.y.y.y:80      x.x.x.x:80     b.b.b.b:47260   b.b.b.b:47260

    This is just a quick sample. Where the letters representing the IP address are the same, the IPs are the same. As you can see, one IP will sometimes have a couple of its ports open to my port 80. Other times, there is only one open port to my port 80.
    I'd tell you about my paranoia but I think someone else is listening.
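The NAT table and the web log count different things, so correlating the two is the practical check. This is an added example, not code from the thread: it parses constructed sample output in the same shape as the show ip nat trans sample above plus a constructed common-log-format access log, and reports outside IPs that hold a port-80 translation but never produced a logged request, together with any proxy-style absolute-URI requests like the one in post #6.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `show ip nat translations` output above
NAT_TABLE = """\
Pro Inside global     Inside local      Outside local       Outside global
tcp 203.0.113.10:80   192.168.1.10:80   198.51.100.7:14721  198.51.100.7:14721
tcp 203.0.113.10:80   192.168.1.10:80   198.51.100.9:13193  198.51.100.9:13193
tcp 203.0.113.10:80   192.168.1.10:80   198.51.100.9:47260  198.51.100.9:47260
tcp 203.0.113.10:80   192.168.1.10:80   198.51.100.22:40001 198.51.100.22:40001
"""
# Constructed access log lines (common log format); the second is a proxy-style request
ACCESS_LOG = """\
198.51.100.22 - - [10/Jun/2002:10:15:01 +0000] "GET / HTTP/1.1" 200 3059
198.51.100.22 - - [10/Jun/2002:10:15:02 +0000] "GET http://www.hostname.com/ HTTP/1.1" 200 3059
"""
NAT_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+\S+:(\d+)\s+\S+:\d+\s+(\S+):(\d+)")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_nat(text, inside_port=80):
    """Map outside-global IP -> set of its source ports translated to inside_port."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m and int(m.group(3)) == inside_port:
            hits[m.group(4)].add(int(m.group(5)))
    return hits

def parse_log(text):
    """Return (requests per client IP, list of absolute-URI requests)."""
    counts, proxy_like = defaultdict(int), []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        counts[ip] += 1
        if re.match(r"^[a-z]+://", target, re.I):   # "GET http://host/" = proxy attempt
            proxy_like.append((ip, method, target, status))
    return counts, proxy_like

def correlate(nat_text, log_text):
    """Outside IPs holding port-80 translations that never produced a logged request.
    A NAT entry is created by the first packet of a connection (a lone SYN is enough);
    the access log only records completed HTTP requests, so the gap is what the log misses."""
    nat = parse_nat(nat_text)
    counts, proxy_like = parse_log(log_text)
    silent = {ip: sorted(ports) for ip, ports in nat.items() if counts.get(ip, 0) == 0}
    return silent, proxy_like
```

Running correlate(NAT_TABLE, ACCESS_LOG) on the constructed data flags 198.51.100.7 and 198.51.100.9 as connections the web log never saw, and lists the absolute-URI request from 198.51.100.22 separately.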

  9. #9
    Banned
    Join Date
    Apr 2002
    Posts
    149
    OK, this might be totally off, but you could just be seeing Nimda scans.

  10. #10
    Member
    Join Date
    May 2002
    Posts
    38
    I'm pretty sure the Nimda scans are showing up on the web server access log.
    I'd tell you about my paranoia but I think someone else is listening.
