-
NAT translation table
I've gone to Cisco's web site trying to get information on this but have not received much significant help. Maybe someone here can help me out.
When looking at the NAT translation table on my Cisco 1700 I see a number of translations between outside addresses and my http port 80. However, I show no activity on web server logs that indicates someone is hitting my web server. Is this some sort of scan for vulnerabilities that is not detected by the web logs? Could it possibly be more serious? Thanks for any help anyone can offer.
-
What exactly does your webserver log? Maybe these are simple portscans, not picked up by the weblog, because no pages were transmitted?
-
The web server logs any http commands (GET, POST, etc.). I can see scans all day long made for common vulnerabilities of MS IIS but they are not coming from the same IP as the outside translation IP on NAT.
-
Does the IP scan other ports as well? Does it resolve to some known hostname? ... I'm fishing in the dark here... (hey, some network guru, help us out here)
-
No, it only seems to scan port 80. There are a couple of other open ports that could be scanned.
-
I don't know if this helps any, but I do occasionally get an entry in my web log such as:
x.x.x.x - (CurrentDate) - "GET http://www.hostname.com/ HTTP/1.1" 200 3059. I'm not open to being a proxy that I know of, but it seems someone is trying to access another site through my http port. Maybe it's related?
-
PacSec
What version of IOS is running on your router/firewall? Also, how did you configure your static NAT statements? And last, could you post a small portion of the show ip nat trans?
-
I have IOS version 12.2-7a. My static nat is as follows:
ip nat inside source static tcp x.x.x.x (inside address) 80 y.y.y.y (outside address) 80 extendable
(That is for the http server. I have ports 25 and 110 set up the same way.)
As far as the show ip nat trans, it looks basically like this:
Pro  Inside global    Inside local     Outside local    Outside global
tcp  y.y.y.y:80       x.x.x.x:80       a.a.a.a:14721    a.a.a.a:14721
tcp  y.y.y.y:80       x.x.x.x:80       b.b.b.b:13193    b.b.b.b:13193
tcp  y.y.y.y:80       x.x.x.x:80       b.b.b.b:47260    b.b.b.b:47260
This is just a quick sample. Where the letters representing the IP address are the same, the IPs are the same. As you can see, one IP will sometimes have a couple of its ports open to my port 80. Other times, there is only one open port to my port 80.
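The question running through this thread is how to tell a NAT translation that never became an HTTP request (a translation entry is created on the TCP handshake, before any request line is sent) from a real web hit, and separately how to spot the proxy-style absolute-URI request mentioned a few posts up. The following Python script is an added example, not code from the original thread or from Cisco: it parses a `show ip nat translations` table of the shape shown above and a web server access log in common log format, reports the outside peers that hold translations to the inside port 80 but never appear in the web log, and lists log entries whose request target is an absolute URI. All addresses, timestamps and log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `show ip nat translations` output, modelled on the
# redacted table posted in the thread (documentation-range addresses, not real hosts).
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local       Outside global
tcp 203.0.113.10:80    192.168.1.10:80    198.51.100.7:14721  198.51.100.7:14721
tcp 203.0.113.10:80    192.168.1.10:80    198.51.100.9:13193  198.51.100.9:13193
tcp 203.0.113.10:80    192.168.1.10:80    198.51.100.9:47260  198.51.100.9:47260
tcp 203.0.113.10:25    192.168.1.10:25    198.51.100.20:4120  198.51.100.20:4120
"""

# Constructed access-log lines in common log format. Only one of the port-80
# peers above ever sent a request line; the last line is a request for a
# different host via an absolute URI, as described earlier in the thread.
ACCESS_LOG = """\
198.51.100.9 - - [10/Oct/2002:12:00:01 -0500] "GET /index.html HTTP/1.1" 200 3059
198.51.100.9 - - [10/Oct/2002:12:00:02 -0500] "GET /scripts/root.exe HTTP/1.0" 404 210
198.51.100.42 - - [10/Oct/2002:12:05:10 -0500] "GET http://www.example.com/ HTTP/1.1" 200 3059
"""

# One data row of the NAT table: protocol, then four addr:port columns.
NAT_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+"
    r"(?P<ig>\S+):(?P<ig_port>\d+)\s+"
    r"(?P<il>\S+):(?P<il_port>\d+)\s+"
    r"(?P<ol>\S+):(?P<ol_port>\d+)\s+"
    r"(?P<og>\S+):(?P<og_port>\d+)\s*$"
)

# Common log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_nat_table(text, inside_port=80):
    """Map each outside-global IP to the set of its source ports that are
    translated to the inside host's `inside_port`."""
    peers = defaultdict(set)
    for line in text.splitlines():
        m = NAT_LINE.match(line)
        if not m or int(m.group("il_port")) != inside_port:
            continue
        peers[m.group("og")].add(int(m.group("og_port")))
    return dict(peers)


def parse_access_log(text):
    """Return one dict per parseable access-log line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def translations_without_requests(nat_text, log_text, inside_port=80):
    """Outside peers that hold a translation to `inside_port` but never logged
    an HTTP request. A TCP connection that completes the handshake and sends
    no request line creates a NAT entry but nothing in the web log."""
    peers = parse_nat_table(nat_text, inside_port)
    seen = {e["ip"] for e in parse_access_log(log_text)}
    return {ip: sorted(ports) for ip, ports in peers.items() if ip not in seen}


def absolute_uri_requests(log_text):
    """Log entries whose request target is an absolute URI (scheme://host/...),
    i.e. the client addressed the server as if it were a forward proxy."""
    return [e for e in parse_access_log(log_text)
            if re.match(r"^[a-z][a-z0-9+.-]*://", e["target"], re.IGNORECASE)]


if __name__ == "__main__":
    for ip, ports in translations_without_requests(NAT_TABLE, ACCESS_LOG).items():
        print(f"NAT translation to :80 with no web-log entry: {ip} from ports {ports}")
    for e in absolute_uri_requests(ACCESS_LOG):
        print(f"absolute-URI request from {e['ip']}: {e['method']} {e['target']}")
```

Run against a real `show ip nat translations` capture and the matching access log, the first report is the list of peers worth checking against the router's own logging (or a packet capture on the inside interface) to confirm they only ever complete the handshake; the second report is the list of clients that treated the server as a proxy, which is worth watching even when the server correctly serves its own content in response.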
-
OK, this might be totally off, but you could just be seeing Nimda scans.
-
I'm pretty sure the Nimda scans are showing up on the web server access log.