24 Apr

Cisco TCP port redirection

One of our customers asked us to redirect the destination TCP port on our last MPLS PE router, because they do not want to change the port on every remote POS terminal. This would be easy if the destination IP address were on the router itself, but here the traffic only flows through the router. I created a GNS3/IOU lab to demonstrate and test the solution.


Actually, the configuration is very basic:

On R2:

interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
interface Ethernet0/1
 ip address 10.10.11.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
! Outside-to-inside: destination 1.1.1.1:666 is rewritten to 1.1.1.1:23.
! Inside-to-outside (the replies): source 1.1.1.1:23 is rewritten to 1.1.1.1:666.
! "extendable" allows further static entries for the same IP with other ports.
ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 666 extendable

Now, if I telnet from R1 to 1.1.1.1:666, it works, and I can see the following debug messages on R2:

*Apr 24 20:48:37.543: NAT*: TCP s=52634, d=666->23
*Apr 24 20:48:37.547: NAT*: TCP s=23->666, d=52634
*Apr 24 20:48:37.559: NAT*: TCP s=52634, d=666->23
*Apr 24 20:48:37.559: NAT*: TCP s=52634, d=666->23
*Apr 24 20:48:37.611: NAT*: TCP s=23->666, d=52634
*Apr 24 20:48:37.611: NAT*: TCP s=23->666, d=52634
*Apr 24 20:48:37.615: NAT*: TCP s=52634, d=666->23
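The post only shows the NAT side of R2, so here is the complete lab the debug above can be reproduced with, as an added example (not configuration from the original post). The R1 and R3 configurations, the static routes, the Loopback0 holding 1.1.1.1 on R3 and the vty password are assumptions; the page only shows that R1 sits on 10.10.10.1 and that 10.10.11.2 belongs to a third device.

```cisco
! --- R1: the "POS terminal" side, NAT outside (assumed config) ---
hostname R1
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.252
 no shutdown
ip route 1.1.1.1 255.255.255.255 10.10.10.2
!
! --- R2: the PE router doing the port redirection ---
hostname R2
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no shutdown
interface Ethernet0/1
 ip address 10.10.11.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 no shutdown
ip route 1.1.1.1 255.255.255.255 10.10.11.2
! Outside->inside: dst 1.1.1.1:666 becomes 1.1.1.1:23
! Inside->outside: src 1.1.1.1:23 becomes 1.1.1.1:666 (return traffic)
! "extendable": more static entries may share 1.1.1.1 with other ports
ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 666 extendable
!
! --- R3: owner of 1.1.1.1, NAT inside (assumed config) ---
hostname R3
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface Ethernet0/1
 ip address 10.10.11.2 255.255.255.252
 no shutdown
ip route 10.10.10.0 255.255.255.252 10.10.11.1
line vty 0 4
 password lab
 login
 transport input telnet
!
! --- Checks on R2 ---
! show ip nat translations     -> static entry tcp 1.1.1.1:666 <-> 1.1.1.1:23
! debug ip nat                 -> then, from R1: telnet 1.1.1.1 666
```

The static entry is visible in `show ip nat translations` before any session exists; the per-packet `NAT*: TCP ... d=666->23` lines only appear with `debug ip nat` enabled, so disable it again (`undebug all`) once the test is done, because it logs every translated packet.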

During testing, I also tried to make this work using the LAN address of the router (10.10.11.2), so I changed the NAT rule:

ip nat inside source static tcp 10.10.11.2 23 10.10.11.2 666 extendable

After this, I saw the following log messages. I also issued a show ip arp command on R2:

*Apr 24 23:04:31.367: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310
*Apr 24 23:05:01.371: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310
*Apr 24 23:05:33.283: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310
*Apr 24 23:06:04.279: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310

R2#sh ip arp
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.1        144  aabb.cc00.0100  ARPA  Ethernet0/0
Internet  10.10.10.2          -  aabb.cc00.0200  ARPA  Ethernet0/0
Internet  10.10.11.1          -  aabb.cc00.0210  ARPA  Ethernet0/1
Internet  10.10.11.2          -  aabb.cc00.0210  ARPA  Ethernet0/1

As you can see, the 10.10.11.2 address now seems to be an address of Ethernet0/1 on R2. I tried this on a real 2811 router, in GNS3 with a 7200 router, and also with IOU. I really don't know the cause of this. And here is the ARP debug:

*Apr 24 23:11:49.279: IP ARP: rcvd rep src 10.10.11.2 aabb.cc00.0310, dst 10.10.11.2 Ethernet0/1
*Apr 24 23:11:49.279: IP ARP: Gratuitous ARP throttled.
*Apr 24 23:11:49.279: IP ARP: 10.10.11.2 added to arp_defense_Q
*Apr 24 23:11:49.375: IP ARP: 10.10.11.2 removed from arp_defense_Q
*Apr 24 23:11:49.375: IP ARP: sent rep src 10.10.11.2 aabb.cc00.0210, dst 10.10.11.2 aabb.cc00.0210 Ethernet0/1

If you have an idea why IOS acts like this, please comment :)
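Added note and example, not part of the original post: the ARP table entry for 10.10.11.2 with R2's own MAC and no age, and the arp_defense_Q lines in the debug, are what IOS produces when it installs an ARP alias for the inside global address of a static NAT entry. IOS does this whenever that global address lies in one of the router's connected subnets, so that the router can answer ARP for it; 1.1.1.1 is not in a connected subnet, which is why the first rule did not trigger it, while 10.10.11.2 is in the Ethernet0/1 subnet and gets defended against R3's gratuitous ARPs. The `no-alias` keyword on the static entry suppresses the alias. The check commands below are standard IOS commands; the expected results in the comments are assumptions about this lab, not output from the page.

```cisco
! R2: same redirection for 10.10.11.2, but without the ARP alias.
! Without "no-alias" IOS answers ARP for the global address 10.10.11.2 with
! its own MAC (aabb.cc00.0210), which is what %IP-4-DUPADDR reports.
no ip nat inside source static tcp 10.10.11.2 23 10.10.11.2 666 extendable
ip nat inside source static tcp 10.10.11.2 23 10.10.11.2 666 extendable no-alias
!
! Drop the stale self-owned entry, then re-check.
clear arp-cache
!
! Checks on R2:
! show ip aliases             -> 10.10.11.2 must no longer be listed
! show ip arp 10.10.11.2      -> expect R3's MAC (aabb.cc00.0310), not R2's
! debug arp                   -> no further "added to arp_defense_Q" for 10.10.11.2
```

For the customer case the first form (redirecting on the remote host's own address, 1.1.1.1) is the one to keep; `no-alias` only matters when the global address of a static translation falls inside a subnet directly connected to the PE.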