Cisco TCP port redirection

April 24th, 2011

One of our customers asked us to change the destination TCP port on our last MPLS PE router, because they don't want to change it on every remote POS terminal. This seems easy if the destination IP address belongs to the router, but here the traffic is only flowing through the router. I created a GNS3/IOU lab to demonstrate this, and tested the solution.


Actually, the configuration is very basic:

On R2:

interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
interface Ethernet0/1
 ip address 10.10.11.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 666 extendable

Now, if I telnet from R1 to 1.1.1.1:666, it works, and I can see the following debug messages on R2:

*Apr 24 20:48:37.543: NAT*: TCP s=52634, d=666->23
*Apr 24 20:48:37.547: NAT*: TCP s=23->666, d=52634
*Apr 24 20:48:37.559: NAT*: TCP s=52634, d=666->23
*Apr 24 20:48:37.559: NAT*: TCP s=52634, d=666->23
*Apr 24 20:48:37.611: NAT*: TCP s=23->666, d=52634
*Apr 24 20:48:37.611: NAT*: TCP s=23->666, d=52634
*Apr 24 20:48:37.615: NAT*: TCP s=52634, d=666->23

During the testing, I tried to make this work using the LAN address of the router (10.10.11.2), so I changed the NAT rule:

ip nat inside source static tcp 10.10.11.2 23 10.10.11.2 666 extendable

After this, I could see the following log messages. I also issued a sh ip arp command on R2.

*Apr 24 23:04:31.367: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310
*Apr 24 23:05:01.371: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310
*Apr 24 23:05:33.283: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310
*Apr 24 23:06:04.279: %IP-4-DUPADDR: Duplicate address 10.10.11.2 on Ethernet0/1, sourced by aabb.cc00.0310

R2#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.1             144  aabb.cc00.0100  ARPA  Ethernet0/0
Internet  10.10.10.2               -  aabb.cc00.0200  ARPA  Ethernet0/0
Internet  10.10.11.1               -  aabb.cc00.0210  ARPA  Ethernet0/1
Internet  10.10.11.2               -  aabb.cc00.0210  ARPA  Ethernet0/1

As you can see, 10.10.11.2 now appears to be an address of Ethernet0/1 on R2 itself (same MAC as 10.10.11.1). I tried this on a real 2811 router, in GNS3 with a 7200 router, and also with IOU. I really don't know the cause of this. And here is the ARP debug:

*Apr 24 23:11:49.279: IP ARP: rcvd rep src 10.10.11.2 aabb.cc00.0310, dst 10.10.11.2 Ethernet0/1
*Apr 24 23:11:49.279: IP ARP: Gratuitous ARP throttled.
*Apr 24 23:11:49.279: IP ARP: 10.10.11.2 added to arp_defense_Q
*Apr 24 23:11:49.375: IP ARP: 10.10.11.2 removed from arp_defense_Q
*Apr 24 23:11:49.375: IP ARP: sent rep src 10.10.11.2 aabb.cc00.0210, dst 10.10.11.2 aabb.cc00.0210 Ethernet0/1

If you have an idea why IOS acts like this, please comment :)

  1. February 26th, 2013 at 23:13

    I am having the same problem, have looked everywhere but can’t find an answer. I know this post has been a long time ago, but did you have any luck?

    • xcke
      March 5th, 2013 at 22:58

      Not really:)

    • xcke
      February 27th, 2014 at 22:56

      Well.. 🙂

      Autoaliasing of Pool Addresses:
      Many customers want to configure the NAT software to translate their local addresses to global addresses allocated from unused addresses from an attached subnet. This requires that the router answer ARP requests for those addresses so that packets destined for the global addresses are accepted by the router and translated. (Routing takes care of this packet delivery when the global addresses are allocated from a virtual network which isn’t connected to anything.) When a NAT pool used as an inside global or outside local pool consists of addresses on an attached subnet, the software will generate an alias for that address so that the router will answer ARPs for those addresses.
      This automatic aliasing also occurs for inside global or outside local addresses in static entries. It can be disabled for static entries by using the "no-alias" keyword:
      ip nat inside source static no-alias
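As an added example (not from the post, and not a Cisco tool), a small Python helper that parses the static TCP NAT rule and the NAT debug lines shown in the post, counts the port rewrite per direction, and flags the situation from the second test: an inside global address that lies on one of R2's connected subnets, which IOS auto-aliases and answers ARP for unless the rule carries `no-alias`, as the comment above explains. `R2_INTERFACES` and the rule syntax it accepts are assumptions taken from the post's configuration.

```python
import ipaddress
import re

# R2's connected interfaces, taken from the post's configuration.
R2_INTERFACES = {
    "Ethernet0/0": ipaddress.ip_interface("10.10.10.2/30"),
    "Ethernet0/1": ipaddress.ip_interface("10.10.11.1/30"),
}
STATIC_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)"
                       r"(?P<opts>(?: extendable| no-alias)*)$")
# Matches both "s=52634, d=666->23" and "s=23->666, d=52634" debug lines.
NAT_RE = re.compile(r"NAT\*?: TCP s=(\d+)(?:->(\d+))?, d=(\d+)(?:->(\d+))?")

def parse_static_nat(line):
    """Split a static TCP NAT rule into addresses, ports and options."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a static TCP NAT rule: %r" % line)
    return {"inside_local": m.group(1), "local_port": int(m.group(2)),
            "inside_global": m.group(3), "global_port": int(m.group(4)),
            "no_alias": "no-alias" in m.group("opts")}

def alias_conflict(rule, interfaces):
    """Return the interface whose connected subnet contains the inside global
    address. IOS auto-aliases such an address and answers ARP for it, which
    collides with a real host that owns it (the %IP-4-DUPADDR case). None if safe."""
    if rule["no_alias"]:
        return None
    g = ipaddress.ip_address(rule["inside_global"])
    for name, iface in interfaces.items():
        if g in iface.network and g != iface.ip:
            return name
    return None

def count_redirects(debug_lines, rule):
    """Count NAT debug lines showing the expected port rewrite per direction."""
    counts = {"inbound": 0, "return": 0, "other": 0}
    for line in debug_lines:
        m = NAT_RE.search(line)
        if not m:
            continue
        s, s_to, d, d_to = (int(x) if x else None for x in m.groups())
        if d == rule["global_port"] and d_to == rule["local_port"]:
            counts["inbound"] += 1      # client -> 666 rewritten to 23
        elif s == rule["local_port"] and s_to == rule["global_port"]:
            counts["return"] += 1       # server 23 rewritten back to 666
        else:
            counts["other"] += 1
    return counts
```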