I've got a simple inside-to-outside NAT set up with one internal subnet (172.16.4.0/24) and one outside gateway (50.0.0.120/30), and a local/outside DMZ subnet (50.1.1.32/27). I've got two nat rules to ensure traffic from inside to either of the two outside interfaces gets source-translated to the IP address of the outside interface, and this setup works well, EXCEPT for any tcp or udp traffic to port 53. In the case of traffic to port 53, the packet gets sent out the outside interface without its source address being translated. Traffic to ports 52 and 54 gets translated as expected.
Here's the relevant config:
interface GigabitEthernet0/0.21
 description Inside Network 172.16.4/24
 encapsulation dot1Q 21
 ip address 172.16.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/0.64
 description DMZ, 50.1.1.32/27
 encapsulation dot1Q 64
 ip address 50.1.1.33 255.255.255.224
 ip nat outside
 ip nat enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0.666
 description Egress to ISP, 50.0.0.120/30, peer .121
 encapsulation dot1Q 666
 ip address 50.0.0.122 255.255.255.252
 ip nat outside
 ip nat enable
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 50.0.0.121
ip access-list standard nat_inside_addrs
 permit 172.16.0.0 0.15.255.255
 permit 10.0.0.0 0.255.255.255
 permit 192.168.0.0 0.0.255.255
!
route-map rm_dmz_out permit 10
 match interface GigabitEthernet0/0.64
!
route-map rm_internet_out permit 10
 match interface GigabitEthernet0/0.666
!
ip nat pool nat_internet_pool 50.0.0.122 50.0.0.122 netmask 255.255.255.224
ip nat pool nat_dmz_pool 50.1.1.33 50.1.1.33 netmask 255.255.255.224
ip nat inside source route-map rm_dmz_out pool nat_dmz_pool overload
ip nat inside source route-map rm_internet_out pool nat_internet_pool overload
Whether I use the "ip nat inside source route-map" form, or the "ip nat inside source list nat_inside_addrs" form, the behavior is the same. Reloading the router doesn't help.
Here's what a tcpdump looks like from the outside interface, as I generate packets to tcp ports 51, 52, 53, and 54 from an internal host. Notice that the source address is 50.1.1.33 (NAT outside addr, as expected) EXCEPT when the destination port is 53. Traffic to port 53 retains its original internal address (in this case, 172.16.4.64).
# tcpdump -ptn -i ens224 'port (50 or 51 or 52 or 53 or 54 or 80)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 50.1.1.33.64290 > 50.1.1.41.51: Flags [S], seq 1842689145, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.41.51 > 50.1.1.33.64290: Flags [R.], seq 0, ack 1842689146, win 0, length 0
IP 50.1.1.33.64290 > 50.1.1.41.51: Flags [S], seq 1842689145, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.41.51 > 50.1.1.33.64290: Flags [R.], seq 0, ack 1, win 0, length 0
IP 50.1.1.33.64291 > 50.1.1.41.52: Flags [S], seq 2718678084, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.41.52 > 50.1.1.33.64291: Flags [R.], seq 0, ack 2718678085, win 0, length 0
IP 50.1.1.33.64291 > 50.1.1.41.52: Flags [S], seq 2718678084, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.41.52 > 50.1.1.33.64291: Flags [R.], seq 0, ack 1, win 0, length 0
IP 172.16.4.64.64292 > 50.1.1.41.53: Flags [S], seq 2768403474, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 172.16.4.64.64292 > 50.1.1.41.53: Flags [S], seq 2768403474, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.33.64294 > 50.1.1.41.54: Flags [S], seq 456091666, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.41.54 > 50.1.1.33.64294: Flags [R.], seq 0, ack 456091667, win 0, length 0
IP 50.1.1.33.64294 > 50.1.1.41.54: Flags [S], seq 456091666, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
IP 50.1.1.41.54 > 50.1.1.33.64294: Flags [R.], seq 0, ack 1, win 0, length 0
There's literally nothing else in the config that has to do with access lists or mentions port 53 or 'dns'. No IP inspection. No split tunnels.
Have I hit a bug? Has anyone seen this before?
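An added triage script, not part of the original post: it parses `tcpdump -n` output taken on the NAT outside interface and reports, per destination port, which packets left with an inside (untranslated) source address, so the "only port 53" pattern above can be confirmed mechanically on a longer capture instead of by eye. The inside ranges are the three entries of the `nat_inside_addrs` ACL in the config; the sample capture embedded in the script is copied from the tcpdump in the post, and the NAT address `50.1.1.33` is the DMZ interface address from the same config.

```python
"""Find outbound packets that escaped source NAT, grouped by destination port.

Input is tcpdump -n text captured on the NAT *outside* interface.  A packet
whose source is an inside address and whose destination is not has left the
router untranslated; everything else (translated packets, replies) is ignored.
"""
import ipaddress
import re
from collections import defaultdict

# Inside ranges, taken from the nat_inside_addrs standard ACL in the post.
INSIDE_NETS = [
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# tcpdump -n prints IPv4 TCP/UDP headers as "IP a.b.c.d.sport > e.f.g.h.dport: ..."
_PKT = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def is_inside(addr):
    """True if addr falls in one of the ACL's inside networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def parse_line(line):
    """Return {src, sport, dst, dport} for a packet line, None for anything else."""
    m = _PKT.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def untranslated_by_port(lines):
    """{dport: [inside source addrs]} for packets that left without source NAT."""
    leaks = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt and is_inside(pkt["src"]) and not is_inside(pkt["dst"]):
            leaks[pkt["dport"]].add(pkt["src"])
    return {port: sorted(srcs) for port, srcs in sorted(leaks.items())}


def translated_ports(lines, nat_addr):
    """Sorted destination ports for which some packet did carry the NAT address."""
    return sorted({p["dport"] for p in map(parse_line, lines)
                   if p and p["src"] == nat_addr})


# Constructed sample: the capture lines from the post (options trimmed for width).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 50.1.1.33.64290 > 50.1.1.41.51: Flags [S], seq 1842689145, win 64240, length 0
IP 50.1.1.41.51 > 50.1.1.33.64290: Flags [R.], seq 0, ack 1842689146, win 0, length 0
IP 50.1.1.33.64291 > 50.1.1.41.52: Flags [S], seq 2718678084, win 64240, length 0
IP 50.1.1.41.52 > 50.1.1.33.64291: Flags [R.], seq 0, ack 2718678085, win 0, length 0
IP 172.16.4.64.64292 > 50.1.1.41.53: Flags [S], seq 2768403474, win 64240, length 0
IP 172.16.4.64.64292 > 50.1.1.41.53: Flags [S], seq 2768403474, win 64240, length 0
IP 50.1.1.33.64294 > 50.1.1.41.54: Flags [S], seq 456091666, win 64240, length 0
IP 50.1.1.41.54 > 50.1.1.33.64294: Flags [R.], seq 0, ack 456091667, win 0, length 0
""".splitlines()


if __name__ == "__main__":
    # Typical use: tcpdump -ptn -i ens224 > outside.txt; python3 natleak.py outside.txt
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print("translated ports:", translated_ports(lines, "50.1.1.33"))
    for port, srcs in untranslated_by_port(lines).items():
        print(f"port {port}: untranslated source(s) {', '.join(srcs)}")
```

On the post's capture this reports port 53 as the only destination port with an untranslated inside source (172.16.4.64) while 51, 52 and 54 carry 50.1.1.33. Since IOS NAT handles port 53 through its DNS application-layer gateway (`ip nat service dns tcp` / `ip nat service dns udp`), a result that singles out port 53 points at that ALG path rather than at the route-map or ACL; re-running the probe after `no ip nat service dns tcp` and `no ip nat service dns udp`, with `show ip nat translations` in flight, would confirm or rule that out. The outside interfaces in the config also carry both `ip nat outside` and `ip nat enable` (NVI mode), a combination worth removing before concluding it is a platform bug.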