CheckMate-R77
Contributor

NAT with TCP and UDP issue

Hello.

We have 2 hosts on 2 internal networks:

- hostA 10.10.10.21 (static NAT 195.158.246.21)

- hostB 192.168.80.201 (static NAT 195.158.247.226)

We connect from hostA to hostB over TCP port 7946 and we see the NATed (public) source IP:

[Expert@gw1:0]# tcpdump -n -i eth4 tcp port 7946 and dst host 192.168.80.201
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
13:29:39.435658 IP 195.158.246.21.58946 > 192.168.80.201.7946: S 4142216763:4142216763(0) win 64240 <mss 1460,sackOK,timestamp 2513898872 0,nop,wscale 7>
13:29:39.435705 IP 195.158.246.21.58946 > 192.168.80.201.7946: . ack 810453210 win 502 <nop,nop,timestamp 2513898873 2862488492>
13:29:39.435840 IP 195.158.246.21.58946 > 192.168.80.201.7946: P 0:429(429) ack 1 win 502 <nop,nop,timestamp 2513898873 2862488492>
13:29:39.435889 IP 195.158.246.21.58946 > 192.168.80.201.7946: F 429:429(0) ack 1 win 502 <nop,nop,timestamp 2513898873 2862488492>

But the same connection over UDP port 7946 uses only the private source IP (no NAT):

[Expert@gw1:0]# tcpdump -n -i eth4 udp port 7946 and dst host 192.168.80.201
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
13:34:26.232659 IP 10.10.10.21.7946 > 192.168.80.201.7946: UDP, length 58
13:34:28.232640 IP 10.10.10.21.7946 > 192.168.80.201.7946: UDP, length 58
13:34:30.232590 IP 10.10.10.21.7946 > 192.168.80.201.7946: UDP, length 58

We have no manual NAT rules for these hosts - only automatic static NAT.

My question is why it differs between TCP and UDP (and how to fix it)?

Regards

Mirek

0 Kudos
4 Replies
_Val_
Admin

Please run fw monitor for both cases and re-post the results, thanks

0 Kudos
CheckMate-R77
Contributor

Thank you very much for your precious hint. It seems like hostA admin did something weird.

I think we may close this topic.

0 Kudos
G_W_Albrecht
Legend

This is not an SR# that is opened or closed; this is a post in a discussion. As you do not give any details, it does not help the community at all.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
_Val_
Admin

I agree with @G_W_Albrecht. It is better to explain your findings here, otherwise, what's the point?
