Tag Archives: NAT

Windows Server 2008 / IIS 7.5: client source port logging

Many of the countermeasures ISPs deploy against IPv4 exhaustion (DS-Lite, NAT64, NAT44, CGN) mean that the old IP-address/timestamp pair is no longer enough to uniquely identify an end user on the Internet. Even with full logging of activities and sessions, an ISP can't trace a specific user unless the source TCP/UDP port is known as well. So content providers, large or small, need to enable client source port logging: it doesn't matter whether they run an enormous e-commerce website or a small blog like this one; if they want to give Law Enforcement Agencies (LEAs) a set of information capable of uniquely tracing a user, they need client source port logging.

Many software products have simple built-in configuration commands to accomplish this; here I describe how to enable the feature on Microsoft Windows Server 2008 R2 / IIS 7.5.

Advanced Logging IIS extension

The IIS built-in logging module doesn't allow client source port logging, so an extension is needed: Advanced Logging. Once it is installed a new icon appears in the IIS Management Console:

IIS Advanced Logging icon

Enable client port logging

Configuration can be done at any level: global, web site, directory. Open the Advanced Logging icon, then, in the Actions pane, click Enable Advanced Logging. Once the feature is enabled you just need to add the client port to the list of logged fields: again from the Actions pane click Edit Logging Fields, then the Add Field button, and use the following data:

Field ID: Client-IP
Source type: Server variables
Source name: REMOTE_PORT

Hit the OK button a couple of times and go back to the main window, where you find the default log definition named %COMPUTERNAME%-Server; double-click it to open its details, then select your logging preferences, being careful to add the Client-IP field ID to the list of selected fields (in the Selected Fields section click the Select Fields button and check it).

After some activity on your web site you can check the log content by clicking View log files in the Actions pane; the client port will be there somewhere, depending on the field order in the log definition's Selected Fields list.
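As an added example (not code from the original post), the following Node.js script parses a W3C extended format log of the kind IIS writes and reports which request lines lack a usable source port, i.e. the lines for which the IP/timestamp pair alone could not identify a subscriber behind CGN. It assumes the custom field is recorded in the #Fields: directive under the Field ID chosen above (Client-IP), that values are single-space separated, and that IIS writes "-" for an empty value; the sample log lines are constructed.

```javascript
// Added example, not code from the original post: check that an IIS
// W3C extended format log carries a client source port on every line.
// The log below is constructed; "Client-IP" is the Field ID the post
// assigns to the REMOTE_PORT server variable, and IIS writes "-" for
// an empty field value.
const SAMPLE_LOG = [
  '#Software: Microsoft Internet Information Services 7.5',
  '#Version: 1.0',
  '#Date: 2012-03-01 00:00:00',
  '#Fields: date time c-ip Client-IP cs-method cs-uri-stem sc-status',
  '2012-03-01 10:15:02 203.0.113.5 51234 GET /index.html 200',
  '2012-03-01 10:15:03 203.0.113.5 51235 GET /style.css 200',
  '2012-03-01 10:15:09 198.51.100.7 - GET /login 302',
  '2012-03-01 10:15:10 198.51.100.7 70000 POST /login 200'
].join('\n');

// Parse W3C extended log text into [{ lineNo, fields }]. The field list
// comes from the most recent "#Fields:" directive, which may be repeated
// inside one file when the selected fields change.
function parseW3cLog(text) {
  const records = [];
  let fieldNames = null;
  text.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    if (line.trim() === '') return;
    if (line.charAt(0) === '#') {
      const m = /^#Fields:\s*(.+)$/.exec(line);
      if (m) fieldNames = m[1].trim().split(/\s+/);
      return;
    }
    if (fieldNames === null) {
      throw new Error('line ' + lineNo + ': data before any #Fields directive');
    }
    // W3C values are separated by single spaces; IIS encodes embedded spaces as "+".
    const values = line.split(' ');
    if (values.length !== fieldNames.length) {
      throw new Error('line ' + lineNo + ': expected ' + fieldNames.length +
                      ' fields, found ' + values.length);
    }
    const fields = {};
    fieldNames.forEach((name, i) => { fields[name] = values[i]; });
    records.push({ lineNo, fields });
  });
  return records;
}

// A usable TCP/UDP source port is an integer in 1..65535; "-" or out-of-range
// values (which would point at a misconfigured field) are rejected.
function isValidPort(value) {
  if (typeof value !== 'string' || !/^\d{1,5}$/.test(value)) return false;
  const n = Number(value);
  return n >= 1 && n <= 65535;
}

// Summarise how many request lines carry a valid port in `portField`.
function checkSourcePortCoverage(records, portField) {
  const missing = records
    .filter((r) => !isValidPort(r.fields[portField]))
    .map((r) => r.lineNo);
  return { total: records.length, withPort: records.length - missing.length, missing };
}

// The tuple an ISP needs to resolve a CGN subscriber: when (date, time),
// public address (c-ip) and source port. Null when the port is unusable.
function traceTuple(record, portField) {
  const f = record.fields;
  if (!isValidPort(f[portField])) return null;
  return { date: f.date, time: f.time, ip: f['c-ip'], port: Number(f[portField]) };
}

const report = checkSourcePortCoverage(parseW3cLog(SAMPLE_LOG), 'Client-IP');
console.log(JSON.stringify(report));
```

Run it over a real log file by replacing SAMPLE_LOG with the file contents; a non-empty `missing` list after enabling Advanced Logging usually means the Client-IP field was added to the field list but not checked in the log definition's Selected Fields.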

sudppipe: a simple UDP proxy / port forwarder

I spent a long time on Google looking for a simple Windows utility that would let me take UDP packets on a host and forward them to another, and back. What to call it? A proxy? A port forwarder? Not a tunnel... A datapipe? A NAT or NAPT software? Well, yes, I'm listing here all the keywords I used to search for it!

Something like this:

CLIENT -> HOST_A (proxy) -> HOST_B (real server)

Finally I found sudppipe, by Luigi Auriemma, and I want to share it, in the hope that this post raises its visibility and lowers others' search time.

Here is the author’s description:

advanced UDP proxy/datapipe/packets forwarder and modifier with multiple functions.
a datapipe is like a minimalistic proxy which acts as a bridge for connecting to a specific host, so the input connection can be any UDP client while the output is ever the same IP:port (clients->stcppipe->target).
it supports multiple clients allowed, creation of tcpdump capture files (like a sniffer), packets forwarding (chat style, each packet is forwarded to all the other clients and server connected), packets injection (the tool opens a specific UDP port to which is possible to send the customized packets that will be sent to the server), support for multiple target hosts plus some interesting options for controlling the outgoing sockets, hexadecimal visualization and plugins support for the modification and visualization of the packets (supports also the mysendto and myrecvfrom functions of the plugins of Proxocket).
in the package there are also some example plugins: Zdaemon huffman, Doom huffman, Half-life decoding and one for the replacement of the text strings.
the plugins (which work on both Windows and Linux) are very basic to create and use, just take a look at example_sudp.c for more information.

Thanks Luigi! 😉

Cisco “clear ip nat translation” helper tool

Have you ever had to clear some specific NAT translations without dropping them all? You have to enter a long and annoying command like this one, many times over:

clear ip nat translation udp inside 1.2.3.4 7021 192.168.0.112 7021 outside 5.6.7.8 5060 5.6.7.8 5060

And you know, you have to do it many times, once for every NAT entry you have to clear... and those entries are all there, within a single command output:

#show ip nat translations | inc 192.168.0.112
udp 1.2.3.4:7021     192.168.0.112:7021    5.6.7.8:5060    5.6.7.8:5060
udp 1.2.3.4:7022     192.168.0.112:7022    5.6.7.8:5060    5.6.7.8:5060

Well, I got bored once too often, so I built a little tool: you just copy the show ip nat translations entries you have to clear, paste them into this tool, and it builds the clear ip nat translation statements for you, ready to be pasted into your telnet/ssh client.

It's an HTML page with a simple piece of JavaScript; you can find it online, or here is the source code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
	"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Cisco "clear ip nat translation" helper</title>
<style type="text/css">
	body,td,th { color:black;font-family:Verdana; font-size: 8pt }
	input, textarea { color:black;font-family:Verdana; font-size: 8pt }
</style>

<script type="text/javascript">
	// Turn every pasted "show ip nat translations" line into the matching
	// "clear ip nat translation" command.
	function Do()
	{
		var sEntries = document.forms['frmMain'].entries.value;
		var sVRF = document.forms['frmMain'].vrf.value;

		// $1 = protocol; $2:$3 = inside global, $4:$5 = inside local,
		// $6:$7 = outside local, $8:$9 = outside global
		var sReplace;
		if ( sVRF == '' )
			sReplace = "clear ip nat translation $1 inside $2 $3 $4 $5 outside $6 $7 $8 $9";
		else
			sReplace = "clear ip nat translation vrf " + sVRF + " $1 inside $2 $3 $4 $5 outside $6 $7 $8 $9";

		// One entry per line: "<tcp|udp> <ip>:<port> <ip>:<port> <ip>:<port> <ip>:<port>".
		// Lines that don't match (e.g. the column header) are copied unchanged.
		sEntries = sEntries.replace(/^(tcp|udp)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)/gm, sReplace);

		document.forms['frmMain'].result.value = sEntries;
	}
</script>

</head>

<body>

<form id=frmMain name=frmMain style="MARGIN:0px" action="#">
<table>
 <tr>
  <td colspan=2><b>Entries to clear</b></td>
 </tr>
 <tr>
  <td colspan=2>

Paste here the <b>show ip nat translations</b> entries you want to clear:

  </td>
 </tr>
 <tr>
  <td colspan=2><textarea wrap=off style="white-space:pre; overflow-x: scroll; overflow-y: scroll" name=entries id=entries cols=100 rows=10></textarea></td>
 </tr>

 <tr>
  <td colspan=2><br></td>
 </tr>

 <tr>
  <td colspan=2><b>VRF aware?</b></td>
 </tr>
 <tr>
  <td colspan=2>

If these entries are part of a vrf, write here the vrf name, otherwise leave this box empty:

  </td>
 </tr>
 <tr>
  <td><b>VRF name:</b></td>
  <td><input type=text name=vrf id=vrf size=15 value=""></td>
 </tr>

 <tr>
  <td colspan=2><br></td>
 </tr>

 <tr>
  <td colspan=2><b>Results</b></td>
 </tr>
 <tr>
  <td colspan=2><textarea wrap=off style="white-space:pre; overflow-x: scroll; overflow-y: scroll; WIDTH:99%" readonly name=result id=result cols=100 rows=10></textarea></td>
 </tr>

 <tr>
  <td colspan=2><br></td>
 </tr>

 <tr>
  <td colspan=2 align=center><input type=button onclick="Do()" value="  Build clear ip nat translation statements  "></td>
 </tr>

</table>
</form>

<br>

by Pier Carlo Chiodi - AKA Pierky<br>
<br>
Blog: <a href="http://blog.pierky.com" target="_blank">http://blog.pierky.com</a><br>
Contact me: <a href="http://piercarlochiodi.tel" target="_blank">http://piercarlochiodi.tel</a><br>

</body>
</html>