There is a Cisco 3620:
fa 1/0 faces another Cisco (a 3725, ip 10.1.2.1), from which users with addresses 10.1.3.x arrive
Serial1/0:0 faces the internet, where those users need to be let out via NAT. It all seems standard:
interface FastEthernet1/0
description To Local
ip address 10.1.2.2 255.255.255.252
ip nat inside
speed 10
half-duplex
!
interface Serial1/0:0
description To Inet
ip address 94.25.10.94 255.255.255.252
ip nat outside
no fair-queue
!
ip nat inside source route-map nat_to_rt2 interface Serial1/0:0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 94.25.10.93 100
ip route 10.1.3.0 255.255.255.0 10.1.2.1
no ip http server
!
access-list 100 permit ip 10.1.3.0 0.0.0.255 any log
access-list 100 deny ip any any log
no cdp run
route-map nat_to_rt2 permit 10
match ip address 100
But it doesn't work: from a user, 94.25.10.94 pings, but nothing beyond it, i.e. 94.25.10.93 is already unreachable.
The command
sh ip nat tr
shows an empty translation table. I tried this variant:
route-map nat_to_rt2 permit 10
match ip address 100
set ip default next-hop 94.25.10.93
Same result. :(
A bit of diagnostics:
c3620#sh access-lists
Extended IP access list 100
permit ip 10.1.3.0 0.0.0.255 any log
deny ip any any log (560 matches)
c3620#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 243 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 374 message lines logged
Log Buffer (4096 bytes):
*Mar 2 12:19:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 210.55.78.120(0), 1 packet
*Mar 2 12:21:52 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 2 12:21:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.145.89(0), 3 packets
*Mar 2 12:22:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.6.238(0), 3 packets
*Mar 2 12:23:19 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 200.87.106.34(0), 1 packet
*Mar 2 12:23:40 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 87.226.191.1(0), 1 packet
*Mar 2 12:24:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.136.153(0), 3 packets
*Mar 2 12:25:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 210.55.78.120(0), 4 packets
*Mar 2 12:26:34 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 2 12:26:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.145.89(0), 3 packets
*Mar 2 12:27:05 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 2 12:27:47 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 94.25.10.94 (0/0), 1 packet
*Mar 2 12:27:49 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 94.25.10.93 (0/0), 1 packet
*Mar 2 12:28:00 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 195.54.2.1 (0/0), 1 packet
*Mar 2 12:28:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 87.226.191.1(0), 35 packets
*Mar 2 12:28:58 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 85.113.253.126 (0/0), 1 packet
*Mar 2 12:29:34 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 2 12:30:42 CHE: %SEC-6-IPACCESSLOGP: list 100 denied udp 94.25.10.94(0) -> 87.226.191.5(0), 1 packet
*Mar 2 12:31:00 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.2.218(0), 1 packet
*Mar 2 12:31:01 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 2 12:31:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.145.89(0), 3 packets
*Mar 2 12:32:01 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 2 12:32:57 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 94.25.10.93 (0/0), 4 packets
*Mar 2 12:33:57 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 195.54.2.1 (0/0), 4 packets
*Mar 2 12:34:57 CHE: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 94.25.10.94 -> 85.113.253.126 (0/0), 1 packet
*Mar 2 12:35:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied udp 94.25.10.94(0) -> 87.226.191.5(0), 4 packets
*Mar 2 12:36:57 CHE: %SEC-6-IPACCESSLOGP: list 100 denied tcp 94.25.10.94(0) -> 94.25.145.89(0), 3 packets
*Mar 2 12:39:05 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
I've read several forum threads on this topic. Everything seems right, but... Tell me, what have I overlooked? Thanks in advance for any advice.
I tried adding one more rule to the ACL:
access-list 100 permit ip 10.1.3.0 0.0.0.255 any log
access-list 100 permit ip host 94.25.10.94 any log
access-list 100 deny ip any any log
Same result.
Diagnostics:
c3620#sh access-l
Extended IP access list 100
permit ip 10.1.3.0 0.0.0.255 any log
permit ip host 94.25.10.94 any log (14 matches)
deny ip any any log
c3620#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 657 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 788 message lines logged
Log Buffer (4096 bytes):
*Mar 2 23:10:17 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 94.25.10.94(0) -> 94.25.2.218(0), 1 packet
*Mar 2 23:11:15 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 94.25.10.94(0) -> 87.226.191.1(0), 2 packets
*Mar 2 23:11:28 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 94.25.10.94(0) -> 94.25.6.238(0), 1 packet
I tried something purely as a formality:
c3620(config)#no access-list 100
c3620(config)#access-list 100 permit ip any any log
with the same result:
c3620#sh access-list 100
Extended IP access list 100
permit ip any any log (2 matches)
c3620#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 843 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 974 message lines logged
Log Buffer (4096 bytes):
*Mar 3 06:26:59 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted udp 94.25.10.94(0) -> 87.226.191.5(0), 1 packet
*Mar 3 06:27:56 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 94.25.10.94(0) -> 218.60.133.115(0), 1 packet
The NAT translation table looks somewhat strange:
c3620#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
udp 94.25.10.94:123 94.25.10.94:123 87.226.191.5:123 87.226.191.5:123
tcp 94.25.10.94:39440 94.25.10.94:39440 218.60.133.115:7000 218.60.133.115:7000
So where am I being dumb? :(
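One way to check a table like the one above mechanically, as an added example that is not part of the thread: a Python parser for `show ip nat translations` output that flags rows whose inside-local address is the router's own outside address or lies outside the expected inside prefix. The policy values (inside prefix 10.1.3.0/24, outside interface 94.25.10.94) are taken from the poster's configuration; the sample table is the one posted above.

```python
"""Parse `show ip nat translations` output and flag rows an inside-source NAT
for a given inside prefix should never produce. Added example for this thread;
not code from the thread or from Cisco."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# `show ip nat translations` output as posted in the thread (sample input).
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local        Outside global
udp 94.25.10.94:123    94.25.10.94:123    87.226.191.5:123     87.226.191.5:123
tcp 94.25.10.94:39440  94.25.10.94:39440  218.60.133.115:7000  218.60.133.115:7000
"""

# From the poster's configuration: the only hosts that should be translated,
# and the address of the `ip nat outside` interface (Serial1/0:0).
INSIDE_PREFIX = "10.1.3.0/24"
OUTSIDE_IF_IP = "94.25.10.94"

# One address[:port] column; ICMP rows in IOS output may carry no port.
_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def split_endpoint(field: str) -> tuple[str, int | None]:
    """'94.25.10.94:123' -> ('94.25.10.94', 123); a bare address gets port None."""
    m = _ENDPOINT.match(field)
    if m is None:
        raise ValueError(f"unparsable NAT endpoint: {field!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) is not None else None)


def parse_nat_table(text: str) -> list[Translation]:
    """One Translation per data row; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        for f in fields[1:]:
            split_endpoint(f)  # validate every column before accepting the row
        entries.append(Translation(*fields))
    return entries


def audit_translations(entries, inside_prefix=INSIDE_PREFIX, outside_if_ip=OUTSIDE_IF_IP):
    """Return (translation, reason) pairs for rows that do not belong.

    - inside local == outside interface address: the router's own traffic matched
      the NAT ACL (a `permit ip any any` ACL does this), so the inside hosts are
      not what is reaching the NAT;
    - inside local outside the prefix: the ACL is wider than the policy;
    - inside global == inside local: the entry translates nothing.
    """
    net = ipaddress.ip_network(inside_prefix)
    findings = []
    for t in entries:
        il_ip, _ = split_endpoint(t.inside_local)
        ig_ip, _ = split_endpoint(t.inside_global)
        reasons = []
        if il_ip == outside_if_ip:
            reasons.append("router-originated traffic is being translated")
        elif ipaddress.ip_address(il_ip) not in net:
            reasons.append(f"inside local {il_ip} is outside {inside_prefix}")
        if ig_ip == il_ip:
            reasons.append("inside global equals inside local (no-op translation)")
        if reasons:
            findings.append((t, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for t, why in audit_translations(parse_nat_table(SAMPLE_NAT_TABLE)):
        print(f"{t.proto} {t.inside_local} -> {t.outside_global}: {why}")
```

Run against the table above, both rows are flagged: the only translations present are the router's own NTP and TCP sessions, so no 10.1.3.x packet is reaching the NAT at all.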
It seems you also need to specify an ip nat pool
Something like
ip nat pool Test 94.25.10.94 94.25.10.94 netmask 255.255.255.252
When I set up NAT on a Cisco I had no problems at all. I can post the config if you're interested.
Also, try simply
ip nat inside source 100 interface Serial1/0:0 overload
And stuff 10.1.2.2 255.255.255.252 into the access list too, just in case
And for checking you can enable this
ip nat log translations syslog
>Also, try simply
>ip nat inside source 100 interface Serial1/0:0 overload
>And stuff 10.1.2.2 255.255.255.252 into the access list too, just in case
>
>And for checking you can enable this
>ip nat log translations syslog
I made the access list a complete dummy:
access-list 100 permit ip any any log
the config came out like this:
interface FastEthernet1/0
description To Local
ip address 10.1.2.2 255.255.255.0
ip nat inside
speed 10
half-duplex
!
interface Serial1/0:0
description To Rostelecom
ip address 94.25.10.94 255.255.255.252
no ip proxy-arp
ip nat outside
no fair-queue
!
ip nat log translations syslog
ip nat pool Test 94.25.10.94 94.25.10.94 netmask 255.255.255.252
ip nat inside source list 100 pool Test overload
ip classless
ip route 0.0.0.0 0.0.0.0 94.25.10.93 100
ip route 10.1.3.0 255.255.255.0 10.1.2.1
no ip http server
!
access-list 100 permit ip any any log
And it still doesn't work :(
c3620#clear log
Clear logging buffer [confirm]y
c3620#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 940 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 1065 message lines logged
Log Buffer (4096 bytes):
*Mar 3 08:53:32 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 94.25.10.94(0) -> 94.25.136.153(0), 1 packet
*Mar 3 08:54:15 CHE: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 94.25.10.94(0) -> 125.76.244.39(0), 1 packet
*Mar 3 08:54:15 CHE: %IPNAT-6-NAT_CREATED: Created tcp 94.25.10.94:39440 94.25.10.94:39440 125.76.244.39:5810 125.76.244.39:5810
c3620#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
udp 94.25.10.94:123 94.25.10.94:123 87.226.191.5:123 87.226.191.5:123
tcp 94.25.10.94:135 94.25.10.94:135 94.25.136.153:26929 94.25.136.153:26929
tcp 94.25.10.94:135 94.25.10.94:135 94.25.2.218:3828 94.25.2.218:3828
tcp 94.25.10.94:39440 94.25.10.94:39440 125.76.244.39:5810 125.76.244.39:5810
tcp 94.25.10.94:135 94.25.10.94:135 94.21.37.213:3727 94.21.37.213:3727
tcp 94.25.10.94:445 94.25.10.94:445 189.3.167.100:3908 189.3.167.100:3908
tcp 94.25.10.94:135 94.25.10.94:135 94.25.136.153:59313 94.25.136.153:59313
Could we take a look at the 3725's config? ;)
>Could we take a look at the 3725's config? ;)
Sure. Here it is below.
Briefly: the 3725 terminates clients' PPTP sessions, hands them addresses of the form 10.1.3.xxx and sends them to the 3620 (10.1.2.2) via the interface:
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.252
duplex auto
speed auto
The rest is also PPTP session termination, handing out:
- either real addresses for internet access via Loopback1 or FastEthernet0/0
- or addresses of the form 10.1.1.xxx for internet access via NAT on this same 3725.
And a bit of dial-up. :)
The config itself:
Current configuration : 7268 bytes
!
! Last configuration change at 20:07:45 CHE Thu Dec 11 2008 by andrei
! NVRAM config last updated at 20:08:37 CHE Thu Dec 11 2008 by andrei
!
version 12.4
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
service compress-config
no service dhcp
!
hostname C3725
!
boot-start-marker
boot system flash:c3725-advipservicesk9-mz.124-17.bin
boot-end-marker
!
logging buffered 16384 debugging
no logging console
!
aaa new-model
!
!
aaa group server radius rad_pptp
server-private 87.226.191.5 auth-port 1812 acct-port 1813 key 7 ххххххх
ip radius source-interface FastEthernet0/0
!
aaa group server radius rad_dialup
server-private 87.226.191.5 auth-port 1812 acct-port 1813 key 7 ххххххх
ip radius source-interface FastEthernet0/0
!
aaa authentication banner ^C^C
aaa authentication login default local
aaa authentication ppp PPTP group rad_pptp
aaa authentication ppp DIALUP group rad_dialup
aaa authorization exec default local
aaa authorization network PPTP group rad_pptp
aaa authorization network DIALUP group rad_dialup
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network PPTP start-stop group rad_pptp
aaa accounting network DIALUP start-stop group rad_dialup
!
aaa session-id common
memory-size iomem 25
clock timezone CHE 5
clock summer-time CHE recurring last Sun Mar 2:00 last Sun Oct 3:00
modem call-record terse
modem country mica russia
no ip subnet-zero
ip cef
!
!
!
!
ip name-server 87.226.191.1
virtual-profile if-needed
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
isdn switch-type primary-net5
!
modemcap entry mica-v90v2:MSC=&F&D2S10=100S32=3S39=10S40=0S52=0
modemcap entry mica-NO56FLEX:MSC=&F&D2S10=50S39=15S52=0
modemcap entry mica-V90:MSC=&F&D2S0=3S10=100S16=200S17=200S19=100S32=3S34=15000S39=4S40=12S54=172
modemcap entry mica-V34:MSC=&F&D2S29=1:TPL=MSC\:&F1
modemcap entry mica-1:MSC=&F&D2S34=18000S40=100S53=0S54=456S10=50debugthismodemS71=4
modemcap entry mica-V90v3:MSC=&F&D2S0=0S20=64S34=8000S35=500S40=100S32=3S53=0S39=0S59=0
modemcap entry line
!
!
!
!
!
!
!
!
!
!
!
!
!
username al password 7 ххх
username andrei privilege 15 password 7 ххх
!
!
controller E1 1/0
framing NO-CRC4
pri-group timeslots 1-31
description "To ACK UNIT"
!
!
class-map match-all unlimited_to_rt_day
match access-group name unlimited_to_rt_day
class-map match-all unlimited_to_rt_night
match access-group name unlimited_to_rt_night
class-map match-all unlimited_128K_to_rt
match access-group name unlimited_128K_to_rt
!
!
policy-map inet
class unlimited_to_rt_day
police 1024000 192000 384000 conform-action transmit exceed-action drop
class unlimited_to_rt_night
police 1945500 364800 729600 conform-action transmit exceed-action drop
class unlimited_128K_to_rt
police 128000 24000 48000 conform-action transmit exceed-action drop
!
!
no crypto isakmp enable
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
ip address 212.57.158.17 255.255.255.0
ip route-cache same-interface
!
interface FastEthernet0/0
bandwidth 4096
ip address 87.226.191.6 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
max-reserved-bandwidth 100
service-policy input inet
hold-queue 4096 in
hold-queue 4096 out
!
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.252
duplex auto
speed auto
!
interface Serial1/0:15
no ip address
encapsulation hdlc
isdn switch-type primary-net5
isdn incoming-voice modem 64
isdn calling-number 52277
no cdp enable
!
interface Virtual-Template1
description PPTP VPN template interface
ip unnumbered Loopback1
no ip redirects
no ip proxy-arp
ip policy route-map to_rt2
no logging event link-status
autodetect encapsulation ppp
peer default ip address pool to_rtk
ppp authentication pap chap callin PPTP
ppp authorization PPTP
ppp accounting PPTP
ppp ipcp dns 87.226.191.1
!
interface Group-Async0
ip unnumbered FastEthernet0/0
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
encapsulation ppp
no logging event link-status
autodetect encapsulation ppp
async mode interactive
peer default ip address pool to_rtk
ppp authentication pap chap callin DIALUP
ppp authorization DIALUP
ppp accounting DIALUP
group-range 65 94
!
ip local pool for_nat 10.1.1.2 10.1.1.254
ip local pool to_usi 212.57.158.18 212.57.158.30 group to_usi
ip local pool to_usi 212.57.158.41 212.57.158.54 group to_usi
ip local pool to_rtk 87.226.191.38 87.226.191.62
ip local pool 128K_to_rtk 87.226.191.33 87.226.191.37
ip local pool nat_to_rt2 10.1.3.10 10.1.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.226.191.5 100
!
!
no ip http server
no ip http secure-server
ip nat translation max-entries 60000
ip nat translation max-entries all-host 300
ip nat inside source route-map nonat1 interface FastEthernet0/0 overload
!
ip access-list extended unlimited_128K_to_rt
permit ip any host 87.226.191.33
permit ip any host 87.226.191.34
permit ip any host 87.226.191.35
permit ip any host 87.226.191.36
permit ip any host 87.226.191.37
deny ip any any
ip access-list extended unlimited_to_rt_day
permit ip any host 87.226.191.6 time-range unlim_day
deny ip any any
ip access-list extended unlimited_to_rt_night
permit ip any host 87.226.191.6 time-range unlim_night
deny ip any any
!
logging history size 500
logging history debugging
logging source-interface FastEthernet0/0
logging 87.226.191.5
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 10 permit 87.226.191.5
access-list 10 permit 212.57.158.1
access-list 10 deny any
access-list 99 permit 87.226.191.0 0.0.0.255
access-list 99 permit 212.57.158.0 0.0.0.255
access-list 99 deny any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny ip any any
snmp-server community public RO 10
snmp-server enable traps tty
no cdp run
!
route-map nonat1 permit 10
match ip address 100
!
route-map to_rt2 permit 10
match ip address 1
set ip next-hop 10.1.2.2
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
WARNING: 1. Access to this device or the attached networks
is prohibited without express written permission.
2. Any unauthorized use of the system is unlawful,
and may be subject to civil or criminal penalties.
3. Any use of the system may be logged or monitored
without further notice, and the resulting logs
may be used as evidence in court.
^C
!
line con 0
exec-timeout 0 0
line 65 94
no flush-at-activation
modem Dialin
modem autoconfigure type mica-1
exec-character-bits 8
special-character-bits 8
transport preferred none
transport input all
autoselect during-login
autoselect ppp
no ip tcp input-coalesce-threshold
line aux 0
line vty 0 4
access-class 99 in
exec-timeout 0 0
!
ntp clock-period 17180717
ntp server 87.226.191.5
time-range unlim_day
periodic weekdays 8:00 to 18:30
!
time-range unlim_night
periodic weekdays 0:01 to 8:00
periodic weekend 0:01 to 23:59
periodic weekdays 18:30 to 23:59
!
!
end
>Also, try simply
>ip nat inside source 100 interface Serial1/0:0 overload
>And stuff 10.1.2.2 255.255.255.252 into the access list too, just in case
>
>And for checking you can enable this
>ip nat log translations syslog
Did all of that. Result: the same :(
c3620#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c3620(config)#ip nat log translations syslog
c3620(config)#^Z
c3620#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 1324 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 1401 message lines logged
Log Buffer (4096 bytes):
*Mar 3 21:52:03 CHE: NAT: expiring 94.25.10.94 (94.25.10.94)
*Mar 3 21:52:09 CHE: %SYS-5-CONFIG_I: Configured from console by andrei on vty0 (10.1.2.1)
*Mar 3 21:52:20 CHE: %IPNAT-6-NAT_CREATED: Created ? 94.25.10.94:0 94.25.10.94:0 0.0.0.0:0 0.0.0.0:0
Also, if possible, try connecting directly to the FastEthernet1/0 port with address 10.1.2.1
I set mine up like this:
Cisco 7206
True, here it's with a VRF, but that's not the point.
ip vrf Test
rd xxxx:8
route-target export xxxx:8
route-target import xxxx:8
interface FastEthernet0/0.3
description Client 3
encapsulation dot1Q 3
ip vrf forwarding Test
ip address 3.3.3.1 255.255.255.252
ip nat inside
no snmp trap link-status
interface FastEthernet0/0.1017
description Uplink
encapsulation dot1Q 1017
ip address 333.114.179.179 255.255.255.248
ip nat outside
no snmp trap link-status
ip nat log translations syslog
ip nat pool Test 111.222.333.9 111.222.333.9 netmask 255.255.255.252
ip nat inside source list 8 pool Test vrf Test overload
ip route 0.0.0.0 0.0.0.0 333.114.179.177
ip route 111.222.333.8 255.255.255.248 Null0 100
ip route vrf Test 0.0.0.0 0.0.0.0 FastEthernet0/0.1017 333.114.179.177
access-list 8 permit 3.3.3.0 0.0.0.3
The working variant came out like this:
(for some reason it didn't work without ACL 110)
interface FastEthernet1/0
description To Local
ip address 10.1.2.2 255.255.255.252
ip nat inside
speed 10
half-duplex
!
interface Serial1/0:0
description To Rostelecom
ip address 94.25.10.94 255.255.255.252
ip access-group 110 out
no ip proxy-arp
ip nat outside
no fair-queue
!
ip nat log translations syslog
ip nat translation max-entries 60000
ip nat pool to_rt2 94.25.10.94 94.25.10.94 netmask 255.255.255.252
ip nat inside source list 100 pool to_rt2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 94.25.10.93 100
ip route 10.1.3.0 255.255.255.0 10.1.2.1
no ip http server
!
access-list 100 permit ip 10.1.3.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 110 deny ip 10.1.3.0 0.0.0.255 any
access-list 110 permit ip any any
Another headache:
starting at some point the CPU load begins to climb and free processor memory to shrink. I can see the Cisco starting to "sag", traffic passes with difficulty.
c3620#sh proc cpu s | e 0.0
CPU utilization for five seconds: 99%/20%; one minute: 97%; five minutes: 80%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
33 24658672 2666750 9246 77.27% 67.83% 54.75% 0 IP Input
105 967236 2102566 460 2.33% 6.60% 5.09% 0 IP NAT Ager
I did
clear ip nat tr *
and got
c3620#sh proc cpu s | e 0.00
CPU utilization for five seconds: 15%/9%; one minute: 16%; five minutes: 16%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
33 24939828 2738169 9108 5.98% 5.94% 6.29% 0 IP Input
105 988196 2155644 458 0.24% 0.23% 0.43% 0 IP NAT Ager
c3620#sh ip nat stat
Total active translations: 1676 (0 static, 1676 dynamic; 1675 extended)
Outside interfaces:
Serial1/0:0
Inside interfaces:
FastEthernet1/0
Hits: 30863206 Misses: 1044654
Expired translations: 995813
Dynamic mappings:
-- Inside Source
[Id: 10] access-list 100 interface Serial1/0:0 refcount 1676
c3620#sh mem
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 620369C0 16553536 5947692 10605844 6819036 6746252
I/O 3000000 16777216 1767064 15010152 14933040 14914428
Memory, as you can see, isn't much. What NAT translation table size is it sensible to limit to? Currently:
ip nat translation max-entries 60000
Considering http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=5
Theoretically, there is no limit on the number of mappings that the NAT table can hold. Practically, memory and CPU or the boundaries of the available addresses or ports place a limit on the number of entries. Each NAT mapping uses approximately 160 bytes of memory. In the rare case where the entries must be limited either for performance or policy reasons, you can use the ip nat translation max-entries command.
That comes to 60 thousand entries at 160 bytes each, i.e. 9.6 MB of memory. Or is that a lot?
Or does something else affect such a rise in CPU load?
IOS - c3620-ik8o3s-mz.122-13.bin
Traffic is only 2 Mbit/s in total.
So you've limited the count; now try limiting the translation lifetime as well, to 45 min for example, and then see what you get.
PS: the default translation time is 24 hours; presumably that's what fills up the table.
Good luck.
>So you've limited the count; now try limiting the translation lifetime as well, to
>45 min for example, and then see what you get.
I set 1 hour to begin with.
ip nat tr timeout 3600
Like this?
I.e. after an hour, inactive rows will be purged from the translation table automatically? How will that affect the users sitting behind the NAT?
It won't affect them at all.
Here are the default translation times,
Defaults
timeout: 86,400 seconds (24 hours)
udp-timeout: 300 seconds (5 minutes)
dns-timeout: 60 seconds (1 minute)
tcp-timeout: 86,400 seconds (24 hours)
finrst-timeout: 60 seconds (1 minute)
icmp-timeout: 60 seconds (1 minute)
pptp-timeout: 86,400 seconds (24 hours)
syn-timeout: 60 seconds (1 minute)
>Here are the default translation times,
I know the default values. :)
In general, as far as I understand, I need to play with two parameters:
ip nat translation timeout 900
ip nat translation max-entries 25000
Now, at a traffic rate of 124.4 Kbytes/sec:
c3620#sh ip nat st
Total active translations: 20471 (0 static, 20471 dynamic; 20470 extended)
Outside interfaces:
Serial1/0:0
Inside interfaces:
FastEthernet1/0
Hits: 41647408 Misses: 1421079
Expired translations: 1353102
Dynamic mappings:
-- Inside Source
[Id: 10] access-list 100 interface Serial1/0:0 refcount 20471
c3620#sh proc cpu s | e 0.00
CPU utilization for five seconds: 61%/10%; one minute: 67%; five minutes: 66%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
33 35148660 3684487 9539 50.90% 55.13% 53.91% 0 IP Input
105 1271252 2886453 440 0.62% 0.41% 0.46% 0 IP NAT Ager
3 24936 3297 7563 0.23% 0.02% 0.10% 66 Virtual Exec
Seems a bit much to me...
>>Here are the default translation times,
>
>I know the default values. :)
>In general, as far as I understand, I need to play with two parameters:
>
>ip nat translation timeout 900
>ip nat translation max-entries 25000
After 2 hours:
c3620#sh proc cpu s | e 0.00
CPU utilization for five seconds: 99%/9%; one minute: 99%; five minutes: 98%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
33 36731948 3697691 9933 87.08% 88.93% 87.99% 0 IP Input
105 1291764 2896761 445 0.92% 0.80% 0.89% 0 IP NAT Ager
52 88436 7216 12255 0.85% 0.10% 0.06% 0 IP Cache Ager
5 287120 47059 6101 0.42% 0.10% 0.06% 0 Check heaps
The Cisco is practically down. :(
Only clear ip nat tr * saved it :(
The config is this:
Current configuration : 2705 bytes
!
version 12.2
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
service compress-config
no service dhcp
!
hostname "c3620"
!
boot system flash:c3620-ik8o3s-mz.122-13.bin
logging buffered 4096 debugging
no logging console
aaa new-model
aaa authentication banner ^C^C
aaa authentication login default local-case
aaa authorization exec default local
!
username andrei privilege 15 password 7 ххх
username al password 7 ххх
memory-size iomem 25
clock timezone CHE 5
clock summer-time CHE recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip name-server 87.226.191.1
!
ip audit notify log
ip audit po max-events 100
!
isdn switch-type primary-net5
call rsvp-sync
!
!
!
!
!
!
controller E1 1/0
framing NO-CRC4
channel-group 0 timeslots 1-31
description To Rostelecom
!
controller E1 1/1
shutdown
!
!
!
interface FastEthernet1/0
description To Local
ip address 10.1.2.2 255.255.255.252
ip nat inside
speed 10
half-duplex
hold-queue 4096 in
hold-queue 4096 out
!
interface Serial1/0:0
description To Rostelecom
ip address 94.25.10.94 255.255.255.252
ip access-group 110 out
ip verify unicast reverse-path
no ip proxy-arp
ip nat outside
no fair-queue
hold-queue 4096 in
hold-queue 4096 out
!
ip nat translation timeout 600
ip nat translation max-entries 15000
ip nat inside source list 100 interface Serial1/0:0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 94.25.10.93 100
ip route 10.1.3.0 255.255.255.0 10.1.2.1
no ip http server
!
access-list 10 remark ACL for SNMP
access-list 10 permit 87.226.191.1
access-list 10 deny any
access-list 100 permit ip 10.1.3.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 110 deny ip 10.1.3.0 0.0.0.255 any
access-list 110 permit ip any any
no cdp run
snmp-server community public RO 10
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C
****************************************************************
ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY
DISCONNECT IMMEDIATELY IF YOU ARE NOT
- This is a privately owned networking system. Access is
only authorized by employees or agents of the company.
- This system is equipped with a security system intended
to prevent and record all unauthorized access attempts.
- Unauthorized access or use shall render the user liable
to criminal and/or civil prosecution.
****************************************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
!
ntp clock-period 17180056
ntp server 87.226.191.5
end
Where else should I dig?
>ip nat translation timeout 600
>ip nat translation max-entries 15000
It's probably more logical to reduce the timeout so that the Cisco purges the table faster on its own? Or the other way round: will frequent purging of the table eat more CPU than processing and lookups in a large NAT table?