Приветствую честной народ.Помогите распутаться с проблемой. Есть проблема с трансляцией следующего толка:
Нужно чтобы из внешнего мира по этому адресу "ISP1.AAA.AAA.AA2" виделась машинка
172.16.1.29. Проблема в том что помимо трансляции inside local-inside global нужно еще транслировать outside src адрес, ибо в сети 172.16.1.0 есть свой аплинк с дефолт гейтом на него. Поэтому нужно замаскарадить такие пакеты адресом с интерфейса G0/1.
Вроде все сделал как полагается, но хотя акцесс лист 101 ловит матчи, outside source трансляции не происходит.
вот что говорит "show access-list 101"
------------
Extended IP access list 101
10 permit ip any host ISP1.AAA.AAA.AA2 (44 matches)
-------------
при этом вот выдержка из "show ip nat stat"
------------------
-- Outside Source
[Id: 5] access-list 101 interface GigabitEthernet0/1 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
----------------
Поможите, а то я уже окончательно не понимаю почему не срабатывает трансляция
ip nat outside source list 101 interface GigabitEthernet0/1
Конфиг прилагаю:
-------------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2851
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxx
enable password xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
!
aaa session-id common
!
!
ip cef
!
!
no ip domain lookup
ip domain name xxxxxxxxx.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-server 10.0.0.2
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 1024
ip pmtu
ip mtu adjust
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root privilege 15 password xxxxxxxxx
archive
log config
hidekeys
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
description LAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map GEN-POLICY
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description LAN_TO_LAN2
ip address 172.16.1.2 255.255.255.224
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1/0
description UPLINK-ISP1
ip address ISP1.AAA.AAA.AA0 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
description UPLINK-ISP2
ip address ISP2.BBB.BBB.BB0 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
autodetect encapsulation ppp
peer default ip address dhcp
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap-v2 callin
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ISP1.AAA.AAA.AA9 10
ip route 0.0.0.0 0.0.0.0 ISP2.BBB.BBB.BB9 50
ip route 192.168.193.0 255.255.255.0 10.0.0.254
ip route 192.168.200.0 255.255.255.0 10.0.0.254
ip route 192.168.212.0 255.255.255.0 172.16.1.1
!
!
no ip http server
no ip http secure-server
ip nat pool MAIL1-POOL ISP1.AAA.AAA.AA1 ISP1.AAA.AAA.AA1 prefix-length 24
ip nat pool FTP1-POOL ISP1.AAA.AAA.AA2 ISP1.AAA.AAA.AA2 prefix-length 24
ip nat inside source route-map ISP1-NAT interface FastEthernet0/1/0 overload
ip nat inside source route-map FTP1-NAT pool FTP1-POOL overload
ip nat inside source route-map MAIL1-NAT pool MAIL1-POOL overload
ip nat inside source route-map ISP2-NAT interface FastEthernet0/3/0 overload
ip nat inside source static tcp 10.0.0.10 20 ISP1.AAA.AAA.AA1 20 extendable
ip nat inside source static tcp 10.0.0.10 21 ISP1.AAA.AAA.AA1 21 extendable
ip nat inside source static tcp 10.0.0.2 25 ISP1.AAA.AAA.AA1 25 extendable
ip nat inside source static tcp 10.0.0.7 443 ISP1.AAA.AAA.AA1 443 extendable
ip nat inside source static 172.16.1.29 ISP1.AAA.AAA.AA2
ip nat inside source static tcp 10.0.0.10 20 ISP2.BBB.BBB.BB0 20 extendable
ip nat inside source static tcp 10.0.0.10 21 ISP2.BBB.BBB.BB0 21 extendable
ip nat inside source static tcp 10.0.0.2 25 ISP2.BBB.BBB.BB0 25 extendable
ip nat inside source static tcp 10.0.0.7 443 ISP2.BBB.BBB.BB0 443 extendable
ip nat outside source list 101 interface GigabitEthernet0/1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 172.16.1.29
access-list 101 permit ip any host ISP1.AAA.AAA.AA2
access-list 102 permit tcp any host ZZZ.ZZZ.ZZZ.ZZZ eq 22
access-list 103 permit tcp host 10.0.0.2 any eq smtp
access-list 104 permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
!
!
route-map FTP1-NAT permit 10
match ip address 2
match interface FastEthernet0/1/0
!
route-map MAIL1-NAT permit 10
match ip address 103
match interface FastEthernet0/1/0
!
route-map GEN-POLICY permit 5
match ip address 102
set ip next-hop ISP2.BBB.BBB.GW
!
route-map ISP2-NAT permit 10
match ip address 1
match interface FastEthernet0/3/0
!
route-map ISP1-NAT deny 5
match ip address 102
!
route-map ISP1-NAT deny 6
match ip address 103
!
route-map ISP1-NAT deny 7
match ip address 104
!
route-map ISP1-NAT permit 10
match ip address 1
match interface FastEthernet0/1/0
!
!
!
radius-server configure-nas
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646
radius-server key xxxxxxx
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxx
transport input ssh
!
scheduler allocate 20000 1000
!
end
Версия для распечатки
Непонятки с nat outside source трансляцией., 
zugunder, 29-Фев-08, 00:28 [смотреть все]
