
Cisco ASR 1002 as a BRAS with PPPoE and NAT

Hi all.

Forum members, please help me with the NAT configuration for PPPoE sessions.

For a test I made some settings, but translation does not work:

Here is a piece of the config:


ip dhcp pool Smart_ST_NAT
 network 15.16.44.0 255.255.255.0
 dns-server xx.xx.xx.xx
...
! PPPoE requests arrive on this VLAN
interface TenGigabitEthernet0/1/0.844
 description test router bras
 encapsulation dot1Q 844
 ip nat inside
 pppoe enable group smart-test
 pppoe max-sessions 1000
...
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 ip access-group 191 in
 ip nat outside
 peer default ip address dhcp-pool Smart_ST
 ppp authentication chap ms-chap ms-chap-v2
 ppp ipcp dns xx.xx.xx.xx
...
! yy.yy.yy.0 - yy.yy.yy.255 is the range of public IPs
ip nat pool Smart_ST_NAT_OUT yy.yy.yy.0 yy.yy.yy.255 prefix-length 24
ip nat inside source list 100 pool Smart_ST_NAT_OUT overload
ip forward-protocol nd
...
access-list 100 permit ip 15.16.44.0 0.0.0.255 any

 

 


interface TenGigabitEthernet0/1/0.844 - nat inside is not needed here....

interface Virtual-Template1 - here you need nat inside, not outside


13 minutes ago, StSphinx said:

interface TenGigabitEthernet0/1/0.844 - nat inside is not needed here....

interface Virtual-Template1 - here you need nat inside, not outside

Thanks.

And where do I put outside?


Just now, Phantom Lord said:

Thanks.

And where do I put outside?

Where you have the public IP into which you will translate the private IPs.


1 minute ago, StSphinx said:

Where you have the public IP into which you will translate the private IPs.

I have 2 Cisco ASR 1002s.

The first one runs BGP; the second one (where we are testing NAT) has a default route to the first.


1 minute ago, Phantom Lord said:

I have 2 Cisco ASR 1002s.

The first one runs BGP; the second one (where we are testing NAT) has a default route to the first.

What does any of this have to do with the NAT translation settings?


1 minute ago, Phantom Lord said:

Regarding outside

On the box where you configure the NAT translations there must be an interface with a public IP.

If your NAT is going to be on another box, configure it there. Honestly, you have things a bit muddled, sorry.


1 hour ago, StSphinx said:

On the box where you configure the NAT translations there must be an interface with a public IP.

If your NAT is going to be on another box, configure it there. Honestly, you have things a bit muddled, sorry.

Thank you. Everything works now.


19 hours ago, StSphinx said:

On the box where you configure the NAT translations there must be an interface with a public IP.

If your NAT is going to be on another box, configure it there. Honestly, you have things a bit muddled, sorry.

Not necessarily, but basically right: there has to be an interface the packets leave from after translation.... look at sh ip ro 0.0.0.0, for example, and put outside there.

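The placement rule the replies above converge on (outside on the interface the default route leaves through, inside on the subscriber Virtual-Template, nothing on the VLAN that only carries PPPoE discovery) can be checked mechanically before a session is ever brought up. The script below is an added example written for this page, not code from any of the posters. Its sample config is the first post's fragment plus an assumed uplink interface and default route (203.0.113.x, documentation space), because the original post did not show where its default route points.

```python
"""Flag misplaced `ip nat inside` / `ip nat outside` in an IOS-style BRAS config.

Rule applied: the interface whose connected subnet contains the default-route
next hop must be `ip nat outside`; Virtual-Template interfaces (where PPPoE
sessions terminate) must be `ip nat inside`; a VLAN that only carries PPPoE
discovery needs no NAT role at all.
"""
import ipaddress
import re

# Constructed sample: the first post's fragment, plus an ASSUMED uplink
# sub-interface and default route (203.0.113.x) that the post did not show.
SAMPLE_CONFIG = """
interface TenGigabitEthernet0/1/0.844
 description test router bras
 encapsulation dot1Q 844
 ip nat inside
 pppoe enable group smart-test
interface TenGigabitEthernet0/1/0.10
 ip address 203.0.113.2 255.255.255.252
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 ip nat outside
 peer default ip address dhcp-pool Smart_ST
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-lines]} for every `interface` stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # any other top-level line ends the stanza
    return interfaces


def default_next_hop(config):
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return ipaddress.ip_address(m[1]) if m else None


def egress_interface(interfaces, next_hop):
    """The interface whose connected subnet contains the default next hop."""
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"ip address (\S+) (\S+)", l)
            if m and next_hop in ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False):
                return name
    return None


def nat_placement_issues(config):
    """List of human-readable problems; an empty list means the placement is sane."""
    interfaces = parse_interfaces(config)
    issues = []
    nh = default_next_hop(config)
    egress = egress_interface(interfaces, nh) if nh else None
    if egress is None:
        issues.append("no default route / egress interface found to carry `ip nat outside`")
    elif "ip nat outside" not in interfaces[egress]:
        issues.append(f"{egress}: carries the default route but lacks `ip nat outside`")
    for name, lines in interfaces.items():
        roles = {l for l in lines if l.startswith("ip nat ")}
        if name.startswith("Virtual-Template"):
            if "ip nat inside" not in roles:
                issues.append(f"{name}: subscriber sessions land here; needs `ip nat inside`")
            if "ip nat outside" in roles:
                issues.append(f"{name}: `ip nat outside` on the subscriber template is wrong")
        elif any(l.startswith("pppoe enable") for l in lines) and roles:
            issues.append(f"{name}: PPPoE discovery VLAN does not need {', '.join(sorted(roles))}")
        elif name != egress and "ip nat outside" in roles:
            issues.append(f"{name}: `ip nat outside` but the default route leaves via {egress}")
    return issues


if __name__ == "__main__":
    for issue in nat_placement_issues(SAMPLE_CONFIG):
        print("-", issue)
```

On the sample it reports four problems: the uplink lacks `ip nat outside`, the PPPoE VLAN carries a needless `ip nat inside`, and Virtual-Template1 has outside where inside belongs. Feed it `show running-config` output to re-check after edits; it only understands `ip address`, `ip nat`, `pppoe enable` and a static default route, so a BGP-learned default has to be substituted by hand.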

3 hours ago, myst said:

Not necessarily, but basically right: there has to be an interface the packets leave from after translation.... look at sh ip ro 0.0.0.0, for example, and put outside there.

Agreed, my mistake. I have not dealt with NAT on Cisco for a long time.


Can someone tell me what these entries with port 0 in the NAT translation table are:

c7204_core#sh ip nat tr | i 172.21.43.1:
gre 188.130.171.34:0      172.21.43.1:0         91.208.134.75:0       91.208.134.75:0
...


soft: asr1000rp1-advipservicesk9.02.06.01.122-33.XNF1.bin

And here is the sad part when configuring the template for PPPoE:

ASR1002_core(config-route-map)#interface Virtual-Template1
ASR1002_core(config-if)# ip policy route-map nat_to_sovintel
                              ^
% Invalid input detected at '^' marker.

The idea is that after authorization clients are given IPs from different pools, which are NATed to different upstreams (from the config of the old Cisco 7204):

interface Virtual-Template1
 description PPTP VPN template interface
 ip unnumbered Loopback0
 no ip redirects
 ip nat inside
 ip flow ingress
 ip flow egress
 ip policy route-map nat_to_sovintel
 no logging event link-status
 no peer default ip address
 keepalive 30 7
 ppp authentication pap chap callin via_lb
 ppp authorization via_lb
 ppp accounting via_lb
 ppp ipcp dns xxx.xxx.xxx.xxx
...
access-list 100 permit ip 172.21.40.0 0.0.0.255 any
access-list 100 permit ip 172.21.41.0 0.0.0.255 any
access-list 102 permit ip 172.21.43.0 0.0.0.255 any
access-list 102 permit ip 172.21.42.0 0.0.0.255 any
...
ip nat inside source list 100 interface GigabitEthernet0/3.502 overload
ip nat inside source list 102 interface GigabitEthernet0/3.151 overload

I wanted to reproduce this on the ASR 1002 as well, and ran into this letdown.
Change the IOS? To which one? Or is there some other way around it?


asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext - ip policy is available on the virtual template


Don't I need to change some bootprom for this IOS?

ASR1002_core#sh platform
Chassis type: ASR1002

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ASR1002-SIP10       ok                    23:34:55
 0/0      4XGE-BUILT-IN       ok                    23:33:17
 0/1      SPA-5X1GE-V2        ok                    23:33:16
R0        ASR1002-RP1         ok, active            23:34:55
F0        ASR1000-ESP5        ok, active            23:34:55
P0        ASR1002-PWR-AC      ps, fail              23:34:04
P1        ASR1002-PWR-AC      ok                    23:34:03

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         07120202            12.2(33r)XNC
R0        08011017            12.2(33r)XNC
F0        07091401            12.2(33r)XNB


1 hour ago, Andrei said:

Don't I need to change some bootprom for this IOS?

Most likely yes, I have 15.5(3r)S1


1 minute ago, Andrei said:

And the full image name?

asr1000-rommon-155-3r.S1.pkg

By the way, the required rommon is in the name of the firmware itself:
asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext
asr1000rp1-advipservicesk9.02.06.01.122-33.XNF1

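A small added check for the bootprom question above (example code written for this page, not anything the posters ran): it pulls the IOS XE release and the IOS train out of an ASR1000 image file name and compares that train with the ROMMON versions that `show platform` reports per slot. The rule that the image name encodes the needed ROMMON train is the one alexmern states above and is treated here as an assumption; the authoritative minimum ROMMON for a release is in Cisco's release notes, not in the file name.

```python
"""Compare the IOS train encoded in an ASR1000 image name with the ROMMON
versions from `show platform`, to list the slots that would need a ROMMON upgrade."""
import re

# Constructed sample: the firmware table from the `show platform` output posted above.
SHOW_PLATFORM = """
Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         07120202            12.2(33r)XNC
R0        08011017            12.2(33r)XNC
F0        07091401            12.2(33r)XNB
"""

# asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext.bin
#   rp=1  feature=adventerprisek9  xe=03.16.10.S  ios=155-3.S10  suffix=ext
IMAGE_RE = re.compile(
    r"^asr1000rp(?P<rp>\d)-(?P<feature>[a-z0-9]+)\."
    r"(?P<xe>\d{2}\.\d{2}\.\d{2}(?:\.S)?)\."      # IOS XE release, e.g. 03.16.10.S
    r"(?P<ios>\d{3}-\d+\.[A-Z0-9]+)"             # IOS train, e.g. 155-3.S10
    r"(?:-(?P<suffix>\w+))?(?:\.bin)?$"
)

# One `show platform` firmware row: slot, CPLD version, then e.g. 12.2(33r)XNC
ROMMON_RE = re.compile(
    r"^(?P<slot>\S+)\s+\S+\s+(?P<ver>(?P<maj>\d+)\.(?P<min>\d+)\(\d+r\)\S+)$", re.M
)


def image_versions(filename):
    """E.g. {'xe': '03.16.10.S', 'ios': '15.5(3)S10', 'ios_train': (15, 5)}."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised ASR1000 image name: {filename}")
    train, rest = m["ios"].split("-", 1)          # "155", "3.S10"
    major, minor = train[:-1], train[-1]          # "15", "5"
    maint, release = rest.split(".", 1)           # "3", "S10"
    return {
        "xe": m["xe"],
        "ios": f"{major}.{minor}({maint}){release}",
        "ios_train": (int(major), int(minor)),
    }


def rommon_versions(show_platform):
    """{slot: (version string, (major, minor))} parsed from the firmware table."""
    return {m["slot"]: (m["ver"], (int(m["maj"]), int(m["min"])))
            for m in ROMMON_RE.finditer(show_platform)}


def slots_needing_rommon(show_platform, image_name):
    """Slots whose ROMMON train is older than the IOS train in the image name.
    This is the thread's heuristic (an assumption); confirm against the release notes."""
    target = image_versions(image_name)["ios_train"]
    return sorted(slot for slot, (_, train) in rommon_versions(show_platform).items()
                  if train < target)


if __name__ == "__main__":
    image = "asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext.bin"
    print(image_versions(image))
    print("ROMMON upgrade needed in slots:", slots_needing_rommon(SHOW_PLATFORM, image))
```

For the 3.16 image it lists all three slots (0, F0, R0), which is consistent with the `upgrade rom-monitor ... all` command a later post runs; for the 2.6 image already on the box it lists none.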

17 minutes ago, alexmern said:

asr1000-rommon-155-3r.S1.pkg

I have a cisco.com account, but it will not let me download: no service contract :(

And I cannot see the old one on the flash either


ASR1002_core#dir /recursive *.pkg
Directory of bootflash:/*.pkg

No such file

7860539392 bytes total (1310380032 bytes free)
ASR1002_core#dir /recursive *.bin
Directory of bootflash:/*.bin

Directory of bootflash:/

   13  -rw-   255947064  Jul 27 2010 06:30:45 +05:00  asr1000rp1-advipservicesk9.02.06.01.122-33.XNF1.bin
   12  -rw-   395094652  Feb 19 2020 20:24:57 +05:00  asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext.bin
7860539392 bytes total (1310375936 bytes free)


15 hours ago, alexmern said:

asr1000-rommon-155-3r.S1.pkg

As far as I understand it now:

ASR1002_core# sh platf
Chassis type: ASR1002

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ASR1002-SIP10       ok                    1d01h
 0/0      4XGE-BUILT-IN       ok                    1d01h
 0/1      SPA-5X1GE-V2        ok                    1d01h
R0        ASR1002-RP1         ok, active            1d01h
F0        ASR1000-ESP5        ok, active            1d01h
P0        ASR1002-PWR-AC      ps, fail              1d01h
P1        ASR1002-PWR-AC      ok                    1d01h

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         07120202            12.2(33r)XNC
R0        08011017            12.2(33r)XNC
F0        07091401            12.2(33r)XNB


upgrade rom-monitor filename bootflash:asr1000-rommon-155-3r.S1.pkg all

boot-start-marker
boot system bootflash:asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext.bin
boot-end-marker

 


On 19.02.2020 at 21:49, alexmern said:

asr1000rp1-adventerprisek9.03.16.10.S.155-3.S10-ext

Does pppoe/pptp termination work properly on this IOS? I cannot get a working version of the config.

Authorization via RADIUS goes through

Feb 21 21:57:59: ppp26 PPP: Using AAA Unique Id = 35
Feb 21 21:57:59: ppp26 PPP: Authorization required
Feb 21 21:57:59: ppp26 PPP: Using vpn set call direction
Feb 21 21:57:59: ppp26 PPP: Treating connection as a callin
Feb 21 21:57:59: ppp26 PPP: Session handle[D900001A] Session id[26]
Feb 21 21:57:59: ppp26 PPP LCP: negotiation authorized = 1, tacacs author = 0
Feb 21 21:57:59: ppp26 PPP LCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: ppp26 PPP LCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: ppp26 PPP LCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: ppp26 PPP LCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: ppp26 CHAP: O CHALLENGE id 1 len 33 from "ASR1002_core"
Feb 21 21:57:59: ppp26 CHAP: I RESPONSE id 1 len 28 from "var_bee"
Feb 21 21:57:59: ppp26 PPP: Sent CHAP LOGIN Request
Feb 21 21:57:59: ppp26 PPP: Received LOGIN Response PASS
Feb 21 21:57:59: ppp26 PPP AUTHOR: Author Data Available
Feb 21 21:57:59: ppp26 PPP: Receive Attrs from[authen] Keep[LCP] MERGE
Feb 21 21:57:59: ppp26 PPP: Keep Attr: timeout              0   386405 (0x5E565)
Feb 21 21:57:59: ppp26 PPP: Updated the attr timeout in datalist
Feb 21 21:57:59: ppp26 PPP: Keep Attr: service-type         0   2 [Framed]
Feb 21 21:57:59: ppp26 PPP: Updated the attr service-type in datalist
Feb 21 21:57:59: ppp26 PPP: Keep Attr: Framed-Protocol      0   1 [PPP]
Feb 21 21:57:59: ppp26 PPP: Updated the attr Framed-Protocol in datalist
Feb 21 21:57:59: ppp26 PPP: Skip Attr: addr                 0   172.21.44.235
Feb 21 21:57:59: ppp26 PPP: Skip Attr: netmask              0   255.255.255.255
Feb 21 21:57:59: ppp26 PPP: Keep Attr: acct-interval        0   60 (0x3C)
Feb 21 21:57:59: ppp26 PPP: Updated the attr acct-interval in datalist
Feb 21 21:57:59: ppp26 PPP: Keep Attr: Message-Authenticato 0   <hidden>
Feb 21 21:57:59: ppp26 PPP: Updated the attr Message-Authenticator in datalist
Feb 21 21:57:59: ppp26 PPP: Receive Attrs from[SSS] Keep[NCPs] MERGE
Feb 21 21:57:59: ppp26 PPP: Skip Attr: timeout              0   386405 (0x5E565)
Feb 21 21:57:59: ppp26 PPP: Skip Attr: service-type         0   2 [Framed]
Feb 21 21:57:59: ppp26 PPP: Skip Attr: Framed-Protocol      0   1 [PPP]
Feb 21 21:57:59: ppp26 PPP: Keep Attr: addr                 0   172.21.44.235
Feb 21 21:57:59: ppp26 PPP: Updated the attr addr in datalist
Feb 21 21:57:59: ppp26 PPP: Keep Attr: netmask              0   255.255.255.255
Feb 21 21:57:59: ppp26 PPP: Updated the attr netmask in datalist
Feb 21 21:57:59: ppp26 PPP: Skip Attr: Message-Authenticato 0   <hidden>
Feb 21 21:57:59: is_up: Virtual-Access3.1 0 state: 4 sub state: 0 line: 0
Feb 21 21:57:59: RT: interface Virtual-Access3.1 removed from routing table
Feb 21 21:57:59: is_up: Virtual-Access3.1 0 state: 4 sub state: 0 line: 0
Feb 21 21:57:59: RT: interface Virtual-Access3.1 removed from routing table
Feb 21 21:57:59: is_up: Virtual-Access3.1 0 state: 4 sub state: 0 line: 0
Feb 21 21:57:59: RT: interface Virtual-Access3.1 removed from routing table
Feb 21 21:57:59: is_up: Virtual-Access3.1 0 state: 4 sub state: 1 line: 0
Feb 21 21:57:59: RT: interface Virtual-Access3.1 removed from routing table
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Process LCP Author Data
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Process Attr: timeout
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Process Attr: service-type
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Process Attr: Framed-Protocol
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Process Attr: acct-interval
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Process Attr: Message-Authenticator
Feb 21 21:57:59: Vi3.1 LCP AUTHOR: Authorization succeeded
Feb 21 21:57:59: Vi3.1 CHAP: O SUCCESS id 1 len 4
Feb 21 21:57:59: Vi3.1 PPP: Store Author Attr: addr
Feb 21 21:57:59: Vi3.1 PPP: Store Author Attr: netmask
Feb 21 21:57:59: Vi3.1 PPP IPCP: negotiation authorized = 1, tacacs author = 0
Feb 21 21:57:59: Vi3.1 PPP IPCP: neg is authorized, processing CP UP event
Feb 21 21:57:59: is_up: Virtual-Access3.1 0 state: 4 sub state: 1 line: 0
Feb 21 21:57:59: RT: interface Virtual-Access3.1 removed from routing table
Feb 21 21:57:59: Vi3.1 PPP IPCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: Start.  Her address 0.0.0.0, we want 0.0.0.0
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: Authorization succeeded
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: Done.  Her address 0.0.0.0, we want 172.21.44.235
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for primary dns
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for primary wins
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for seconday dns
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for seconday wins
Feb 21 21:57:59: Vi3.1 PPP IPCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for primary dns
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for seconday dns
Feb 21 21:57:59: Vi3.1 PPP IPCP: neg is authorized, processing incoming CONFREQ
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for primary dns
Feb 21 21:57:59: Vi3.1 IPCP AUTHOR: no author-info for seconday dns
Feb 21 21:57:59: RT: updating connected 172.21.44.235/32 (0x0)  :
    via 0.0.0.0 Vi3.1  0 1048578

Feb 21 21:57:59: RT: add 172.21.44.235/32 via 0.0.0.0, connected metric [0/0]
Feb 21 21:57:59: is_up: Virtual-Access3.1 1 state: 4 sub state: 1 line: 0

the interface gets created

ASR1002_core#sh user | i var
  Vi3.1        var_bee            PPPoVPDN     -        172.21.44.235

ASR1002_core#sh int Vi3.1
Virtual-Access3.1 is up, line protocol is up
  Hardware is Virtual Access interface
  Description: PPTP VPN template interface
  Interface is unnumbered. Using address of Loopback0 (10.2.1.1)
  MTU 1472 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Open: IPCP
  PPPoVPDN vaccess, cloned from Virtual-Template1
  Vaccess status 0x0
  Protocol pptp, tunnel id 512, session id 33157
  Keepalive set (30 sec)
     100 packets input, 17129 bytes
     24 packets output, 171 bytes
  Time to interface disconnect:  absolute 4d11h
  Last clearing of "show interface" counters never
ASR1002_core#sh int Vi3.1 conf
Virtual-Access3.1 is an VPDN link (sub)interface

Derived configuration : 442 bytes
!
interface Virtual-Access3.1
 description PPTP VPN template interface
 mtu 1472
 ip unnumbered Loopback0
 no ip redirects
 ip nat inside
 ip tcp adjust-mss 1432
 timeout absolute 6440 5
 no peer default ip address
 keepalive 30 7
 ppp authentication pap chap callin via_lb
 ppp authorization via_lb
 ppp accounting via_lb
 ppp ipcp dns xxx.xxx.171.1 8.8.8.8
 ppp ipcp address required
 ppp ipcp address unique
 no ip virtual-reassembly
end

It is visible both in the translation table and in the routes

ASR1002_core#sh ip nat tr
Pro  Inside global         Inside local          Outside local         Outside global
udp  xxx.xxx.171.9:4520    172.21.44.235:61918   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4519    172.21.44.235:58425   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4531    172.21.44.235:50935   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4513    172.21.44.235:53740   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4514    172.21.44.235:50379   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4525    172.21.44.235:51688   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4512    172.21.44.235:58788   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4518    172.21.44.235:58567   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4522    172.21.44.235:62820   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4515    172.21.44.235:57079   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4523    172.21.44.235:55937   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4516    172.21.44.235:60166   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4529    172.21.44.235:60868   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4524    172.21.44.235:53768   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4530    172.21.44.235:51053   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4517    172.21.44.235:51161   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4526    172.21.44.235:57590   xxx.xxx.171.1:53      xxx.xxx.171.1:53
udp  xxx.xxx.171.9:4521    172.21.44.235:64213   xxx.xxx.171.1:53      xxx.xxx.171.1:53
Total number of translations: 18

ASR1002_core#sh ip route | i 172.21.44.235
C        172.21.44.235/32 is directly connected, Virtual-Access3.1

 

Конфиг вроде стандартный, на старой циске такой же. Но после установления успешного pptp-соединения тупо инет не доступен. Даже loopback0 10.2.1.1 не пингуется.

vpdn enable
vpdn session-limit 400
!
vpdn-group 1
 ! Default L2TP VPDN group
 ! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 session-limit 300
 local name vpn
 ip pmtu
 ip mtu adjust
...
bba-group pppoe global
 virtual-template 1
 sessions max limit 8000
 sessions per-mac limit 1
 sessions per-vlan limit 1000
 sessions per-mac throttle 1 30 31

ip route 0.0.0.0 0.0.0.0 xxx.xxx.171.17

!
interface Loopback0
 ip address 10.2.1.1 255.255.255.255

interface GigabitEthernet0/0/0.5
 descr For PPTP
 encapsulation dot1Q 5
 ip address 172.21.36.235 255.255.255.0 secondary
 ip address xxx.xxx.171.29 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp

interface GigabitEthernet0/0/1.4
 descr For NAT
 encapsulation dot1Q 4
 ip address xxx.xxx.171.9 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
...
interface Virtual-Template1
 description PPTP VPN template interface
 mtu 1472
 ip unnumbered Loopback0
 no ip redirects
 ip nat inside
 ip policy route-map nat_to_sovintel
 ip tcp adjust-mss 1432
 no logging event link-status
 no peer default ip address
 keepalive 30 7
 ppp authentication pap chap callin via_lb
 ppp authorization via_lb
 ppp accounting via_lb
 ppp ipcp dns xxx.xxx.171.1 8.8.8.8
 ppp ipcp address required
 ppp ipcp address unique
 no ip virtual-reassembly
...
ip nat inside source list 103 interface GigabitEthernet0/0/1.4 overload

access-list 103 permit ip 172.21.44.0 0.0.0.255 any

route-map nat_to_sovintel permit 10
 match ip address 103
 set ip next-hop xxx.xxx.171.1
 

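An added example for the last config above (illustration written for this page, not something the poster ran; the masked xxx.xxx.171.x addresses are replaced by 198.51.100.x, documentation space, as an assumption): it evaluates access-list 103, the `nat_to_sovintel` route-map and the `ip nat inside source list` rule for one subscriber packet and reports which NAT rule matches and which next hop the policy forces. Run as is, it shows that a packet from 172.21.44.235 to 8.8.8.8 and one to the BRAS's own Loopback0 10.2.1.1 get the same treatment, because the ACL permits any destination. It also understands `deny` entries and `host` specs, so it can show what an exemption for the router's own addresses placed ahead of the `permit` would do; since ACL 103 feeds both the NAT rule and the route-map here, any such exemption changes both. Only the configured ACL/route-map logic is modelled, not how IOS handles packets addressed to itself.

```python
"""Evaluate an IOS `ip policy route-map` plus `ip nat inside source list` for one
subscriber packet: which NAT rule matches, and which next hop the policy forces."""
import ipaddress
import re

# Constructed sample: the NAT / ACL / route-map lines from the config above, with
# the masked xxx.xxx.171.x addresses replaced by 198.51.100.x (an assumption).
SAMPLE_CONFIG = """
ip route 0.0.0.0 0.0.0.0 198.51.100.17
ip nat inside source list 103 interface GigabitEthernet0/0/1.4 overload
access-list 103 permit ip 172.21.44.0 0.0.0.255 any
route-map nat_to_sovintel permit 10
 match ip address 103
 set ip next-hop 198.51.100.1
"""


def _wildcard_to_prefix(wildcard):
    """IOS wildcard (0.0.0.255) -> prefix length (24); non-contiguous masks are rejected."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - w.bit_length()


def _parse_pair(spec):
    """'src dst' part of an extended ACL entry -> [src_net, dst_net].
    Each side is `any`, `host H`, or `A W` (address plus wildcard)."""
    tokens, nets = spec.split(), []
    while tokens:
        t = tokens.pop(0)
        if t == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif t == "host":
            nets.append(ipaddress.ip_network(f"{tokens.pop(0)}/32"))
        else:
            prefix = _wildcard_to_prefix(tokens.pop(0))
            nets.append(ipaddress.ip_network(f"{t}/{prefix}", strict=False))
    if len(nets) != 2:
        raise ValueError(f"cannot parse ACL spec: {spec}")
    return nets


def parse_acls(config):
    """{acl number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) ip (.+)$", config, re.M):
        acls.setdefault(m[1], []).append((m[2], *_parse_pair(m[3])))
    return acls


def acl_action(entries, src, dst):
    """First matching entry wins; no match is an implicit deny."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def parse_route_map(config, name):
    """[{seq, action, acl, next_hop}] for each `route-map NAME permit|deny SEQ` stanza."""
    entries, current = [], None
    for line in config.splitlines():
        m = re.match(rf"^route-map {re.escape(name)} (permit|deny) (\d+)$", line)
        if m:
            current = {"seq": int(m[2]), "action": m[1], "acl": None, "next_hop": None}
            entries.append(current)
        elif current is not None and line.startswith(" "):
            clause = line.split()
            if clause[:3] == ["match", "ip", "address"]:
                current["acl"] = clause[3]
            elif clause[:3] == ["set", "ip", "next-hop"]:
                current["next_hop"] = ipaddress.ip_address(clause[3])
        else:
            current = None
    return entries


def forwarding_decision(config, route_map, src, dst):
    """(matching NAT acl or None, next hop) for a packet entering an interface that
    carries `ip policy route-map <route_map>`.  A route-map deny, or no matching
    sequence, falls through to the static default route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls = parse_acls(config)
    nat_acl = None
    for m in re.finditer(r"^ip nat inside source list (\d+) ", config, re.M):
        if acl_action(acls.get(m[1], []), src, dst) == "permit":
            nat_acl = m[1]
            break
    next_hop = None
    for entry in parse_route_map(config, route_map):
        acl = entry["acl"]
        if acl is None or acl_action(acls.get(acl, []), src, dst) == "permit":
            if entry["action"] == "permit":
                next_hop = entry["next_hop"]
            break                                  # first matching sequence decides
    if next_hop is None:
        m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
        next_hop = ipaddress.ip_address(m[1]) if m else None
    return nat_acl, (str(next_hop) if next_hop is not None else None)


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.2.1.1"):       # an internet host, and the BRAS's own Loopback0
        print(dst, forwarding_decision(SAMPLE_CONFIG, "nat_to_sovintel", "172.21.44.235", dst))
```

Both sample packets come back as `('103', '198.51.100.1')`: NATed and policy-routed to the upstream next hop. A source outside 172.21.44.0/24 gets `(None, '198.51.100.17')`, i.e. no NAT and the plain default route. Adding `access-list 103 deny ip 172.21.44.0 0.0.0.255 host 10.2.1.1` ahead of the permit makes the Loopback0 packet fall back to the routing table, and, because the same ACL drives the NAT rule, also leaves it untranslated.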
