
Strange NAT (or not NAT) on CISCO 3945

We have the following connection scheme:

net1.png

One Cisco, two PPPoE connections to different providers.

 

I want something strange: when a TCP packet arrives from outside at our WAN (IP:YY.YY.YY.5 PORT:5002), replace the sender address in it with YY.YY.YY.5 and send it back out to IP:FF.FF.FF.88, PORT:5001

Are there any options?

 

#sh ver
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright © 1986-2010 by Cisco Systems, Inc.
Compiled Sun 18-Jul-10 06:43 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)

router uptime is 1 week, 4 days, 17 hours, 6 minutes
System returned to ROM by reload at 08:00:45 UTC Wed Sep 29 2010
System image file is "flash0:c3900-universalk9-mz.SPA.150-1.M3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 983040K/65536K bytes of memory.
Processor board ID FCZ141070V0
4 FastEthernet interfaces
3 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)


Configuration register is 0x2102

 

The current configuration is:


!
! Last configuration change at 04:18:08 UTC Tue Oct 26 2010 by valery
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4185159336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4185159336
revocation-check none
rsakeypair TP-self-signed-4185159336
!
!
crypto pki certificate chain TP-self-signed-4185159336
certificate self-signed 01
 XXXXXXXXXXXXXXXXXXXXX
 	quit
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
clns routing
!
!
license udi pid C3900-SPE150/K9 sn FOC14053VPM
license boot module c3900 technology-package datak9 disable
!
!
archive
log config
 logging enable
 logging size 200
 notify syslog contenttype plaintext
 hidekeys
username valery privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
redundancy
!
!
! 
!
!
!
!
!
!
interface GigabitEthernet0/0
description LAN
ip address 192.168.1.254 255.255.255.0
ip nat enable
ip policy route-map REDIRECTOR
duplex auto
speed auto
no cdp enable
!
!
interface FastEthernet0/0/0
no ip address
duplex auto
speed auto
no cdp enable
!
!
interface FastEthernet0/0/0.1
encapsulation dot1Q 43
pppoe enable group 1
pppoe-client dial-pool-number 1
no keepalive
no cdp enable
!
interface FastEthernet0/0/1
no ip address
duplex auto
speed auto
pppoe enable group 2
pppoe-client dial-pool-number 2
no keepalive
no cdp enable
!
!
interface Dialer1
description WAN1-APLUS
ip address negotiated
ip mtu 1492
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp eap refuse
ppp chap hostname XXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXX
ppp chap refuse
ppp ms-chap refuse
ppp ms-chap-v2 refuse
ppp pap sent-username XXXXXXXX password 0 XXXXXXX
no cdp enable
!
!
interface Dialer2
description WAN2-STK
ip address negotiated
ip mtu 1492
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username XXXXXXXX password 0 XXXXXXXXXX
no cdp enable
!
!
ip local policy route-map REDIRECTOR
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool SRV1_PAT 192.168.1.254 192.168.1.254 prefix-length 24
ip nat source list ISP1-FORWARD pool SRV1_PAT overload
ip nat source list ISP1-IPERF interface Dialer1 overload
ip nat source list ISP2-FORWARD pool SRV1_PAT overload
ip nat source list ISP2-IPERF interface Dialer2 overload
ip nat source route-map W1-NAT interface Dialer1 overload
ip nat source route-map W2-NAT interface Dialer2 overload
ip nat source static tcp 192.168.1.40 5001 YY.YY.YY.5 5001 extendable
ip nat source static tcp XX.XX.XX.88 5001 YY.YY.YY.5 5002 extendable
ip nat source static tcp 192.168.1.40 5001 ZZ.ZZ.ZZ.244 5001 extendable
ip nat source static tcp XX.XX.XX.88 5001 ZZ.ZZ.ZZ.244 5002 extendable
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.50.0 255.255.255.0 192.168.1.240
!
ip access-list extended ISP1-FORWARD
permit tcp any host YY.YY.YY.5 eq 5001
ip access-list extended ISP1-IPERF
permit tcp any host YY.YY.YY.5 eq 5002
ip access-list extended ISP2-FORWARD
permit tcp any host ZZ.ZZ.ZZ.244 eq 5001
ip access-list extended ISP2-IPERF
permit tcp any host ZZ.ZZ.ZZ.244 eq 5002
ip access-list extended NAT-ALLOW
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VAJ
permit tcp host 192.168.1.40 any eq www
ip access-list extended WAN1IP
permit ip host YY.YY.YY.5 any
ip access-list extended WAN2IP
permit ip host ZZ.ZZ.ZZ.244 any
!
!
!
!
!
route-map REDIRECTOR permit 10
match ip address VAJ
set interface Dialer1
!
route-map REDIRECTOR permit 20
match ip address WAN1IP
set interface Dialer1
!
route-map REDIRECTOR permit 30
match ip address WAN2IP
set interface Dialer2
!
route-map W1-NAT permit 20
match ip address NAT-ALLOW
match interface Dialer1
!
route-map W2-NAT permit 10
match ip address NAT-ALLOW
match interface Dialer2
!
route-map ALL-ISP permit 10
match ip address WAN1IP
set ip next-hop 10.10.10.1
!
route-map ALL-ISP permit 20
match ip address WAN2IP
set ip next-hop 213.228.116.163
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 858
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

 

#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.1.254   YES NVRAM  up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down    
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down    
FastEthernet0/0/0          unassigned      YES NVRAM  up                    up      
FastEthernet0/0/0.1        unassigned      YES unset  up                    up      
FastEthernet0/0/1          unassigned      YES NVRAM  up                    up      
FastEthernet0/1/0          unassigned      YES NVRAM  administratively down down    
FastEthernet0/1/1          unassigned      YES NVRAM  administratively down down    
Dialer1                    YY.YY.YY.5     YES IPCP   up                    up      
Dialer2                    ZZ.ZZ.ZZ.244  YES IPCP   up                    up      
NVI0                       192.168.1.254   YES unset  up                    up      
Virtual-Access1            unassigned      YES unset  up                    up      
Virtual-Access2            unassigned      YES unset  up                    up      
Virtual-Access3            unassigned      YES unset  up                    up     

deb ip nat

It shows that NAT seems to be working fine:

*Oct 28 03:09:36.099: NAT: TCP s=38692, d=5002->5001
*Oct 28 03:09:36.099: NAT: s=XX.XX.XX.88->YY.YY.YY.5, d=YY.YY.YY.5 [4591]
*Oct 28 03:09:36.099: NAT: s=YY.YY.YY.5, d=YY.YY.YY.5->XX.XX.XX.88 [4591]

 

#sh ip nat nvi tr
Pro Source global         Source local          Destin  local         Destin  global
tcp YY.YY.YY.5:5002      XX.XX.XX.88:5001    ---                   ---
tcp YY.YY.YY.5:51856     XX.XX.XX.88:51856   YY.YY.YY.5:5002      XX.XX.XX.88:5001
tcp YY.YY.YY.5:5001      192.168.1.40:5001     ---                   ---

 

Accordingly, there is no connection to the external server at all.

Can you suggest what to fix in the config?

Edited by vaj

> We have the following connection scheme:
>
> One Cisco, two PPPoE connections to different providers.
>
> I want something strange: when a TCP packet arrives from outside at our WAN (IP:YY.YY.YY.5 PORT:5002), replace the sender address in it with YY.YY.YY.5 and send it back out to IP:FF.FF.FF.88, PORT:5001
>
> Are there any options?

Tricky. Question: does the second provider definitely pass packets from Dialer2 with a foreign Src?

 


> Tricky. Question: does the second provider definitely pass packets from Dialer2 with a foreign Src?

Most likely not. And that isn't needed: what's needed is that whichever interface the packet arrived on, it gets NATed on that same interface and leaves through it as well.


I tried debugging all of this. I don't see anything wrong. Maybe I'm doing something wrong? Give me a hint, rub my nose in it.

Nov  2 04:19:44.855: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Access List(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:19:44.855: NAT: [0] Allocated Port for 80.237.31.253 -> 80.237.30.5: wanted 42932 got 42932
Nov  2 04:19:44.855: NAT: i: tcp (80.237.31.253, 42932) -> (80.237.30.5, 5002) [32125]     
Nov  2 04:19:44.855: NAT: TCP s=42932, d=5002->5001
Nov  2 04:19:44.855: NAT: s=80.237.31.253->80.237.30.5, d=80.237.30.5 [32125]
Nov  2 04:19:44.855: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32125]
Nov  2 04:19:44.855: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, output feature, Post-routing NAT NVI Output(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:44.855: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, rcvd local pkt
Nov  2 04:19:47.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Access List(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:19:47.851: NAT: i: tcp (80.237.31.253, 42932) -> (80.237.30.5, 5002) [32126]     
Nov  2 04:19:47.851: NAT: TCP s=42932, d=5002->5001
Nov  2 04:19:47.851: NAT: s=80.237.31.253->80.237.30.5, d=80.237.30.5 [32126]
Nov  2 04:19:47.851: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32126]
Nov  2 04:19:47.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, output feature, Post-routing NAT NVI Output(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:47.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, rcvd local pkt
Nov  2 04:19:53.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Access List(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:19:53.851: NAT: i: tcp (80.237.31.253, 42932) -> (80.237.30.5, 5002) [32127]     
Nov  2 04:19:53.851: NAT: TCP s=42932, d=5002->5001
Nov  2 04:19:53.851: NAT: s=80.237.31.253->80.237.30.5, d=80.237.30.5 [32127]
Nov  2 04:19:53.851: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32127]
Nov  2 04:19:53.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), len 60, output feature, Post-routing NAT NVI Output(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: Output changed by feature=19: Dialer1 -> Dialer2
Nov  2 04:19:53.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), len 60, output feature, IPsec or interface ACL checked on pre-encrypted cleartext packets(37), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), len 60, output feature, Dialer idle reset(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:19:53.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), g=89.249.130.88, len 60, forward
Nov  2 04:19:53.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Virtual-Access3), len 60, sending full packet
Nov  2 04:20:05.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Access List(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:20:05.851: NAT: i: tcp (80.237.31.253, 42932) -> (80.237.30.5, 5002) [32128]     
Nov  2 04:20:05.851: NAT: TCP s=42932, d=5002->5001
Nov  2 04:20:05.851: NAT: s=80.237.31.253->80.237.30.5, d=80.237.30.5 [32128]
Nov  2 04:20:05.851: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32128]
Nov  2 04:20:05.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), len 60, output feature, Post-routing NAT NVI Output(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: Output changed by feature=19: Dialer1 -> Dialer2
Nov  2 04:20:05.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), len 60, output feature, IPsec or interface ACL checked on pre-encrypted cleartext packets(37), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), len 60, output feature, Dialer idle reset(70), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:05.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer2), g=89.249.130.88, len 60, forward
Nov  2 04:20:05.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Virtual-Access3), len 60, sending full packet
Nov  2 04:20:29.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Access List(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.31.253 (Dialer1), d=80.237.30.5, len 60, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:20:29.851: NAT: i: tcp (80.237.31.253, 42932) -> (80.237.30.5, 5002) [32129]     
Nov  2 04:20:29.851: NAT: TCP s=42932, d=5002->5001
Nov  2 04:20:29.851: NAT: s=80.237.31.253->80.237.30.5, d=80.237.30.5 [32129]
Nov  2 04:20:29.851: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32129]
Nov  2 04:20:29.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, output feature, Post-routing NAT NVI Output(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Nov  2 04:20:29.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, rcvd local pkt
Nov  2 04:20:40.091:  IP: s=80.237.31.253, d=90.189.120.244, pak 130A4030 consumed in input feature , packet consumed, Access List(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Edited by vaj


I don't see ip nat inside/outside anywhere on the interfaces; only ip nat enable is set.

Try setting them explicitly after all.

> I don't see ip nat inside/outside anywhere on the interfaces; only ip nat enable is set.
>
> Try setting them explicitly after all.

Then what should I put on interface Dialer1(2)?

I have ports forwarded inward and NATed to g0/0.

When we go from the LAN to the Internet, they are ip nat outside. And when going from the Internet to the LAN, ip nat inside. That's why there is simply ip nat enable, and NAT NVI comes into play.

NAT itself is exactly the part that is fine. Everything is visible in the log above. It NATs as it should.

Nov 2 04:19:44.855: NAT: [0] Allocated Port for 80.237.31.253 -> 80.237.30.5: wanted 42932 got 42932
Nov 2 04:19:44.855: NAT: i: tcp (80.237.31.253, 42932) -> (80.237.30.5, 5002) [32125]
Nov 2 04:19:44.855: NAT: TCP s=42932, d=5002->5001
Nov 2 04:19:44.855: NAT: s=80.237.31.253->80.237.30.5, d=80.237.30.5 [32125]
Nov 2 04:19:44.855: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32125]

As a result, we come from 80.237.31.253 to 80.237.30.5:5002. Then the Destination port changes to 5001, the Source IP is replaced with 80.237.30.5, and the Destination IP changes to 89.249.130.88.

Only it's unknown where the packet goes after that.

 

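An added example, not part of the original thread: a Python script that walks `debug ip packet` / `debug ip nat` lines like those posted above and records, per translated packet, the ingress interface, any `Output changed by feature` event and the final disposition line. Grouping lines by timestamp is an assumption that holds for this capture; the names `trace` and `findings` are hypothetical.

```python
import re
from collections import OrderedDict

# Lines copied from the debug output posted in the thread (two packets only).
SAMPLE = """\
Nov  2 04:19:44.855: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:19:44.855: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32125]
Nov  2 04:19:44.855: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Dialer1), len 60, rcvd local pkt
Nov  2 04:19:53.851: IP: tableid=0, s=80.237.31.253 (Dialer1), d=80.237.30.5 (Dialer1), routed via RIB
Nov  2 04:19:53.851: NAT: s=80.237.30.5, d=80.237.30.5->89.249.130.88 [32127]
Nov  2 04:19:53.851: IP: Output changed by feature=19: Dialer1 -> Dialer2
Nov  2 04:19:53.851: IP: s=80.237.30.5 (Dialer1), d=89.249.130.88 (Virtual-Access3), len 60, sending full packet
"""

LINE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+):\s+(?P<kind>IP|NAT):\s+(?P<body>.*)$")
INGRESS = re.compile(r"s=\S+ \((?P<ifc>[\w/.-]+)\), d=\S+ \([\w/.-]+\), routed via")
NAT_ID = re.compile(r"\[(\d+)\]\s*$")
CHANGED = re.compile(r"Output changed by feature=\d+: (\S+) -> (\S+)")
SENT = re.compile(r"d=\S+ \((?P<ifc>[\w/.-]+)\), len \d+, sending full packet")


def trace(log):
    """Return one record per packet; lines are grouped by timestamp (assumption)."""
    packets = OrderedDict()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a debug ip packet / debug ip nat line
        p = packets.setdefault(m["ts"], {"ts": m["ts"], "ident": None,
                                         "ingress": None, "rerouted": None,
                                         "fate": "unknown"})
        body = m["body"]
        if m["kind"] == "NAT":
            ident = NAT_ID.search(body)
            if ident:
                p["ident"] = int(ident.group(1))  # IP ID printed in brackets
            continue
        hit = INGRESS.search(body)
        if hit:
            p["ingress"] = hit["ifc"]
        hit = CHANGED.search(body)
        if hit:
            p["rerouted"] = (hit.group(1), hit.group(2))
        if body.endswith("rcvd local pkt"):
            p["fate"] = "rcvd local pkt"
        hit = SENT.search(body)
        if hit:
            p["fate"] = "sent via " + hit["ifc"]
    return list(packets.values())


def findings(packets):
    """Flag packets with no 'sending' line, or sent on a different interface than ingress."""
    out = []
    for p in packets:
        if not p["fate"].startswith("sent via"):
            out.append((p["ident"], "no 'sending' line, last disposition: " + p["fate"]))
        elif p["rerouted"] and p["rerouted"][1] != p["ingress"]:
            out.append((p["ident"], "output changed %s -> %s, ingress was %s"
                        % (p["rerouted"] + (p["ingress"],))))
    return out


if __name__ == "__main__":
    for ident, note in findings(trace(SAMPLE)):
        print(ident, note)
```
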
