ISR4431 IOS-XE NAT loopback (hairpin) issue

lizhicong2015 (Level 1)
Problem: internal clients access an internal server through its public IP.
Software version
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
==============
Unlike the earlier IOS, IOS-XE has no `ip nat enable` command, and I can't find the related command in the official documentation. Has anyone configured this?
11 replies

Li Bo (Level 1)
IOSD is the SD-WAN IOS. Switch to a different IOS and configure it again.

18653465190 (Spotlight)
Just passing by, learning along.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-addr-consv.html
When you configure Network Address Translation (NAT) on an interface, that interface becomes optimized for NAT packet flow. Any nontranslated packet that flows through the NAT interface goes through a series of checks to determine whether the packet must be translated or not. These checks result in increased latency for nontranslated packet flows and thus negatively impact the packet processing latency of all packet flows through the NAT interface. We highly recommend that a NAT interface must be used only for NAT-only traffic. Any non-NAT packets must be separated and these packets must go through an interface that does not have NAT configured on it. You can use Policy-Based Routing (PBR) for separating non-NAT traffic.
NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.
In Cisco IOS XE software, NAT outside interfaces show up in the translations tables, by default. This view of NAT outside interfaces causes the connection that originates from the outside interface of the device to fail. To restore connectivity, you must explicitly deny the outside interface within the NAT ACL using the deny command. After using the deny command, no translation is observed for the outside interface.
NAT is not practical if large numbers of hosts in the stub domain communicate outside of the domain.
Some applications use embedded IP addresses in such a way that translation by a NAT device is impractical. These applications may not work transparently or at all through a NAT device.
In a NAT configuration, addresses configured for any inside mapping must not be configured for any outside mapping.
Do not configure the interface IP address as part of the IP address NAT pool.
By default, support for the Session Initiation Protocol (SIP) is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT service may corrupt the packet. This packet corruption is due to its attempt to interpret the packet as a SIP call message.
NAT hides the identity of hosts, which may be an advantage or a disadvantage depending on the needed result.
Devices that are configured with NAT must not advertise the local networks to outside the network. However, routing information that NAT receives from the outside can be advertised in the stub domain as usual.
NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco Validated Design.
For VRF-aware NAT, remove the NAT configuration before you remove the VRF configuration.
If you specify an access list to use with a NAT command, NAT does not support the permit ip any any command. This NAT command is commonly used in the access list.
Cisco ASR 1000 Series Aggregation Services Routers do not support an access list with a port range.
NAT configuration is not supported on the access side of the Intelligent Services Gateway (ISG).
Using any IP address that is configured on a device as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.
The output of the show ip nat statistics command displays information about all IP address pools and NAT mappings that you have configured. If your NAT configuration has a high number of IP address pools and NAT mappings (for example, 1000 to 4000), the update rate of the pool and mapping statistics in show ip nat statistics is slow.
Static and dynamic NAT with generic routing encapsulation (generic GRE) and dynamic NAT with Layer 2 do not work when used along with hardware-based Cisco AppNav appliances (for example, Wide Area Application Services [WAAS]). In the context of WAAS, generic GRE is an out-of-path deployment mechanism. It helps to return packets from the WAAS Wide-Area Application Engine (WAE) through the GRE tunnel to the same device from which they were originally redirected after completing optimization.
Port Address Translation (also called NAT overload) only supports protocols whose port numbers are known; these protocols are Internet Control Message Protocol (ICMP), TCP, and UDP. Other protocols do not work with PAT because they consume the entire address in an address pool. Configure your access control list to only permit ICMP, TCP, and UDP protocols, so that all other protocol traffic is prevented from entering the network.
NAT, Zone-Based Policy Firewall, and Web Cache Communication Protocol (WCCP) cannot coexist in a network.
Non-Pattable traffic is traffic for a protocol where there are no ports. PAT/Overload can only be done on protocols where the ports are known, that is, UDP, TCP, and ICMP.
When ASR is configured for NAT overload (PAT) and Non-Pattable traffic hits the router, Non-Pattable BIND entry gets created for this traffic. Following is a bind entry in the NAT table:
--- 213.252.7.132 172.16.254.242 ---
This bind entry consumes an entire address from the pool. In this example, 213.252.7.132 is an address from an overloaded pool.
That means an inside local IP address gets bound to the outside global IP, which is similar to static NAT. Because of this binding action, new inside local IP addresses cannot use this global IP address until the current entry times out. All translations created off this BIND are 1-to-1 translations instead of overload.
To avoid consumption of an entire address from the pool, make sure that there are not any entries for the Non-Pattable traffic across the router.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

yancheng wang (Level 1)
One question: is the customer accessing the company's internal server from the internal network, or from home, connecting via SSL VPN, getting a company-assigned internal IP, and then accessing the internal server?

wuhao0015 (Spotlight)
Search the forum; someone solved this problem with a loopback interface...

lizhicong2015 (Level 1)
906158750 posted on 2020-1-17 15:45:
One question: is the customer accessing the company's internal server from the internal network, or from home, connecting via SSL VPN, getting a company-assigned internal IP, and then ...

No VPN connection into the company; the internal server is accessed via its public IP from inside the company network.

lizhicong2015 (Level 1)
linc posted on 2020-1-15 23:04:
IOSD is the SD-WAN IOS. Switch to a different IOS and configure it again.

Even if it doesn't work on this IOS, there should still be a solution for it; this requirement should be very common. It's just that the more documentation I read, the more confused I get.

Li Bo (Level 1)
The ISR has two IOS versions: one is SD-WAN, the other is traditional IOS XE. The SD-WAN IOS has to be used together with a controller.

lizhicong2015 (Level 1)
linc posted on 2020-2-24 20:49:
The ISR has two IOS versions: one is SD-WAN, the other is traditional IOS XE. The SD-WAN IOS has to be used together with a controller.

So it can't be done?

raxing (Cisco Employee)
lizhicong2015 posted on 2020-3-2 19:59:
So it can't be done?

iosd is the IOS daemon running on Linux. On traditional devices IOS is packaged as a whole; on the ISR 4k, ASR 1k and ASR 9k, IOS runs as a process on top of Linux, hence the name iosd.

l_enough (Spotlight)
Let me analyze it for you.
Suppose your internal IP is 1.1, your public IP is 3.3, and it is mapped to your internal server 2.2.
Then you need the following session table:
Send
dnat 1.1 -- 3.3, translated address (2.2)
snat 1.1 -- 2.2, translated address (here you need a virtual loopback interface, say 4.4). Why? Let me give you an analogy: if you are 1.1 and you reached 2.2 earlier, then your subsequent traffic actually no longer passes through your routing device, and you get asymmetric routing.
Receive
dnat 2.2 -- 4.4, translated address (1.1)
snat 2.2 -- 1.1, translated address (2.2)
Now you understand, right? I haven't gone over the actual commands, but the principle is roughly this.
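As an added illustration (not part of l_enough's post and not Cisco code), the following Python model walks one request/reply cycle through the session table above, using the post's placeholder addresses 1.1 (client), 2.2 (server), 3.3 (public) and 4.4 (loopback), and shows why the loopback SNAT is what keeps the server's reply on the router's path instead of letting it go straight back to the client.

```python
from dataclasses import dataclass, replace

# Placeholder addresses from the post above (constructed, not real networks):
# inside client 1.1, inside server 2.2, public address 3.3, router loopback 4.4.
CLIENT, SERVER, PUBLIC, LOOPBACK = "1.1", "2.2", "3.3", "4.4"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def router_send(pkt: Packet, snat_to_loopback: bool) -> Packet:
    """'Send' half of the table: DNAT 3.3 -> 2.2, optionally SNAT 1.1 -> 4.4."""
    if pkt.dst != PUBLIC:
        return pkt
    pkt = replace(pkt, dst=SERVER)          # dnat: public 3.3 -> server 2.2
    if snat_to_loopback:
        pkt = replace(pkt, src=LOOPBACK)    # snat: client 1.1 -> loopback 4.4
    return pkt


def router_receive(pkt: Packet) -> Packet:
    """'Receive' half of the table: undo both translations on the server's reply."""
    src = PUBLIC if pkt.src == SERVER else pkt.src       # 2.2 -> 3.3
    dst = CLIENT if pkt.dst == LOOPBACK else pkt.dst     # 4.4 -> 1.1
    return Packet(src, dst)


def hairpin_session(snat_to_loopback: bool) -> tuple[Packet, bool]:
    """Run one request/reply cycle; return (reply as the client sees it, reply went via router)."""
    request = router_send(Packet(CLIENT, PUBLIC), snat_to_loopback)
    reply = Packet(request.dst, request.src)              # server answers whoever asked
    # Same-subnet rule: the server delivers directly to any inside host, so only a
    # reply addressed to the router's own loopback comes back through the NAT table.
    if reply.dst == LOOPBACK:
        return router_receive(reply), True
    return reply, False


def client_accepts(reply: Packet) -> bool:
    """The client's session is to 3.3; a reply from 2.2 matches no session and is dropped."""
    return reply.src == PUBLIC and reply.dst == CLIENT


if __name__ == "__main__":
    for snat in (False, True):
        reply, via_router = hairpin_session(snat)
        print(f"snat_to_loopback={snat}: reply {reply.src}->{reply.dst}, "
              f"via router={via_router}, client accepts={client_accepts(reply)}")
```

Without the loopback SNAT the server answers 1.1 directly from 2.2, which matches no session on the client; with it, the reply is addressed to 4.4, returns through the router, and is rewritten back to 3.3 -> 1.1.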