ISR4431 IOS-XE NAT loopback (hairpin) problem

Posted 6 days ago
Problem: internal clients need to reach an internal server using its public IP address.

Software version
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
==============
Unlike earlier IOS, IOS-XE has no ip nat enable command, and I can't find the relevant commands in the official documentation. Has anyone configured this?

Posted 6 days ago
IOSD is the SD-WAN IOS; switch to a different IOS image and configure it again.
Posted 5 days ago
Just passing through, learning something.
Posted 5 days ago
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-addr-consv.html

When you configure Network Address Translation (NAT) on an interface, that interface becomes optimized for NAT packet flow. Any nontranslated packet that flows through the NAT interface goes through a series of checks to determine whether the packet must be translated or not. These checks result in increased latency for nontranslated packet flows and thus negatively impact the packet processing latency of all packet flows through the NAT interface. We highly recommend that a NAT interface must be used only for NAT-only traffic. Any non-NAT packets must be separated and these packets must go through an interface that does not have NAT configured on it. You can use Policy-Based Routing (PBR) for separating non-NAT traffic.

NAT Virtual Interfaces (NVIs) are not supported in the Cisco IOS XE software.

In Cisco IOS XE software, NAT outside interfaces show up in the translations tables, by default. This view of NAT outside interfaces causes the connection that originates from the outside interface of the device to fail. To restore connectivity, you must explicitly deny the outside Interface within the NAT ACL using the deny command. After using the deny command, no translation is observed for the outside interface.

NAT is not practical if large numbers of hosts in the stub domain communicate outside of the domain.

Some applications use embedded IP addresses in such a way that translation by a NAT device is impractical. These applications may not work transparently or at all through a NAT device.

In a NAT configuration, addresses configured for any inside mapping must not be configured for any outside mapping.

Do not configure the interface IP address as part of the IP address NAT pool.

By default, support for the Session Initiation Protocol (SIP) is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT service may corrupt the packet. This packet corruption is due to its attempt to interpret the packet as a SIP call message.

NAT hides the identity of hosts, which may be an advantage or a disadvantage depending on the needed result.

Devices that are configured with NAT must not advertise the local networks to outside the network. However, routing information that NAT receives from the outside can be advertised in the stub domain as usual.

NAT outside interface is not supported on a VRF. However, NAT outside interface is supported in iWAN and is part of the Cisco Validated Design.

For VRF-aware NAT, remove the NAT configuration before you remove the VRF configuration.

If you specify an access list to use with a NAT command, NAT does not support the permit ip any any command. This NAT command is commonly used in the access list.

Cisco ASR 1000 Series Aggregation Services Routers do not support an access list with a port range.

NAT configuration is not supported on the access side of the Intelligent Services Gateway (ISG).

Using any IP address that is configured of a device as an address pool or in a NAT static rule is not supported. NAT can share the physical interface address (not any other IP address) of a device only by using the NAT interface overload configuration. A device uses the ports of its physical interface and NAT must receive communication about the ports that it can safely use for translation. This communication happens only when the NAT interface overload is configured.

The output of the show ip nat statistics command displays information about all IP address pools and NAT mappings that you have configured. If your NAT configuration has a high number of IP address pools and NAT mappings (for example, 1000 to 4000), the update rate of the pool and mapping statistics in show ip nat statistics is slow.

Static and dynamic NAT with generic routing encapsulation (generic GRE) and dynamic NAT with Layer 2 do not work when used along with hardware-based Cisco AppNav appliances (for example, Wide Area Application Services [WAAS]). In the context of WAAS, generic GRE is an out-of-path deployment mechanism. It helps to return packets from the WAAS Wide-Area Application Engine (WAE) through the GRE tunnel to the same device from which they were originally redirected after completing optimization.

Port Address Translation (also called NAT overload) only supports protocols whose port numbers are known; these protocols are Internet Control Message Protocol (ICMP), TCP, and UDP. Other protocols do not work with PAT because they consume the entire address in an address pool. Configure your access control list to only permit ICMP, TCP, and UDP protocols, so that all other protocol traffic is prevented from entering the network.

NAT, Zone-Based Policy Firewall, and Web Cache Communication Protocol (WCCP) cannot coexist in a network.

Non-PATable traffic is traffic for a protocol that has no ports. PAT/overload can only be done on protocols where the ports are known, that is, UDP, TCP, and ICMP.

When ASR is configured for NAT overload (PAT) and Non-Pattable traffic hits the router, Non-Pattable BIND entry gets created for this traffic. Following is a bind entry in the NAT table:
---  213.252.7.132         172.16.254.242        ---
This bind entry consumes an entire address from the pool. In this example, 213.252.7.132 is an address from an overloaded pool.
That means an inside local IP Address gets bound to the outside global IP which is similar to static NAT. Because of this binding action, new inside local IP Addresses cannot use this global IP Address until the current entry gets timed out. All the translation that is created off this BIND is 1-to-1 translations instead of overload.

To avoid consumption of an entire address from the pool, make sure that there are not any entries for the Non-Pattable traffic across the router.
Posted 4 days ago
One question: is the client accessing the company's internal server from the internal network, or from home, where it first gets a company-assigned internal IP over SSL VPN and then accesses the internal server?
Posted 4 days ago
Search the forum; someone has solved this with a loopback interface...
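The loopback approach the last reply points to, written out as an added illustration. This is not configuration from any post in this thread and not Cisco's reference configuration; it follows the commonly posted loopback-plus-PBR method and also applies the restrictions quoted from the IOS XE NAT guide above (deny the outside interface address in the NAT ACL, permit only PATable protocols so a non-PATable flow cannot bind a whole pool address, share a device address only through interface overload). Every address, interface name, ACL name and route-map name is an assumption: 203.0.113.0/24 stands in for the public block, 192.168.1.0/24 for the LAN, 192.168.1.10 for the server published on 203.0.113.10:443, and Loopback0 for an otherwise unused interface. Because IOS XE has no NVI (hence no ip nat enable), the idea is to give the router a NAT-outside interface that LAN-to-public traffic is forced through with PBR, so the flow crosses an inside/outside boundary and both the source PAT and the static destination translation are applied.

```cisco
! Added example, not from the thread. All names and addresses are assumptions.
! WAN: Gi0/0/0 = 203.0.113.1/24   LAN: Gi0/0/1 = 192.168.1.1/24
! Server 192.168.1.10 is published as 203.0.113.10:443
!
! 1. Pseudo-outside interface. LAN-to-public flows are policy-routed here so
!    they cross an inside->outside boundary and get translated like WAN traffic.
interface Loopback0
 description NAT hairpin pseudo-outside
 ip address 10.255.255.1 255.255.255.255
 ip nat outside
!
interface GigabitEthernet0/0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map RM-HAIRPIN
!
! 2. Select only LAN -> published-public-address flows for hairpinning;
!    everything else keeps the normal routing table path (the guide's advice
!    to keep non-NAT traffic off NAT interfaces, enforced with PBR).
ip access-list extended ACL-HAIRPIN
 permit ip 192.168.1.0 0.0.0.255 host 203.0.113.10
!
route-map RM-HAIRPIN permit 10
 match ip address ACL-HAIRPIN
 set interface Loopback0
!
! 3. General PAT ACL, per the restrictions quoted from the IOS XE guide:
!    - explicitly deny traffic sourced from the outside interface addresses
!      (on IOS XE these otherwise appear in the translation table and
!      connections originated from the outside interface fail)
!    - permit only TCP, UDP and ICMP: any other protocol is non-PATable and
!      binds an entire address 1-to-1 until the entry times out
!    - no "permit ip any any"
ip access-list extended ACL-NAT-INSIDE
 deny   ip host 203.0.113.1 any
 deny   ip host 10.255.255.1 any
 permit tcp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any
 permit icmp 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
! 4. Translations. Interface overload is the only supported way to reuse a
!    device address (the WAN address must not be placed in a NAT pool).
ip nat inside source list ACL-NAT-INSIDE interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.1.10 443 203.0.113.10 443 extendable
```

Verify in a lab before relying on it: from a LAN host connect to 203.0.113.10:443, then check that show route-map RM-HAIRPIN reports policy-routing matches and that show ip nat translations shows both the static entry and a dynamic tcp entry for the client. If the client's SYN is translated but the server's reply is not, the return path is not being treated as an outside-to-inside crossing on that release and the design needs adjusting rather than more ACL entries.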
Page generated GMT+8, 2020-1-21 10:26
Copyright © 1992-2019 Cisco Systems