[rbak-nsp] NAT Logging
Golem
golem at mtm-info.pl
Sat Nov 2 05:53:19 EDT 2013
Hello
I have been trying to find the problem, but no luck. Logging flows are not directed to the mgmt interface.
Here is the active subscriber:
[routerek]se600(config-nat-profile)#show subscribers active
00:00:00:12:00:00
Session state Up
Circuit 2/1 vlan-id 55 clips 262195
Internal Circuit 2/1:511:63:31/7/2/51
Interface bound ge1
Current port-limit 1
Protocol Stack IPV4
dhcp max-addrs 1 (applied)
ip address 192.168.100.4 (applied)
port-limit 1 (applied from sub_default)
ip source-validation 1 (applied from sub_default)
dns primary 178.214.0.16 (applied from sub_default)
dns secondary 178.214.0.14 (applied from sub_default)
dhcp vendor class id MSFT 5.0 (applied)
dhcp option client id 0x3d0701000000120000 (applied)
dhcp option hostname 0x0c05676f6c656d (applied)
qos rate outbound rate 90585 burst 16984500 (applied)
qos rate inbound rate 9585 burst 1797000 (applied)
qos-metering-policy default-out (applied)
qos-policing-policy default-in (applied)
nat policy-name ip_test_lan1_nat_policy (applied)
forward policy in NORMALPOLICY (applied)
qos-queuing-policy 128SharedUserRx (applied from sub_default)
IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
192.168.100.4 00:00:00:12:00:00
[routerek]se600(config-nat-profile)#
This is the complete config:
service multiple-contexts
!
service inter-context routing
!
!
!
software license
nat enhanced xxxxxxxxxxxxxxxxxxx
!
!
!
context local
!
no ip domain-lookup
!
interface mgnt
ip address 11.11.11.1/27
logging console
!
ip access-list admin-access
seq 10 permit tcp any any eq ssh
seq 20 deny tcp any any eq telnet
!
http-redirect profile Payment
!
enable encrypted xxxxxxxxxxxxxx
!
!
administrator admin encrypted xxxxxxx
!
!
!
!
!
!
context routerek
domain pvc55 advertise
!
no ip domain-lookup
!
nat logging-profile LogowanieNAT
transport-protocol udp
export-version v9
dscp ef
maximum ip-packet-size 200
source 10.0.0.33 port 5000
destination 10.0.0.1 context mrouter port 5000
!
!
ip nat pool ip_test_lan1_nat napt paired-mode logging
paired-mode subscriber over-subscription 32 port-limit 2000
logging-profile LogowanieNat
address 178.214.29.1/32 port-block 1 to 15
address 178.214.29.2/32 port-block 1 to 15
!
ip nat pool ip_test_pppoe1_nat napt paired-mode logging
paired-mode subscriber over-subscription 32 port-limit 2000
logging-profile LogowanieNat
address 178.214.30.1/32 port-block 1 to 15
address 178.214.30.2/32 port-block 1 to 15
!
nat policy ip_test_lan1_nat_policy enhanced
! Default class
pool ip_test_lan1_nat routerek
timeout tcp 18000
timeout abandoned 3600
endpoint-independent filtering tcp
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
!
nat policy ip_test_pppoe1_nat_policy enhanced
! Default class
pool ip_test_pppoe1_nat routerek
timeout tcp 18000
inbound-refresh udp
icmp-notification
!
interface 178.214.27.1 multibind
ip address 178.214.27.1/26
ip pool 178.214.27.0/26
ip access-group acl-in in
!
interface 192.168.31.1 multibind
ip address 192.168.31.1/26
ip pool 192.168.31.0/26
!
!
interface ge1 multibind
ip address 178.214.2.193/27
ip address 178.214.2.225/27 secondary
ip address 192.168.100.1/24 secondary
dhcp server interface
!
interface loop1 loopback
ip address 10.0.0.33/27
ip source-address telnet snmp ssh radius tacacs+ syslog dhcp-server tftp ftp
icmp-dest-unreachable icmp-time-exceed netop flow-ip
no logging console
!
ip access-list acl-in
seq 10 permit ip 192.168.0.0 0.0.255.255
!
policy access-list NORMAL_routerek
seq 10 permit ip any host 8.8.8.8 class CLS-DROP
seq 20 permit ip any 178.214.25.128 0.0.0.31 class CLS-DROP
seq 50 permit ip any any class CLS-NORMAL
!
policy access-list QOS1
seq 10 permit tcp any eq www any class HTTP
seq 11 permit tcp any eq 443 any class HTTP
seq 20 permit tcp any eq ftp-data any class FTP
seq 21 permit tcp any eq ftp any class FTP
seq 22 permit icmp any any class HIPRIO
seq 23 permit udp any eq domain any class HIPRIO
seq 100 permit ip any any class class-default
!
ppp keepalive check-interval seconds 30 data-check
!
aaa authentication administrator local
aaa authentication administrator maximum sessions 1
aaa authentication subscriber radius
radius coa server 10.0.0.1 encrypted-key XXXXXX port XXXX
!
radius server 10.0.0.1 encrypted-key XXXXXXXXXX
!
subscriber default
port-limit 1
ip source-validation
qos policy queuing 128SharedUserRx
dns primary 178.214.0.16
dns secondary 178.214.0.14
!
ip route 0.0.0.0/0 context mrouter
!
!
dhcp server policy
nak-on-subnet-deletion
option subnet-mask 255.255.255.0
option domain-name-server 178.214.0.16 178.214.0.14
option domain-name mtm-info.pl
offer-lease-time 300
default-lease-time 900
maximum-lease-time 900
subnet 178.214.2.192/27
option subnet-mask 255.255.255.224
option router 178.214.2.193
subnet 178.214.2.224/27
option subnet-mask 255.255.255.224
option router 178.214.2.225
subnet 192.168.100.0/24
option subnet-mask 255.255.255.0
option router 192.168.100.1
!
context mrouter
!
description REDBACK
!
no ip domain-lookup
!
interface mrouter2/3
ip address 178.214.0.1/27
ip address 10.0.0.2/27 secondary
no logging console
ip route 0.0.0.0/0 context bgp
ip route 10.0.0.32/27 context routerek
ip route 178.214.2.192/27 context routerek
ip route 178.214.2.224/27 context routerek
ip route 178.214.27.0/27 context routerek
ip route 178.214.29.0/24 context routerek
ip route 178.214.30.0/24 context routerek
!
! ** End Context **
logging tdm console
logging active
logging standby short
!
!
!
qos queue-map default
num-queues 2
queue 0 priority 0
queue 1 priority 1 2 3 4 5 6 7
num-queues 4
queue 0 priority 0
queue 1 priority 1 2
queue 2 priority 3 4 5 6
queue 3 priority 7
num-queues 8
queue 0 priority 0
queue 1 priority 1
queue 2 priority 2
queue 3 priority 3
queue 4 priority 4
queue 5 priority 5
queue 6 priority 6
queue 7 priority 7
!
qos congestion-avoidance-map CONGEST2 pwfq
queue 0 red profile-1 dscp 62 min-threshold 100 max-threshold 200 probability 5
queue 1 red profile-1 dscp 45 min-threshold 100 max-threshold 200 probability 5
queue 2 red profile-1 dscp af33 min-threshold 100 max-threshold 200 probability 5
queue 3 red profile-1 dscp df min-threshold 100 max-threshold 200 probability 5
!
qos congestion-avoidance-map CONGEST4 pwfq
queue 0 red profile-1 dscp 50 min-threshold 100 max-threshold 200 probability 5
queue 1 red profile-1 dscp 51 min-threshold 100 max-threshold 200 probability 5
queue 2 red profile-1 dscp 52 min-threshold 100 max-threshold 200 probability 5
queue 3 red profile-1 dscp df min-threshold 100 max-threshold 200 probability 5
!
qos policy 128SharedUserRx pwfq
rate maximum 1152
rate minimum 128
num-queues 4
queue 0 priority 0 weight 50
queue 1 priority 0 weight 30
queue 2 priority 0 weight 20
queue 3 priority 0 weight 10
!
forward policy NORMALPOLICY
ip access-group NORMAL_routerek routerek
class CLS-NORMAL
class CLS-DROP
drop
!
qos policy QOS1OUT policing
rate 1000 burst 100000
ip access-group QOS1 routerek
class HTTP
mark dscp 45
class HIPRIO
mark dscp 62
class FTP
mark dscp af33
class class-default
mark dscp df
!
!
qos policy QOS1POLICY metering
rate 1000 burst 100000
ip access-group QOS1 routerek
class HTTP
mark dscp 45
class HIPRIO
mark dscp 62
class FTP
mark dscp af33
class class-default
mark dscp df
!
qos policy QOSPOLICY metering
rate 1000 burst 100000
ip access-group QOS1 routerek
class PRIO1
mark dscp 50
class PRIO2
mark dscp 51
class PRIO3
mark dscp 52
class class-default
mark dscp df
!
!
qos policy default pwfq
rate maximum 1024
rate minimum 128
num-queues 1
queue 0 priority 0 weight 100
!
qos policy default-in policing
rate 2048 burst 750000
rate-calculation exclude layer-2-overhead
!
qos policy default-out metering
rate 2048 burst 750000
rate-calculation exclude layer-2-overhead
!
forward policy payment-redirect
ip access-group http-packets routerek
class xyz
redirect destination local
class abc
!
forward policy test
!
!
!
!
!
system clock timezone pl 0 0 local
!
malicious-traffic
logging rate-limit 20 burst 50
!
!
http-redirect server
port 80
!
!
card ge2-10-port 2
!
port ethernet 2/1
no shutdown
encapsulation dot1q
dot1q pvc 55 encapsulation multi
service clips dhcp context routerek
circuit protocol pppoe
bind authentication chap context routerek
!
port ethernet 2/3
description MROUTER
no shutdown
bind interface mrouter2/3 mrouter
!
port ethernet 2/10
shutdown
!
!
port ethernet 8/1
! XCRP management ports on slot 8 and 7 are configured through 8/1
no shutdown
bind interface mgnt local
!
boot configuration redback.cfg
!
ipv6 path-mtu-discovery discovery-interval 600
!
!
ssh server rate-drop 50
ssh server start-drop 5
!
system alarm redundancy suppress
system hostname se600
!
timeout session idle 30
!
!
!
pppoe services marked-domains
pppoe tag ac-name mtm-info.pl
pppoe always-send-padt
!
end
Thursday, October 31, 2013, 7:19:36 PM, you wrote:
> How is the NAT policy applied? Please send complete subscriber configuration. Thanks.
> On Thu, Oct 31, 2013 at 7:48 AM, Golem <golem at mtm-info.pl> wrote:
> Hello
> Still doesn't work.
> My config:
> nat logging-profile LogowanieNAT
> transport-protocol udp
> export-version v9
> dscp ef
> maximum ip-packet-size 1400
> source 10.0.0.33 port 5000
> destination 10.0.0.1 context mrouter port 5000
> !
> ip nat pool ip_test_lan1_nat napt paired-mode logging
> paired-mode subscriber over-subscription 32 port-limit 2000
> logging-profile LogowanieNat
> address 178.214.29.1/32 port-block 1 to 15
> address 178.214.29.2/32 port-block 1 to 15
> !
> ip nat pool ip_test_pppoe1_nat napt multibind
> address 178.214.30.1/32 port-block 1 to 15
> address 178.214.30.2/32 port-block 1 to 15
> !
> nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
> pool ip_test_lan1_nat routerek
> timeout tcp 18000
> timeout abandoned 3600
> endpoint-independent filtering tcp
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
> !
> nat policy ip_test_pppoe1_nat_policy
> ! Default class
> pool ip_test_pppoe1_nat routerek
> timeout tcp 18000
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
> interface loop1 loopback
> ip address 10.0.0.33/27
> ip source-address radius flow-ip
> no logging console
> I want to log ip_test_lan1_nat, which is now paired-mode; this context
> has both a paired-mode and a multibind NAT pool.
> Nothing is received on collector 10.0.0.1 (not a single packet
> received). The collector uses the same interface as RADIUS.
> Is there something more which I have to check?
> I also have a question about the collector IP address. I supplied
> destination 10.0.0.1 context mrouter port 5000
> because 10.0.0.1 is reachable over context mrouter. Is there any
> debug command which shows if the flow is active?
> [routerek]se600#show nat pool
> Pool-Grid Context-Id Type Rcrds Slot-Mask Pool-Name
> 0x00000003 0x40080003 napt/M 2 0x00000000 ip_test_pppoe1_nat
> 0x00000007 0x40080003 napt/PL 2 0x00000004 ip_test_lan1_nat
> [routerek]se600#show nat logging-profile
> Profile-Grid Context-Id Valid Profile-Name
> 0x00000001 0x40080003 yes LogowanieNAT
> Wednesday, October 30, 2013, 8:43:15 PM, you wrote:
> And I'm assuming you have the license for CGNAT, right?
> On Wed, Oct 30, 2013 at 4:40 PM, Tomas Lynch <tomas.lynch at gmail.com> wrote:
> Rafal,
> Problem is with keywords at the ip nat pool, you are using
> multibind and must use paired-mode. Here is a complete config that was tested on a SE1200 SEOS 11.x:
> context local
> !
> nat logging-profile LOGGING_PROF
> transport-protocol udp
> export-version v9
> source 10.10.10.10 port 2055
> destination 1.1.1.1 context local port 2055
> dscp ef
> !
> ! the following can be at any context including local
> !
> ip nat pool NAT_POOL napt paired-mode logging
> paired-mode subscriber over-subscription 100 port-limit 1000
> logging-profile LOGGING_PROF context local
> address 192.168.208.0/28
> !
> nat policy NAT_POLICY enhanced
> ! Default class
> pool NAT_POOL cgnat
> timeout abandoned 3600
> endpoint-independent filtering tcp
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
> On Wed, Oct 30, 2013 at 10:58 AM, Golem <golem at mtm-info.pl> wrote:
> Hello
> I'm trying to set up NAT logging; this is how my config looks:
> context routerek
> nat logging-profile LogowanieNAT
> transport-protocol udp
> export-version v9
> source 11.0.0.33 port 5000
> destination 11.0.0.1 port 5000
> ip nat pool ip_test_lan1_nat napt multibind logging
> logging-profile LogowanieNat
> address 178.214.29.1/32 port-block 1 to 15
> address 178.214.29.2/32 port-block 1 to 15
> nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
> pool ip_test_lan1_nat routerek
> timeout tcp 18000
> inbound-refresh udp
> icmp-notification
> !
> interface loop1 loopback
> ip address 11.0.0.33/27
> ip source-address radius flow-ip
> no logging console
> !
> !
> ....
> (config truncated)
> NAT does work, there is internet access etc., but collector 11.0.0.1 (Linux)
> is not receiving any packets on port 5000; tcpdump doesn't show anything.
> How do I debug NAT logging? debug nat all doesn't show anything useful about logging.
> Do I need to set up some additional config like a flow collector/flow profile for NAT logging
> to make it work?
> Rafal
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
--
Best regards,
Ozga Rafal mailto:golem at mtm-info.pl
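As a collector-side check for the setup discussed in this thread, here is an added example (not code from any of the posts or from SEOS) that binds the logging-profile's destination port, rejects datagrams that are not well-formed NetFlow v9, and flags datagrams that do not come from the profile's source address or that skip an export sequence number. The addresses and port are the ones from the thread; the sample packet is constructed for the offline self-check.

```python
"""Receive NetFlow v9 export packets on a UDP port and sanity-check them.

Added example for this thread, not part of the original posts. Assumes the
collector is a Linux host bound to the logging-profile's destination address
and port, and that exports arrive from the profile's source address.
"""
import socket
import struct

# v9 header: version, count, sysUptime, unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")

# Constructed sample packet: header with sequence 7, then one template flowset
# (id 0, 16 bytes) defining template 256 with two 4-byte fields (types 1 and 2).
SAMPLE_V9 = (V9_HEADER.pack(9, 1, 1234, 1383382399, 7, 0x40080003)
             + struct.pack("!HHHH", 0, 16, 256, 2)
             + struct.pack("!HHHH", 1, 4, 2, 4))


def parse_v9(packet):
    """Return header fields and (flowset id, length) pairs, or raise ValueError."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a v9 header (%d bytes)" % len(packet))
    version, count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError("expected NetFlow v9, got version %d" % version)
    flowsets, offset = [], V9_HEADER.size
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, offset))
        flowsets.append((fs_id, fs_len))
        offset += fs_len
    return {"count": count, "sequence": seq, "source_id": source_id, "flowsets": flowsets}


def listen(bind_addr, port, expected_src, max_packets=5):
    """Print one verdict per datagram; flag unexpected senders and sequence gaps."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    last_seq = None
    for _ in range(max_packets):
        data, (src, _) = sock.recvfrom(65535)
        try:
            info = parse_v9(data)
        except ValueError as exc:
            print("%s: rejected: %s" % (src, exc))
            continue
        note = "" if src == expected_src else " (UNEXPECTED SOURCE)"
        if last_seq is not None and info["sequence"] != last_seq + 1:
            note += " (sequence gap: export packets lost?)"  # v9 sequence counts export packets
        last_seq = info["sequence"]
        print("%s%s: seq %d source-id 0x%08x flowsets %s"
              % (src, note, info["sequence"], info["source_id"], info["flowsets"]))


if __name__ == "__main__":
    print(parse_v9(SAMPLE_V9))  # offline check of the parser on the constructed sample
    # listen("10.0.0.1", 5000, "10.0.0.33")  # values from the thread's logging-profile
```

If tcpdump on the collector shows nothing at all, the problem is upstream of this script (source address, inter-context route, or the pool's logging binding); the script is for the case where packets arrive but the collector software still shows no records.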