[rbak-nsp] NAT Logging

Golem golem at mtm-info.pl
Sun Nov 3 13:51:54 EST 2013


Hello

I have solved the problem by moving the nat logging-profile to the context with
the interface which is used to export flows, and then changed it to ip nat pool
logging-profile LogowanieNat context mrouter; looks like the loop interface can't
be used as source.

Seems like CGNAT logging uses custom fields in netflow; are there any
patches for nfdump available?

Saturday, November 2, 2013, 10:53:19 AM, you wrote:

> Hello

> I have been trying to find the problem, but no luck. Logging flows are not directed to the mgmt interface.


> Here is active subscriber:

> [routerek]se600(config-nat-profile)#show subscribers active
> 00:00:00:12:00:00
>         Session state Up
>         Circuit   2/1 vlan-id 55 clips 262195
>         Internal Circuit   2/1:511:63:31/7/2/51
>         Interface bound  ge1
>         Current port-limit 1
>         Protocol Stack IPV4
>         dhcp max-addrs 1 (applied)
>         ip address 192.168.100.4 (applied)
>         port-limit 1 (applied from sub_default)
>         ip source-validation 1 (applied from sub_default)
>         dns primary 178.214.0.16 (applied from sub_default)
>         dns secondary 178.214.0.14 (applied from sub_default)
>         dhcp vendor class id MSFT 5.0 (applied)
>         dhcp option client id 0x3d0701000000120000 (applied)
>         dhcp option hostname 0x0c05676f6c656d (applied)
>         qos rate outbound rate 90585 burst 16984500 (applied)
>         qos rate inbound rate 9585 burst 1797000 (applied)
>         qos-metering-policy default-out (applied)
>         qos-policing-policy default-in (applied)
>         nat policy-name ip_test_lan1_nat_policy (applied)
>         forward policy in NORMALPOLICY (applied)
>         qos-queuing-policy 128SharedUserRx (applied from sub_default)
>           IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
>                 192.168.100.4    00:00:00:12:00:00
> [routerek]se600(config-nat-profile)#


> This is complete config:



> service multiple-contexts
> !
> service inter-context routing
> !
> !
> !
>  software license
>   nat enhanced xxxxxxxxxxxxxxxxxxx
> !
> !
> !

> context local
> !
>  no ip domain-lookup
> !
>  interface mgnt
>   ip address 11.11.11.1/27
>  logging console
> !
>  ip access-list admin-access
>   seq 10 permit tcp any any eq ssh
>   seq 20 deny tcp any any eq telnet
> !
>  http-redirect profile Payment
> !
>  enable encrypted xxxxxxxxxxxxxx
> !
> !
>  administrator admin encrypted xxxxxxx

> !
> !
>  
> !
> !
> !
> !

> context routerek
>  domain pvc55 advertise
> !
>  no ip domain-lookup
> !
>  nat logging-profile LogowanieNAT
>   transport-protocol udp
>   export-version v9
>   dscp ef
>   maximum ip-packet-size 200
>   source 10.0.0.33 port 5000
>   destination 10.0.0.1 context mrouter port 5000
> !
> !
>  ip nat pool ip_test_lan1_nat napt paired-mode logging
>   paired-mode subscriber over-subscription 32 port-limit 2000
>   logging-profile LogowanieNat
>   address 178.214.29.1/32 port-block 1 to 15
>   address 178.214.29.2/32 port-block 1 to 15
> !
>  ip nat pool ip_test_pppoe1_nat napt paired-mode logging
>   paired-mode subscriber over-subscription 32 port-limit 2000
>   logging-profile LogowanieNat
>   address 178.214.30.1/32 port-block 1 to 15
>   address 178.214.30.2/32 port-block 1 to 15

> !
>  nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
>   pool ip_test_lan1_nat routerek
>   timeout tcp 18000
>   timeout abandoned 3600
>   endpoint-independent filtering tcp
>   endpoint-independent filtering udp
>   inbound-refresh udp
>   icmp-notification
> !
>  nat policy ip_test_pppoe1_nat_policy enhanced
> ! Default class
>   pool ip_test_pppoe1_nat routerek
>   timeout tcp 18000
>   inbound-refresh udp
>   icmp-notification
> !
>  interface 178.214.27.1 multibind
>   ip address 178.214.27.1/26
>   ip pool 178.214.27.0/26
>   ip access-group acl-in in
> !
>  interface 192.168.31.1 multibind
>   ip address 192.168.31.1/26
>   ip pool 192.168.31.0/26
> !
> !
>  interface ge1 multibind
>   ip address 178.214.2.193/27
>   ip address 178.214.2.225/27 secondary
>   ip address 192.168.100.1/24 secondary
>   dhcp server interface
> !
>  interface loop1 loopback
>   ip address 10.0.0.33/27
>    ip source-address telnet snmp ssh radius tacacs+ syslog dhcp-server tftp ftp icmp-dest-unreachable icmp-time-exceed netop flow-ip
>  no logging console
> !
>  ip access-list acl-in
>   seq 10 permit ip 192.168.0.0 0.0.255.255
> !
>  policy access-list NORMAL_routerek
>   seq 10 permit ip any host 8.8.8.8 class CLS-DROP
>   seq 20 permit ip any 178.214.25.128 0.0.0.31 class CLS-DROP
>   seq 50 permit ip any any class CLS-NORMAL
> !
>  policy access-list QOS1
>   seq 10 permit tcp any eq www any class HTTP
>   seq 11 permit tcp any eq 443 any class HTTP
>   seq 20 permit tcp any eq ftp-data any class FTP
>   seq 21 permit tcp any eq ftp any class FTP
>   seq 22 permit icmp any any class HIPRIO
>   seq 23 permit udp any eq domain any class HIPRIO
>   seq 100 permit ip any any class class-default
> !


>  ppp keepalive check-interval seconds 30 data-check

> !
>  aaa authentication administrator local
>  aaa authentication administrator maximum sessions 1
>  aaa authentication subscriber radius
>  radius coa server 10.0.0.1 encrypted-key XXXXXX port XXXX
> !
>  radius server 10.0.0.1 encrypted-key XXXXXXXXXX
> !
>  subscriber default
>    port-limit 1
>    ip source-validation
>    qos policy queuing 128SharedUserRx
>    dns primary 178.214.0.16
>    dns secondary 178.214.0.14
> !
>  ip route 0.0.0.0/0 context mrouter
> !

> !
>  dhcp server policy
>    nak-on-subnet-deletion
>    option subnet-mask 255.255.255.0
>    option domain-name-server 178.214.0.16 178.214.0.14
>    option domain-name mtm-info.pl
>    offer-lease-time 300
>    default-lease-time 900
>    maximum-lease-time 900
>    subnet 178.214.2.192/27
>      option subnet-mask 255.255.255.224
>      option router 178.214.2.193
>    subnet 178.214.2.224/27
>      option subnet-mask 255.255.255.224
>      option router 178.214.2.225
>    subnet 192.168.100.0/24
>      option subnet-mask 255.255.255.0
>      option router 192.168.100.1
> !

> context mrouter
> !
>  description  REDBACK
> !
>  no ip domain-lookup
> !
>  interface mrouter2/3
>   ip address 178.214.0.1/27
>   ip address 10.0.0.2/27 secondary
>  no logging console


> ip route 0.0.0.0/0 context bgp
> ip route 10.0.0.32/27 context routerek
>  ip route 178.214.2.192/27 context routerek
>  ip route 178.214.2.224/27 context routerek


> ip route 178.214.27.0/27 context routerek
>  ip route 178.214.29.0/24 context routerek
>  ip route 178.214.30.0/24 context routerek



> !
> ! ** End Context **
> logging tdm console
> logging active
> logging standby short
> !
> !
> !


> qos queue-map default
>  num-queues 2
>   queue 0 priority 0
>   queue 1 priority 1 2 3 4 5 6 7
>  num-queues 4
>   queue 0 priority 0
>   queue 1 priority 1 2
>   queue 2 priority 3 4 5 6
>   queue 3 priority 7
>  num-queues 8
>   queue 0 priority 0
>   queue 1 priority 1
>   queue 2 priority 2
>   queue 3 priority 3
>   queue 4 priority 4
>   queue 5 priority 5
>   queue 6 priority 6
>   queue 7 priority 7
> !
> qos congestion-avoidance-map CONGEST2 pwfq
>  queue 0 red profile-1 dscp 62 min-threshold 100 max-threshold 200 probability 5
>  queue 1 red profile-1 dscp 45 min-threshold 100 max-threshold 200 probability 5
>  queue 2 red profile-1 dscp af33 min-threshold 100 max-threshold 200 probability 5
>  queue 3 red profile-1 dscp df min-threshold 100 max-threshold 200 probability 5
> !
> qos congestion-avoidance-map CONGEST4 pwfq
>  queue 0 red profile-1 dscp 50 min-threshold 100 max-threshold 200 probability 5
>  queue 1 red profile-1 dscp 51 min-threshold 100 max-threshold 200 probability 5
>  queue 2 red profile-1 dscp 52 min-threshold 100 max-threshold 200 probability 5
>  queue 3 red profile-1 dscp df min-threshold 100 max-threshold 200 probability 5
> !

> qos policy 128SharedUserRx pwfq
>  rate maximum 1152
>  rate minimum 128
>  num-queues 4
>  queue 0 priority 0 weight 50
>  queue 1 priority 0 weight 30
>  queue 2 priority 0 weight 20
>  queue 3 priority 0 weight 10
> !
> forward policy NORMALPOLICY
>  ip access-group NORMAL_routerek routerek
>   class CLS-NORMAL
>   class CLS-DROP
>    drop
> !
> qos policy QOS1OUT policing
>  rate 1000 burst 100000
>  ip access-group QOS1 routerek
>   class HTTP
>    mark dscp 45
>   class HIPRIO
>    mark dscp 62
>   class FTP
>    mark dscp af33
>   class class-default
>    mark dscp df
> !

> !
> qos policy QOS1POLICY metering
>  rate 1000 burst 100000
>  ip access-group QOS1 routerek
>   class HTTP
>    mark dscp 45
>   class HIPRIO
>    mark dscp 62
>   class FTP
>    mark dscp af33
>   class class-default
>    mark dscp df

> !
> qos policy QOSPOLICY metering
>  rate 1000 burst 100000
>  ip access-group QOS1 routerek
>   class PRIO1
>    mark dscp 50
>   class PRIO2
>    mark dscp 51
>   class PRIO3
>    mark dscp 52
>   class class-default
>    mark dscp df
> !


> !
> qos policy default pwfq
>  rate maximum 1024
>  rate minimum 128
>  num-queues 1
>  queue 0 priority 0 weight 100
> !
> qos policy default-in policing
>  rate 2048 burst 750000
>  rate-calculation exclude layer-2-overhead
> !
> qos policy default-out metering
>  rate 2048 burst 750000
>  rate-calculation exclude layer-2-overhead
> !
> forward policy payment-redirect
>  ip access-group http-packets routerek
>   class xyz
>    redirect destination local
>   class abc
> !
> forward policy test
> !
> !
> !
> !

> !
>  system clock timezone pl 0 0 local
> !
> malicious-traffic
> logging rate-limit 20 burst 50
> !
> !
> http-redirect server
>  port 80
> !


> !
> card ge2-10-port 2
> !
> port ethernet 2/1
>  no shutdown
>  encapsulation dot1q
>  dot1q pvc 55 encapsulation multi
>   service clips dhcp context routerek
>   circuit protocol pppoe
>    bind authentication chap context routerek
> !
> port ethernet 2/3
>  description MROUTER
>  no shutdown
>  bind interface mrouter2/3 mrouter
> !

> port ethernet 2/10
>  shutdown
> !
> !
> port ethernet 8/1
> ! XCRP management ports on slot 8 and 7 are configured through 8/1
>  no shutdown
>  bind interface mgnt local
> !
> boot configuration redback.cfg
> !
> ipv6 path-mtu-discovery discovery-interval 600
> !
> !
> ssh server rate-drop 50
> ssh server start-drop 5
> !
> system alarm redundancy suppress
> system hostname se600
> !
> timeout session idle 30
> !
> !
> !
>  pppoe services marked-domains
>  pppoe tag ac-name mtm-info.pl
>  pppoe always-send-padt
> !
> end

> Thursday, October 31, 2013, 7:19:36 PM, you wrote:

>> How is the NAT policy applied? Please send complete subscriber configuration. Thanks.


>> On Thu, Oct 31, 2013 at 7:48 AM, Golem <golem at mtm-info.pl> wrote:
>> Hello
>> Still doesn't work. 

>> My config:

>>  nat logging-profile LogowanieNAT
>>   transport-protocol udp
>>   export-version v9
>>   dscp ef
>>   maximum ip-packet-size 1400
>>   source 10.0.0.33 port 5000
>>   destination 10.0.0.1 context mrouter port 5000

>> !

>>  ip nat pool ip_test_lan1_nat napt paired-mode logging
>>   paired-mode subscriber over-subscription 32 port-limit 2000

>>   logging-profile LogowanieNat
>>   address 178.214.29.1/32 port-block 1 to 15
>>   address 178.214.29.2/32 port-block 1 to 15
>> !

>>  ip nat pool ip_test_pppoe1_nat napt multibind
>>   address 178.214.30.1/32 port-block 1 to 15
>>   address 178.214.30.2/32 port-block 1 to 15


>> !
>>  nat policy ip_test_lan1_nat_policy enhanced
>> ! Default class
>>   pool ip_test_lan1_nat routerek
>>   timeout tcp 18000
>>   timeout abandoned 3600
>>   endpoint-independent filtering tcp
>>   endpoint-independent filtering udp
>>   inbound-refresh udp
>>   icmp-notification

>> !
>>  nat policy ip_test_pppoe1_nat_policy
>> ! Default class
>>   pool ip_test_pppoe1_nat routerek
>>   timeout tcp 18000

>>   endpoint-independent filtering udp
>>   inbound-refresh udp
>>   icmp-notification


>>  interface loop1 loopback
>>   ip address 10.0.0.33/27

>>    ip source-address radius flow-ip
>>  no logging console


>> I want to log ip_test_lan1_nat, which is now paired-mode; this context
>> has both paired-mode and multibind nat pools.
>> There is nothing received on collector 10.0.0.1 (not a single packet
>> received). The collector uses the same interface as radius.
>> Is there something more which I have to check?
>> I also have a question about the collector ip address. I supplied
>> destination 10.0.0.1 context mrouter port 5000
>> because 10.0.0.1 is reachable over context mrouter. Is there any
>> debug command which shows if the flow is active?

>> [routerek]se600#show nat pool
>> Pool-Grid  Context-Id Type    Rcrds Slot-Mask  Pool-Name
>> 0x00000003 0x40080003 napt/M      2 0x00000000 ip_test_pppoe1_nat
>> 0x00000007 0x40080003 napt/PL     2 0x00000004 ip_test_lan1_nat

>> [routerek]se600#show nat logging-profile
>> Profile-Grid  Context-Id Valid Profile-Name
>> 0x00000001    0x40080003 yes   LogowanieNAT

>> Wednesday, October 30, 2013, 8:43:15 PM, you wrote:


>> And I'm assuming you have the license for CGNAT, right?


>> On Wed, Oct 30, 2013 at 4:40 PM, Tomas Lynch <tomas.lynch at gmail.com> wrote:
>> Rafal,

>> The problem is with the keywords at the ip nat pool: you are using
>> multibind and must use paired-mode. Here is a complete config that was tested on a SE1200 SEOS 11.x:

>> context local
>> !
>>  nat logging-profile LOGGING_PROF
>>   transport-protocol udp
>>   export-version v9
>>   source 10.10.10.10 port 2055
>>   destination 1.1.1.1 context local port 2055
>>   dscp ef
>> !
>> ! the following can be at any context including local
>> !
>>  ip nat pool NAT_POOL napt paired-mode logging
>>   paired-mode subscriber over-subscription 100 port-limit 1000
>>   logging-profile LOGGING_PROF context local
>>   address 192.168.208.0/28
>> !
>>  nat policy NAT_POLICY enhanced
>> ! Default class
>>   pool NAT_POOL cgnat
>>   timeout abandoned 3600
>>   endpoint-independent filtering tcp
>>   endpoint-independent filtering udp
>>   inbound-refresh udp
>>   icmp-notification

>> On Wed, Oct 30, 2013 at 10:58 AM, Golem <golem at mtm-info.pl> wrote:
>> Hello

>> I'm trying to set up NAT logging; this is how my config looks:

>> context routerek


>>  nat logging-profile LogowanieNAT
>>   transport-protocol udp
>>   export-version v9
>>   source 11.0.0.33 port 5000
>>   destination 11.0.0.1 port 5000


>>  ip nat pool ip_test_lan1_nat napt multibind logging
>>   logging-profile LogowanieNat
>>   address 178.214.29.1/32 port-block 1 to 15
>>   address 178.214.29.2/32 port-block 1 to 15


>>   nat policy ip_test_lan1_nat_policy enhanced
>> ! Default class
>>   pool ip_test_lan1_nat routerek
>>   timeout tcp 18000
>>   inbound-refresh udp
>>   icmp-notification
>> !
>>  interface loop1 loopback
>>   ip address 11.0.0.33/27
>>    ip source-address radius flow-ip
>>  no logging console
>> !
>> !
>> ....
>> (config truncated)



>> NAT does work, there is internet access etc., but the collector 11.0.0.1 (linux)
>> is not receiving any packets on port 5000; tcpdump doesn't show anything.
>> How to debug NAT logging? debug nat all doesn't show anything useful about logging.
>> Do I need to set up some additional config like a flow collector/flow profile for nat logging
>> to make it work?

>> Rafal




>> _______________________________________________
>> redback-nsp mailing list
>> redback-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/redback-nsp

-- 
Best regards,
Ozga Rafal                          mailto:golem at mtm-info.pl
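One way to see what the SE's v9 export actually carries before hunting for nfdump patches, as an added example that is not from this thread nor from any Redback or nfdump code: a minimal NetFlow v9 decoder that parses template and data flowsets and reports field IDs it does not know as field_<id> with their raw value instead of dropping them. The NAT element numbers 225/227/230 are the IANA IPFIX assignments; that SEOS uses those same numbers is an assumption, and the sample packet (including the made-up vendor field 9999) is constructed here.

```python
import struct
# IANA NAT element IDs (assumed for this constructed sample; not confirmed for SEOS). Any
# other ID is still decoded and reported as field_<id>, so vendor-specific CGNAT fields stay visible.
FIELD_NAMES = {
    8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port", 4: "proto",
    225: "post_nat_src_addr", 227: "post_napt_src_port", 230: "nat_event",
}
def decode_field(fid, raw):  # dotted quad for IPv4 IDs, int for 1/2/4/8-byte fields, else hex
    name = FIELD_NAMES.get(fid, f"field_{fid}")
    if fid in (8, 12, 225) and len(raw) == 4:
        return name, ".".join(str(b) for b in raw)
    if len(raw) in (1, 2, 4, 8):
        return name, int.from_bytes(raw, "big")
    return name, raw.hex()

def parse_v9(pkt):
    """Return (header dict, list of record dicts) for one NetFlow v9 export packet."""
    ver, count, _uptime, _secs, seq, src_id = struct.unpack("!HHIIII", pkt[:20])
    assert ver == 9, f"not NetFlow v9 (version {ver})"
    templates, records, off = {}, [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more (template id, field list) entries
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256 and fs_id in templates:  # data flowset whose template we have seen
            fields = templates[fs_id]
            rec_len, p = sum(l for _, l in fields), 0
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec, q = {}, p
                for fid, flen in fields:
                    name, val = decode_field(fid, body[q:q + flen])
                    rec[name], q = val, q + flen
                records.append(rec)
                p += rec_len
        off += fs_len
    return {"count": count, "seq": seq, "source_id": src_id}, records

def build_sample():
    """Constructed packet: template 256 plus one NAT44 record (field 9999 is a made-up vendor ID)."""
    fields = [(8, 4), (7, 2), (225, 4), (227, 2), (4, 1), (230, 1), (9999, 2)]
    tpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (bytes([192, 168, 100, 4]) + struct.pack("!H", 51234) + bytes([178, 214, 29, 1])
           + struct.pack("!H", 1025) + bytes([6, 1]) + b"\xab\xcd")
    hdr = struct.pack("!HHIIII", 9, 2, 1000, 1383000000, 1, 0x40080003)
    return hdr + struct.pack("!HH", 0, 4 + len(tpl)) + tpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
```

Feeding real UDP payloads captured on the collector (e.g. from tcpdump) through parse_v9 shows which field IDs the export uses, which is the information a collector patch would need.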
