[rbak-nsp] NAT Logging
Golem
golem at mtm-info.pl
Sun Nov 3 13:51:54 EST 2013
Hello
I have solved the problem by moving the nat logging-profile to the context with the
interface which is used to export flows and then changed ip nat pool
logging-profile LogowanieNat context mrouter; it looks like a loop interface can't
be used as source.
It seems CGNAT logging uses custom fields in netflow; are there any
patches for Nfdump available?
Saturday, November 2, 2013, 10:53:19 AM, you wrote:
> Hello
> I have been trying to find the problem, but no luck. Logging flows are not directed to the mgmt interface.
> Here is active subscriber:
> [routerek]se600(config-nat-profile)#show subscribers active
> 00:00:00:12:00:00
> Session state Up
> Circuit 2/1 vlan-id 55 clips 262195
> Internal Circuit 2/1:511:63:31/7/2/51
> Interface bound ge1
> Current port-limit 1
> Protocol Stack IPV4
> dhcp max-addrs 1 (applied)
> ip address 192.168.100.4 (applied)
> port-limit 1 (applied from sub_default)
> ip source-validation 1 (applied from sub_default)
> dns primary 178.214.0.16 (applied from sub_default)
> dns secondary 178.214.0.14 (applied from sub_default)
> dhcp vendor class id MSFT 5.0 (applied)
> dhcp option client id 0x3d0701000000120000 (applied)
> dhcp option hostname 0x0c05676f6c656d (applied)
> qos rate outbound rate 90585 burst 16984500 (applied)
> qos rate inbound rate 9585 burst 1797000 (applied)
> qos-metering-policy default-out (applied)
> qos-policing-policy default-in (applied)
> nat policy-name ip_test_lan1_nat_policy (applied)
> forward policy in NORMALPOLICY (applied)
> qos-queuing-policy 128SharedUserRx (applied from sub_default)
> IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
> 192.168.100.4 00:00:00:12:00:00
> [routerek]se600(config-nat-profile)#
> This is complete config:
> service multiple-contexts
> !
> service inter-context routing
> !
> !
> !
> software license
> nat enhanced xxxxxxxxxxxxxxxxxxx
> !
> !
> !
> context local
> !
> no ip domain-lookup
> !
> interface mgnt
> ip address 11.11.11.1/27
> logging console
> !
> ip access-list admin-access
> seq 10 permit tcp any any eq ssh
> seq 20 deny tcp any any eq telnet
> !
> http-redirect profile Payment
> !
> enable encrypted xxxxxxxxxxxxxx
> !
> !
> administrator admin encrypted xxxxxxx
> !
> !
>
> !
> !
> !
> !
> context routerek
> domain pvc55 advertise
> !
> no ip domain-lookup
> !
> nat logging-profile LogowanieNAT
> transport-protocol udp
> export-version v9
> dscp ef
> maximum ip-packet-size 200
> source 10.0.0.33 port 5000
> destination 10.0.0.1 context mrouter port 5000
> !
> !
> ip nat pool ip_test_lan1_nat napt paired-mode logging
> paired-mode subscriber over-subscription 32 port-limit 2000
> logging-profile LogowanieNat
> address 178.214.29.1/32 port-block 1 to 15
> address 178.214.29.2/32 port-block 1 to 15
> !
> ip nat pool ip_test_pppoe1_nat napt paired-mode logging
> paired-mode subscriber over-subscription 32 port-limit 2000
> logging-profile LogowanieNat
> address 178.214.30.1/32 port-block 1 to 15
> address 178.214.30.2/32 port-block 1 to 15
> !
> nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
> pool ip_test_lan1_nat routerek
> timeout tcp 18000
> timeout abandoned 3600
> endpoint-independent filtering tcp
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
> !
> nat policy ip_test_pppoe1_nat_policy enhanced
> ! Default class
> pool ip_test_pppoe1_nat routerek
> timeout tcp 18000
> inbound-refresh udp
> icmp-notification
> !
> interface 178.214.27.1 multibind
> ip address 178.214.27.1/26
> ip pool 178.214.27.0/26
> ip access-group acl-in in
> !
> interface 192.168.31.1 multibind
> ip address 192.168.31.1/26
> ip pool 192.168.31.0/26
> !
> !
> interface ge1 multibind
> ip address 178.214.2.193/27
> ip address 178.214.2.225/27 secondary
> ip address 192.168.100.1/24 secondary
> dhcp server interface
> !
> interface loop1 loopback
> ip address 10.0.0.33/27
> ip source-address telnet snmp ssh radius tacacs+ syslog dhcp-server tftp ftp
> icmp-dest-unreachable icmp-time-exceed netop flow-ip
> no logging console
> !
> ip access-list acl-in
> seq 10 permit ip 192.168.0.0 0.0.255.255
> !
> policy access-list NORMAL_routerek
> seq 10 permit ip any host 8.8.8.8 class CLS-DROP
> seq 20 permit ip any 178.214.25.128 0.0.0.31 class CLS-DROP
> seq 50 permit ip any any class CLS-NORMAL
> !
> policy access-list QOS1
> seq 10 permit tcp any eq www any class HTTP
> seq 11 permit tcp any eq 443 any class HTTP
> seq 20 permit tcp any eq ftp-data any class FTP
> seq 21 permit tcp any eq ftp any class FTP
> seq 22 permit icmp any any class HIPRIO
> seq 23 permit udp any eq domain any class HIPRIO
> seq 100 permit ip any any class class-default
> !
> ppp keepalive check-interval seconds 30 data-check
> !
> aaa authentication administrator local
> aaa authentication administrator maximum sessions 1
> aaa authentication subscriber radius
> radius coa server 10.0.0.1 encrypted-key XXXXXX port XXXX
> !
> radius server 10.0.0.1 encrypted-key XXXXXXXXXX
> !
> subscriber default
> port-limit 1
> ip source-validation
> qos policy queuing 128SharedUserRx
> dns primary 178.214.0.16
> dns secondary 178.214.0.14
> !
> ip route 0.0.0.0/0 context mrouter
> !
> !
> dhcp server policy
> nak-on-subnet-deletion
> option subnet-mask 255.255.255.0
> option domain-name-server 178.214.0.16 178.214.0.14
> option domain-name mtm-info.pl
> offer-lease-time 300
> default-lease-time 900
> maximum-lease-time 900
> subnet 178.214.2.192/27
> option subnet-mask 255.255.255.224
> option router 178.214.2.193
> subnet 178.214.2.224/27
> option subnet-mask 255.255.255.224
> option router 178.214.2.225
> subnet 192.168.100.0/24
> option subnet-mask 255.255.255.0
> option router 192.168.100.1
> !
> context mrouter
> !
> description REDBACK
> !
> no ip domain-lookup
> !
> interface mrouter2/3
> ip address 178.214.0.1/27
> ip address 10.0.0.2/27 secondary
> no logging console
> ip route 0.0.0.0/0 context bgp
> ip route 10.0.0.32/27 context routerek
> ip route 178.214.2.192/27 context routerek
> ip route 178.214.2.224/27 context routerek
> ip route 178.214.27.0/27 context routerek
> ip route 178.214.29.0/24 context routerek
> ip route 178.214.30.0/24 context routerek
> !
> ! ** End Context **
> logging tdm console
> logging active
> logging standby short
> !
> !
> !
> qos queue-map default
> num-queues 2
> queue 0 priority 0
> queue 1 priority 1 2 3 4 5 6 7
> num-queues 4
> queue 0 priority 0
> queue 1 priority 1 2
> queue 2 priority 3 4 5 6
> queue 3 priority 7
> num-queues 8
> queue 0 priority 0
> queue 1 priority 1
> queue 2 priority 2
> queue 3 priority 3
> queue 4 priority 4
> queue 5 priority 5
> queue 6 priority 6
> queue 7 priority 7
> !
> qos congestion-avoidance-map CONGEST2 pwfq
> queue 0 red profile-1 dscp 62 min-threshold 100 max-threshold 200 probability 5
> queue 1 red profile-1 dscp 45 min-threshold 100 max-threshold 200 probability 5
> queue 2 red profile-1 dscp af33 min-threshold 100 max-threshold 200 probability 5
> queue 3 red profile-1 dscp df min-threshold 100 max-threshold 200 probability 5
> !
> qos congestion-avoidance-map CONGEST4 pwfq
> queue 0 red profile-1 dscp 50 min-threshold 100 max-threshold 200 probability 5
> queue 1 red profile-1 dscp 51 min-threshold 100 max-threshold 200 probability 5
> queue 2 red profile-1 dscp 52 min-threshold 100 max-threshold 200 probability 5
> queue 3 red profile-1 dscp df min-threshold 100 max-threshold 200 probability 5
> !
> qos policy 128SharedUserRx pwfq
> rate maximum 1152
> rate minimum 128
> num-queues 4
> queue 0 priority 0 weight 50
> queue 1 priority 0 weight 30
> queue 2 priority 0 weight 20
> queue 3 priority 0 weight 10
> !
> forward policy NORMALPOLICY
> ip access-group NORMAL_routerek routerek
> class CLS-NORMAL
> class CLS-DROP
> drop
> !
> qos policy QOS1OUT policing
> rate 1000 burst 100000
> ip access-group QOS1 routerek
> class HTTP
> mark dscp 45
> class HIPRIO
> mark dscp 62
> class FTP
> mark dscp af33
> class class-default
> mark dscp df
> !
> !
> qos policy QOS1POLICY metering
> rate 1000 burst 100000
> ip access-group QOS1 routerek
> class HTTP
> mark dscp 45
> class HIPRIO
> mark dscp 62
> class FTP
> mark dscp af33
> class class-default
> mark dscp df
> !
> qos policy QOSPOLICY metering
> rate 1000 burst 100000
> ip access-group QOS1 routerek
> class PRIO1
> mark dscp 50
> class PRIO2
> mark dscp 51
> class PRIO3
> mark dscp 52
> class class-default
> mark dscp df
> !
> !
> qos policy default pwfq
> rate maximum 1024
> rate minimum 128
> num-queues 1
> queue 0 priority 0 weight 100
> !
> qos policy default-in policing
> rate 2048 burst 750000
> rate-calculation exclude layer-2-overhead
> !
> qos policy default-out metering
> rate 2048 burst 750000
> rate-calculation exclude layer-2-overhead
> !
> forward policy payment-redirect
> ip access-group http-packets routerek
> class xyz
> redirect destination local
> class abc
> !
> forward policy test
> !
> !
> !
> !
> !
> system clock timezone pl 0 0 local
> !
> malicious-traffic
> logging rate-limit 20 burst 50
> !
> !
> http-redirect server
> port 80
> !
> !
> card ge2-10-port 2
> !
> port ethernet 2/1
> no shutdown
> encapsulation dot1q
> dot1q pvc 55 encapsulation multi
> service clips dhcp context routerek
> circuit protocol pppoe
> bind authentication chap context routerek
> !
> port ethernet 2/3
> description MROUTER
> no shutdown
> bind interface mrouter2/3 mrouter
> !
> port ethernet 2/10
> shutdown
> !
> !
> port ethernet 8/1
> ! XCRP management ports on slot 8 and 7 are configured through 8/1
> no shutdown
> bind interface mgnt local
> !
> boot configuration redback.cfg
> !
> ipv6 path-mtu-discovery discovery-interval 600
> !
> !
> ssh server rate-drop 50
> ssh server start-drop 5
> !
> system alarm redundancy suppress
> system hostname se600
> !
> timeout session idle 30
> !
> !
> !
> pppoe services marked-domains
> pppoe tag ac-name mtm-info.pl
> pppoe always-send-padt
> !
> end
> Thursday, October 31, 2013, 7:19:36 PM, you wrote:
>> How is the NAT policy applied? Please send complete subscriber configuration. Thanks.
>> On Thu, Oct 31, 2013 at 7:48 AM, Golem <golem at mtm-info.pl> wrote:
>> Hello
>> Still doesn't work.
>> My config:
>> nat logging-profile LogowanieNAT
>> transport-protocol udp
>> export-version v9
>> dscp ef
>> maximum ip-packet-size 1400
>> source 10.0.0.33 port 5000
>> destination 10.0.0.1 context mrouter port 5000
>> !
>> ip nat pool ip_test_lan1_nat napt paired-mode logging
>> paired-mode subscriber over-subscription 32 port-limit 2000
>> logging-profile LogowanieNat
>> address 178.214.29.1/32 port-block 1 to 15
>> address 178.214.29.2/32 port-block 1 to 15
>> !
>> ip nat pool ip_test_pppoe1_nat napt multibind
>> address 178.214.30.1/32 port-block 1 to 15
>> address 178.214.30.2/32 port-block 1 to 15
>> !
>> nat policy ip_test_lan1_nat_policy enhanced
>> ! Default class
>> pool ip_test_lan1_nat routerek
>> timeout tcp 18000
>> timeout abandoned 3600
>> endpoint-independent filtering tcp
>> endpoint-independent filtering udp
>> inbound-refresh udp
>> icmp-notification
>> !
>> nat policy ip_test_pppoe1_nat_policy
>> ! Default class
>> pool ip_test_pppoe1_nat routerek
>> timeout tcp 18000
>> endpoint-independent filtering udp
>> inbound-refresh udp
>> icmp-notification
>> interface loop1 loopback
>> ip address 10.0.0.33/27
>> ip source-address radius flow-ip
>> no logging console
>> I want to log ip_test_lan1_nat which is now paired-mode; this context
>> has both paired-mode and multibind nat pools.
>> There is nothing received on collector 10.0.0.1 (not a single packet
>> received). The collector is using the same interface as radius.
>> Is there something more which I have to check?
>> I also have a question about the collector ip address. I supplied
>> destination 10.0.0.1 context mrouter port 5000
>> because 10.0.0.1 is reachable over context mrouter. Is there any
>> debug command which shows if the flow is active?
>> [routerek]se600#show nat pool
>> Pool-Grid Context-Id Type Rcrds Slot-Mask Pool-Name
>> 0x00000003 0x40080003 napt/M 2 0x00000000 ip_test_pppoe1_nat
>> 0x00000007 0x40080003 napt/PL 2 0x00000004 ip_test_lan1_nat
>> [routerek]se600#show nat logging-profile
>> Profile-Grid Context-Id Valid Profile-Name
>> 0x00000001 0x40080003 yes LogowanieNAT
>> Wednesday, October 30, 2013, 8:43:15 PM, you wrote:
>> And I'm assuming you have the license for CGNAT, right?
>> On Wed, Oct 30, 2013 at 4:40 PM, Tomas Lynch <tomas.lynch at gmail.com> wrote:
>> Rafal,
>> Problem is with keywords at the ip nat pool, you are using
>> multibind and must use paired-mode. Here is a complete config that was tested on a SE1200 SEOS 11.x:
>> context local
>> !
>> nat logging-profile LOGGING_PROF
>> transport-protocol udp
>> export-version v9
>> source 10.10.10.10 port 2055
>> destination 1.1.1.1 context local port 2055
>> dscp ef
>> !
>> ! the following can be at any context including local
>> !
>> ip nat pool NAT_POOL napt paired-mode logging
>> paired-mode subscriber over-subscription 100 port-limit 1000
>> logging-profile LOGGING_PROF context local
>> address 192.168.208.0/28
>> !
>> nat policy NAT_POLICY enhanced
>> ! Default class
>> pool NAT_POOL cgnat
>> timeout abandoned 3600
>> endpoint-independent filtering tcp
>> endpoint-independent filtering udp
>> inbound-refresh udp
>> icmp-notification
>> On Wed, Oct 30, 2013 at 10:58 AM, Golem <golem at mtm-info.pl> wrote:
>> Hello
>> I'm trying to set up NAT logging; this is how my config looks:
>> context routerek
>> nat logging-profile LogowanieNAT
>> transport-protocol udp
>> export-version v9
>> source 11.0.0.33 port 5000
>> destination 11.0.0.1 port 5000
>> ip nat pool ip_test_lan1_nat napt multibind logging
>> logging-profile LogowanieNat
>> address 178.214.29.1/32 port-block 1 to 15
>> address 178.214.29.2/32 port-block 1 to 15
>> nat policy ip_test_lan1_nat_policy enhanced
>> ! Default class
>> pool ip_test_lan1_nat routerek
>> timeout tcp 18000
>> inbound-refresh udp
>> icmp-notification
>> !
>> interface loop1 loopback
>> ip address 11.0.0.33/27
>> ip source-address radius flow-ip
>> no logging console
>> !
>> !
>> ....
>> (config truncated)
>> NAT does work, there is internet access etc., but collector 11.0.0.1 (linux)
>> is not receiving any packets on port 5000; tcpdump doesn't show anything.
>> How to debug NAT logging? debug nat all - doesn't show anything useful about logging.
>> Do I need to set up some additional config like a flow collector/flow profile for nat logging
>> to make it work?
>> Rafal
>> _______________________________________________
>> redback-nsp mailing list
>> redback-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/redback-nsp
--
Best regards,
Ozga Rafal mailto:golem at mtm-info.pl
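Before looking for collector patches, it helps to see which field types the exporter actually announces in its v9 templates. Added example, not code from the thread, SEOS or nfdump: a minimal NetFlow v9 parser that decodes records and lists the template fields it has no name for. The sample packet is constructed; its NAT field numbers (225, 227, 230) are IANA IPFIX elements chosen as stand-ins, since the page does not show what the Redback exporter sends.

```python
"""Added example (not from the thread, SEOS or nfdump): parse NetFlow v9 templates/records
and list field types this toy collector cannot name. The sample packet below is constructed."""
import struct
from socket import inet_ntoa

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId
NAMED = {7: "srcPort", 8: "srcAddr", 11: "dstPort", 12: "dstAddr", 225: "postNatSrcAddr",
         226: "postNatDstAddr", 227: "postNaptSrcPort", 230: "natEvent"}  # what we can name
IPV4_FIELDS = {8, 12, 225, 226}

def parse_v9(packet, templates):
    """Parse one packet; fills templates {id: [(type, len), ...]} and returns decoded records."""
    version = V9_HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, off = [], V9_HEADER.size
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, off)
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("malformed flowset length")  # never trust lengths from the wire
        body, off = packet[off + 4:off + set_len], off + set_len
        if set_id == 0:  # template flowset; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif set_id >= 256 and set_id in templates:  # data flowset; unknown templates are skipped
            fields = templates[set_id]
            rec_len, pos = sum(n for _, n in fields), 0
            while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[ftype] = inet_ntoa(raw) if ftype in IPV4_FIELDS and flen == 4 else int.from_bytes(raw, "big")
                records.append(rec)
    return records

def unnamed_fields(templates):
    """Field types the exporter announced that this collector cannot name (the 'custom' ones)."""
    return {ftype for fields in templates.values() for ftype, _ in fields if ftype not in NAMED}

def sample_packet():
    """Constructed export: template 256 + one NAT record. 225/227/230 are IANA IPFIX stand-ins; 32769 is a made-up vendor type."""
    fields = [(8, 4), (7, 2), (225, 4), (227, 2), (230, 1), (32769, 2)]
    tmpl = struct.pack("!HHHH", 0, 8 + 4 * len(fields), 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (bytes([192, 168, 100, 4]) + struct.pack("!H", 51234) + bytes([178, 214, 29, 1])
           + struct.pack("!H", 1025) + b"\x01" + struct.pack("!H", 7))
    data = struct.pack("!HH", 256, 4 + len(rec) + 1) + rec + b"\x00"  # one pad byte to a 4-byte boundary
    return V9_HEADER.pack(9, 2, 1000, 1383500000, 1, 0) + tmpl + data
```

Feeding real captures to parse_v9 and printing unnamed_fields shows exactly which types a collector must learn before its decoder can be extended.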