[rbak-nsp] NAT Logging
Yuri Shefer
shefys at gmail.com
Thu Oct 31 11:28:46 EDT 2013
Hi,
How is your collector connected to the SE: over the management port or over a line
card port? The CGNAT logging flows will only be transferred over line card
ports; in other words, you cannot use the management interface for CGNAT logging.
On Thu, Oct 31, 2013 at 3:48 AM, Golem <golem at mtm-info.pl> wrote:
> Hello
> Still doesn't work.
>
> My config:
>
> nat logging-profile LogowanieNAT
> transport-protocol udp
> export-version v9
> dscp ef
> maximum ip-packet-size 1400
> source 10.0.0.33 port 5000
> destination 10.0.0.1 context mrouter port 5000
>
> !
>
> ip nat pool ip_test_lan1_nat napt paired-mode logging
> paired-mode subscriber over-subscription 32 port-limit 2000
>
> logging-profile LogowanieNat
> address 178.214.29.1/32 port-block 1 to 15
> address 178.214.29.2/32 port-block 1 to 15
> !
>
> ip nat pool ip_test_pppoe1_nat napt multibind
> address 178.214.30.1/32 port-block 1 to 15
> address 178.214.30.2/32 port-block 1 to 15
>
>
> !
> nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
> pool ip_test_lan1_nat routerek
> timeout tcp 18000
> timeout abandoned 3600
> endpoint-independent filtering tcp
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
>
> !
> nat policy ip_test_pppoe1_nat_policy
> ! Default class
> pool ip_test_pppoe1_nat routerek
> timeout tcp 18000
>
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
>
>
> interface loop1 loopback
> ip address 10.0.0.33/27
>
> ip source-address radius flow-ip
> no logging console
>
> I want to log ip_test_lan1_nat, which is now paired-mode; this context has
> both a paired-mode and a multibind NAT pool.
> Nothing is received on collector 10.0.0.1 (not a single packet
> received). The collector is using the same interface as RADIUS.
> Is there something more that I have to check?
> I also have a question about the collector IP address. I supplied destination
> 10.0.0.1 context mrouter port 5000
> because 10.0.0.1 is reachable over context mrouter. Is there any debug
> command which shows if the flow is active?
>
> [routerek]se600#show nat pool
> Pool-Grid Context-Id Type Rcrds Slot-Mask Pool-Name
> 0x00000003 0x40080003 napt/M 2 0x00000000 ip_test_pppoe1_nat
> 0x00000007 0x40080003 napt/PL 2 0x00000004 ip_test_lan1_nat
>
> [routerek]se600#show nat logging-profile
> Profile-Grid Context-Id Valid Profile-Name
> 0x00000001 0x40080003 yes LogowanieNAT
>
> Wednesday, October 30, 2013, 8:43:15 PM, you wrote:
>
>
> And I'm assuming you have the license for CGNAT, right?
>
>
> On Wed, Oct 30, 2013 at 4:40 PM, Tomas Lynch <tomas.lynch at gmail.com>
> wrote:
> Rafal,
>
> The problem is with the keywords on the ip nat pool: you are using multibind and
> must use paired-mode. Here is a complete config that was tested on an SE1200
> running SEOS 11.x:
>
> context local
> !
> nat logging-profile LOGGING_PROF
> transport-protocol udp
> export-version v9
> source 10.10.10.10 port 2055
> destination 1.1.1.1 context local port 2055
> dscp ef
> !
> ! the following can be at any context including local
> !
> ip nat pool NAT_POOL napt paired-mode logging
> paired-mode subscriber over-subscription 100 port-limit 1000
> logging-profile LOGGING_PROF context local
> address 192.168.208.0/28
> !
> nat policy NAT_POLICY enhanced
> ! Default class
> pool NAT_POOL cgnat
> timeout abandoned 3600
> endpoint-independent filtering tcp
> endpoint-independent filtering udp
> inbound-refresh udp
> icmp-notification
>
> On Wed, Oct 30, 2013 at 10:58 AM, Golem <golem at mtm-info.pl> wrote:
> Hello
>
> I'm trying to set up NAT logging; this is how my config looks:
>
> context routerek
>
>
> nat logging-profile LogowanieNAT
> transport-protocol udp
> export-version v9
> source 11.0.0.33 port 5000
> destination 11.0.0.1 port 5000
>
>
> ip nat pool ip_test_lan1_nat napt multibind logging
> logging-profile LogowanieNat
> address 178.214.29.1/32 port-block 1 to 15
> address 178.214.29.2/32 port-block 1 to 15
>
>
> nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
> pool ip_test_lan1_nat routerek
> timeout tcp 18000
> inbound-refresh udp
> icmp-notification
> !
> interface loop1 loopback
> ip address 11.0.0.33/27
> ip source-address radius flow-ip
> no logging console
> !
> !
> ....
> (config truncated)
>
>
>
> NAT does work (there is internet access etc.), but collector 11.0.0.1
> (Linux)
> is not receiving any packets on port 5000; tcpdump doesn't show anything.
> How do I debug NAT logging? "debug nat all" doesn't show anything useful
> about logging.
> Do I need to set up some additional config, like a flow collector/flow profile
> for NAT logging,
> to make it work?
>
> Rafal
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
>
> --
> Best regards,
> Ozga Rafal <golem at mtm-info.pl>
>
>
--
Best regards,
Yuri
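The question in the thread is how to tell whether the SE is exporting anything at all and, if it is, what the NetFlow v9 records contain. The following collector is an added example, not code from the thread or from Ericsson/Redback: it binds on the collector's UDP port, parses the v9 header, learns template FlowSets and decodes data FlowSets against them, and reports data that arrives before its template instead of silently dropping it (the most common reason a collector "sees nothing" once packets are actually reaching it). The field layout in the constructed sample packet (IANA IEs 8, 7, 225, 227, 4 and 230 for the pre- and post-NAT address/port, protocol and natEvent) is an assumption about what a CGNAT export might carry; the SE's real template is whatever it announces, and the parser decodes unknown field types generically as integers.

```python
import ipaddress
import socket
import struct

# NetFlow v9 field types = IANA IPFIX information element IDs. The NAT ones are an
# assumption about the export; anything else is decoded generically as "ieNNN".
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_ip",
               225: "post_nat_src_ip",     # postNATSourceIPv4Address
               227: "post_napt_src_port",  # postNAPTSourceTransportPort
               230: "nat_event"}           # natEvent: 1 = create, 2 = delete
NAT_EVENTS = {1: "create", 2: "delete"}


def decode_field(ftype, raw):
    """Dotted IPv4 for address fields, symbolic natEvent, otherwise a big-endian integer."""
    if ftype in (8, 225) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    value = int.from_bytes(raw, "big")
    return NAT_EVENTS.get(value, value) if ftype == 230 else value


def parse_v9(packet, templates):
    """Parse one v9 packet; `templates` {(source_id, template_id): [(type, len), ...]} is
    updated in place so templates learned earlier decode later data. Returns
    (header, records, template_ids_learned)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}
    records, learned, off = [], [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError(f"bad FlowSet length {fs_len} at offset {off}")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError(f"truncated template {tid}")
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
                learned.append(tid)
        elif fs_id > 255:                                # data FlowSet, id == template id
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                records.append({"template": fs_id, "error": "no template yet"})
            else:
                p = 0
                while p + rec_len <= len(body):          # leftover bytes < rec_len are padding
                    rec = {"template": fs_id}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"ie{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are skipped
        off += fs_len
    return header, records, learned


def build_sample_packet():
    """Constructed packet (not a real SE capture): template 256 plus create/delete records."""
    fields = [(8, 4), (7, 2), (225, 4), (227, 2), (4, 1), (230, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src_ip, sport, nat_ip, nport, proto, event):
        return (ipaddress.IPv4Address(src_ip).packed + struct.pack("!H", sport)
                + ipaddress.IPv4Address(nat_ip).packed + struct.pack("!HBB", nport, proto, event))

    data = rec("10.20.30.40", 51234, "178.214.29.1", 1025, 6, 1) + rec("10.20.30.40", 51234, "178.214.29.1", 1025, 6, 2)
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIIII", 9, 3, 123456, 1383232126, 1, 0) + tmpl_fs + data_fs


def listen(bind_ip="0.0.0.0", port=5000):
    """Bind on the collector and print every datagram, decoded where a template is known."""
    templates = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    print(f"listening on {bind_ip}:{port}")
    while True:
        data, (src, sport) = sock.recvfrom(65535)
        try:
            header, records, learned = parse_v9(data, templates)
        except ValueError as err:
            print(f"{src}:{sport} {len(data)} bytes, not parsed: {err}")
            continue
        print(f"{src}:{sport} seq={header['sequence']} source_id={header['source_id']} "
              f"templates={learned} records={len(records)}")
        for r in records:
            print("   ", r)


if __name__ == "__main__":
    listen()
```

Run it on the collector host bound to the address the SE reaches over a line card port (the destination in the logging-profile), not a management-only address. If it prints nothing, the packets are not leaving the SE or are being dropped on the way; confirming with a capture that matches the profile's DSCP marking, e.g. tcpdump -ni <iface> 'udp port 5000 and ip[1] & 0xfc == 0xb8' (0xb8 is DSCP EF shifted into the TOS byte), separates a transport problem from a template or parsing problem. If it prints "no template yet" records, export is working and the template simply has not been resent yet; v9 exporters resend templates periodically, so wait for the refresh or clear and re-apply the profile.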