[rbak-nsp] NAT Logging

Tomas Lynch tomas.lynch at gmail.com
Thu Oct 31 14:19:36 EDT 2013


How is the NAT policy applied? Please send complete subscriber
configuration. Thanks.


On Thu, Oct 31, 2013 at 7:48 AM, Golem <golem at mtm-info.pl> wrote:

>  Hello
> Still doesn't work.
>
> My config:
>
>  nat logging-profile LogowanieNAT
>   transport-protocol udp
>   export-version v9
>   dscp ef
>   maximum ip-packet-size 1400
>   source 10.0.0.33 port 5000
>   destination 10.0.0.1 context mrouter port 5000
>
> !
>
>  ip nat pool ip_test_lan1_nat napt paired-mode logging
>   paired-mode subscriber over-subscription 32 port-limit 2000
>
>   logging-profile LogowanieNat
>   address 178.214.29.1/32 port-block 1 to 15
>   address 178.214.29.2/32 port-block 1 to 15
> !
>
>  ip nat pool ip_test_pppoe1_nat napt multibind
>   address 178.214.30.1/32 port-block 1 to 15
>   address 178.214.30.2/32 port-block 1 to 15
>
>
> !
>  nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
>   pool ip_test_lan1_nat routerek
>   timeout tcp 18000
>   timeout abandoned 3600
>   endpoint-independent filtering tcp
>   endpoint-independent filtering udp
>   inbound-refresh udp
>   icmp-notification
>
> !
>  nat policy ip_test_pppoe1_nat_policy
> ! Default class
>   pool ip_test_pppoe1_nat routerek
>   timeout tcp 18000
>
>   endpoint-independent filtering udp
>   inbound-refresh udp
>   icmp-notification
>
>
>  interface loop1 loopback
>   ip address 10.0.0.33/27
>
>    ip source-address radius flow-ip
>  no logging console
>
> I want to log ip_test_lan1_nat, which is now paired-mode; this context has
> both paired-mode and multibind NAT pools.
> There is nothing received on collector 10.0.0.1 (not a single packet
> received). The collector uses the same interface as RADIUS.
> Is there something more which I have to check?
> I also have a question about the collector IP address. I supplied destination
> 10.0.0.1 context mrouter port 5000
> because 10.0.0.1 is reachable over context mrouter. Is there any debug
> command which shows if the flow is active?
>
> [routerek]se600#show nat pool
> Pool-Grid  Context-Id Type    Rcrds Slot-Mask  Pool-Name
> 0x00000003 0x40080003 napt/M      2 0x00000000 ip_test_pppoe1_nat
> 0x00000007 0x40080003 napt/PL     2 0x00000004 ip_test_lan1_nat
>
> [routerek]se600#show nat logging-profile
> Profile-Grid  Context-Id Valid Profile-Name
> 0x00000001    0x40080003 yes   LogowanieNAT
>
> Wednesday, October 30, 2013, 8:43:15 PM, you wrote:
>
>
>  And I'm assuming you have the license for CGNAT, right?
>
>
> On Wed, Oct 30, 2013 at 4:40 PM, Tomas Lynch <tomas.lynch at gmail.com>
> wrote:
> Rafal,
>
> The problem is with the keywords at the ip nat pool: you are using multibind and
> must use paired-mode. Here is a complete config that was tested on an SE1200
> running SEOS 11.x:
>
> context local
> !
>  nat logging-profile LOGGING_PROF
>   transport-protocol udp
>   export-version v9
>   source 10.10.10.10 port 2055
>   destination 1.1.1.1 context local port 2055
>   dscp ef
> !
> ! the following can be at any context including local
> !
>  ip nat pool NAT_POOL napt paired-mode logging
>   paired-mode subscriber over-subscription 100 port-limit 1000
>   logging-profile LOGGING_PROF context local
>   address 192.168.208.0/28
> !
>  nat policy NAT_POLICY enhanced
> ! Default class
>   pool NAT_POOL cgnat
>   timeout abandoned 3600
>   endpoint-independent filtering tcp
>   endpoint-independent filtering udp
>   inbound-refresh udp
>   icmp-notification
>
> On Wed, Oct 30, 2013 at 10:58 AM, Golem <golem at mtm-info.pl> wrote:
> Hello
>
> I'm trying to set up NAT logging; this is how my config looks:
>
> context routerek
>
>
>  nat logging-profile LogowanieNAT
>   transport-protocol udp
>   export-version v9
>   source 11.0.0.33 port 5000
>   destination 11.0.0.1 port 5000
>
>
>  ip nat pool ip_test_lan1_nat napt multibind logging
>   logging-profile LogowanieNat
>   address 178.214.29.1/32 port-block 1 to 15
>   address 178.214.29.2/32 port-block 1 to 15
>
>
>   nat policy ip_test_lan1_nat_policy enhanced
> ! Default class
>   pool ip_test_lan1_nat routerek
>   timeout tcp 18000
>   inbound-refresh udp
>   icmp-notification
> !
>  interface loop1 loopback
>   ip address 11.0.0.33/27
>    ip source-address radius flow-ip
>  no logging console
> !
> !
> ....
> (config truncated)
>
> NAT does work, there is internet access etc., but collector 11.0.0.1
> (linux) is not receiving any packets on port 5000; tcpdump doesn't show anything.
> How do I debug NAT logging? "debug nat all" doesn't show anything useful
> about logging.
> Do I need to set up some additional config like a flow collector/flow profile
> for NAT logging to make it work?
>
> Rafal
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp
>
>
>
> --
> Best regards,
> Ozga Rafal                          mailto:golem at mtm-info.pl
>
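As an added example (not from the thread and not SEOS or collector code), the following Python snippet is a minimal stand-in collector for the UDP port used in the logging profiles above: it decodes the NetFlow v9 export header and walks the flowsets, which confirms whether well-formed v9 records are actually arriving at the collector once tcpdump shows packets on port 5000. The sample packet, its template id 256 and the addresses inside it are constructed for the demonstration.

```python
import socket
import struct

# NetFlow v9 packet header (RFC 3954): version, count, sysUptime,
# unixSecs, sequence number, source id -- all big-endian.
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9(packet):
    """Decode a v9 export packet into its header fields and flowset list."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a v9 header")
    version, count, uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % version)
    flowsets = []
    off = V9_HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        # A flowset must cover at least its own 4-byte header and fit in the packet.
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
        # id 0 = template flowset, 1 = options template, >= 256 = data flowset
        kind = {0: "template", 1: "options-template"}.get(fs_id, "data")
        flowsets.append((fs_id, kind, fs_len))
        off += fs_len
    return {"count": count, "uptime_ms": uptime, "unix_secs": unix_secs,
            "sequence": seq, "source_id": source_id, "flowsets": flowsets}

def listen(bind_ip="0.0.0.0", port=5000, max_packets=1):
    """Receive export packets on the collector port and decode each one."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    results = []
    for _ in range(max_packets):
        data, (src_ip, src_port) = sock.recvfrom(65535)
        results.append((src_ip, src_port, parse_v9(data)))
    sock.close()
    return results

# Constructed sample packet: a template flowset defining template 256
# (IPV4_SRC_ADDR=8, IPV4_DST_ADDR=12, 4 bytes each) and one data record using it.
SAMPLE_PACKET = (
    V9_HEADER.pack(9, 2, 1000, 1383226000, 1, 0)
    + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
    + struct.pack("!HH4s4s", 256, 12, bytes([178, 214, 29, 1]), bytes([10, 0, 0, 1]))
)

if __name__ == "__main__":
    print(parse_v9(SAMPLE_PACKET))
```

Run listen() on the collector host while the router is exporting; a ValueError on live packets means something other than v9 is hitting the port.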