URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 19634

Original message
"nat from global into vrf"

Posted by OVDP, 17-Sep-09 07:57
Greetings, esteemed colleagues!

Could you suggest how to solve the following problem:

I need to give a user inside a VRF something like a public IP, so that it can be reached from the DMZ or from OUTSIDE (the Internet).

I built the following config in the lab (c7200-advipservicesk9-mz.122-33.SRC2):

ip subnet-zero
ip vrf EDGE1
rd 200:100
!
ip cef
!
interface GigabitEthernet2/0
description DMZ1
ip address 192.168.12.30 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet3/0
description INSIDE1
ip vrf receive EDGE1
ip address 192.168.13.30 255.255.255.0
ip nat inside
ip policy route-map INSIDE1
negotiation auto
!
interface GigabitEthernet4/0
description EDGE1
ip vrf forwarding EDGE1
ip address 10.0.0.1 255.255.255.0
ip nat outside
negotiation auto
!
interface GigabitEthernet5/0
description OUTSIDE1
ip address x.x.x.x 255.255.255.0
ip nat outside
negotiation auto
!
ip nat outside source static 10.0.0.2 192.168.255.254 vrf EDGE1
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.255.254 255.255.255.255 GigabitEthernet4/0 10.0.0.2
ip route vrf EDGE1 0.0.0.0 0.0.0.0 GigabitEthernet5/0 x.x.x.x
ip route vrf EDGE1 192.168.12.0 255.255.255.0 GigabitEthernet2/0 192.168.12.50

Pinging from the edge (everything seems fine):

edge#ping 192.168.12.50 r 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.12.50, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 136/136/136 ms

Debug on the central router:

00:27:28: IP: s=10.0.0.2 (GigabitEthernet4/0), d=192.168.12.50, len 100, input feature
00:27:28:     ICMP type=8, code=0, NAT Outside(44), rtype 0, forus FALSE, sendself FALSE, mtu 0
00:27:28: FIBipv4-packet-proc: route packet from GigabitEthernet4/0 src 10.0.0.2 dst 192.168.12.50
00:27:28: FIBipv4-packet-proc: packet routing succeeded
00:27:28: IP: tableid=1, s=10.0.0.2 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), routed via FIB
00:27:28: NAT: Processing out-2-in packet in after_routing2
00:27:28: NAT: s=10.0.0.2->192.168.255.254, d=192.168.12.50 [67]
00:27:28: IP: s=192.168.255.254 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), len 100, output feature
00:27:28:     ICMP type=8, code=0, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0
00:27:28: IP: s=192.168.255.254 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), g=192.168.12.50, len 100, forward
00:27:28:     ICMP type=8, code=0
00:27:28: IP: s=192.168.255.254 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), len 100, sending full packet
00:27:28:     ICMP type=8, code=0
00:27:28: NAT*: i: icmp (192.168.12.50, 39) -> (192.168.255.254, 39) [67]
00:27:28: NAT*: s=192.168.12.50, d=192.168.255.254->10.0.0.2 [67]                                

Pinging from the DMZ (not fine at all):

dmz#ping 192.168.255.254 r 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.255.254, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)

Debug on the central router:

00:29:35: IP: s=10.0.0.2 (GigabitEthernet4/0), d=192.168.12.50, len 100, input feature
00:29:35:     ICMP type=8, code=0, NAT Outside(44), rtype 0, forus FALSE, sendself FALSE, mtu 0
00:29:35: FIBipv4-packet-proc: route packet from GigabitEthernet4/0 src 10.0.0.2 dst 192.168.12.50
00:29:35: FIBipv4-packet-proc: packet routing succeeded
00:29:35: IP: tableid=1, s=10.0.0.2 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), routed via FIB
00:29:35: NAT: Processing out-2-in packet in after_routing2
00:29:35: NAT: s=10.0.0.2->192.168.255.254, d=192.168.12.50 [68]
00:29:35: IP: s=192.168.255.254 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), len 100, output feature
00:29:35:     ICMP type=8, code=0, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0
00:29:35: IP: s=192.168.255.254 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), g=192.168.12.50, len 100, forward
00:29:35:     ICMP type=8, code=0
00:29:35: IP: s=192.168.255.254 (GigabitEthernet4/0), d=192.168.12.50 (GigabitEthernet2/0), len 100, sending full packet
00:29:35:     ICMP type=8, code=0
00:29:35: NAT*: i: icmp (192.168.12.50, 40) -> (192.168.255.254, 40) [68]
00:29:35: NAT*: s=192.168.12.50, d=192.168.255.254->10.0.0.2 [68]
00:29:44: NAT*: Can't create new inside entry - forced_punt_flags: 0
00:29:45: IP: s=192.168.12.50 (GigabitEthernet4/0), d=192.168.255.254, len 100, input feature
00:29:45:     ICMP type=8, code=0, NAT Outside(44), rtype 0, forus FALSE, sendself FALSE, mtu 0
00:29:45: FIBipv4-packet-proc: route packet from GigabitEthernet4/0 src 192.168.12.50 dst 192.168.255.254
00:29:45: FIBfwd-proc: EDGE1:192.168.255.254/32 recieve entry
00:29:45: FIBipv4-packet-proc: packet routing failed
00:29:45: IP: tableid=1, s=192.168.12.50 (GigabitEthernet4/0), d=192.168.255.254 (GigabitEthernet5/0), routed via RIB
00:29:45: IP: s=192.168.12.50 (GigabitEthernet4/0), d=192.168.255.254 (GigabitEthernet5/0), len 100, output feature
00:29:45:     ICMP type=8, code=0, Post-routing NAT Outside(15), rtype 1, forus FALSE, sendself FALSE, mtu 0
00:29:45: IP: s=192.168.12.50 (GigabitEthernet4/0), d=192.168.255.254 (GigabitEthernet5/0), g=62.213.52.1, len 100, forward
00:29:45:     ICMP type=8, code=0
00:29:45: IP: s=192.168.12.50 (GigabitEthernet4/0), d=192.168.255.254 (GigabitEthernet5/0), len 100, sending full packet
00:29:45:     ICMP type=8, code=0
00:29:45: IP: s=192.168.12.50 (GigabitEthernet4/0), d=192.168.255.254, len 100, input feature
00:29:45:     ICMP type=8, code=0, NAT Outside(44), rtype 0, forus FALSE, sendself FALSE, mtu 0
00:29:45: FIBipv4-packet-proc: route packet from GigabitEthernet4/0 src 192.168.12.50 dst 192.168.255.254
00:29:45: FIBfwd-proc: EDGE1:192.168.255.254/32 recieve entry
00:29:45: FIBipv4-packet-proc: packet routing failed                                              

So it works in one direction but not in the other :( What matters most to me is exactly getting from the DMZ or outside into the VRF...

Please help, pretty please?




Messages in this discussion
"nat from global into vrf"
Posted by OVDP, 18-Sep-09 05:31
>[overquoting removed]
>00:29:45: FIBipv4-packet-proc: packet routing failed
>
>So it works in one direction but not in the other :(
>What matters most to me is exactly getting from the DMZ or outside into the
>VRF...
>
>Please help, pretty please?
>

Found the gotcha; maybe it will be useful to someone:
the line ip nat outside source static 10.0.0.2 192.168.255.254 vrf EDGE1
I replaced with ip nat outside source static 10.0.0.2 192.168.255.254
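Putting the fix together with the rest of the posted lab config, as an added example (this is not from the original post; interface names, the VRF name and addresses are taken from the config above, x.x.x.x stays a placeholder for the redacted OUTSIDE address, and the show/debug commands are standard IOS exec commands suggested here for verification):

```cisco
! Added example: the thread's fix applied to the poster's lab config, with checks.
!
! Before (from the post): the "vrf EDGE1" keyword on the outside-source static
! entry. In the poster's lab the edge -> DMZ direction worked, but DMZ ->
! 192.168.255.254 failed ("Can't create new inside entry", "packet routing failed").
no ip nat outside source static 10.0.0.2 192.168.255.254 vrf EDGE1
!
! After: the same outside-source static entry without the vrf keyword. The NAT
! outside interface GigabitEthernet4/0 is in VRF EDGE1; the inside interfaces
! (GigabitEthernet2/0 DMZ1, GigabitEthernet3/0 INSIDE1) are in the global table.
ip nat outside source static 10.0.0.2 192.168.255.254
!
! Host route in the global table so that the translated address 192.168.255.254
! resolves towards the NAT outside interface (already present in the posted config).
ip route 192.168.255.254 255.255.255.255 GigabitEthernet4/0 10.0.0.2
!
! Verification from exec mode (expected results are assumptions, not output
! from the thread):
!   show ip nat translations           ! static entry 10.0.0.2 <-> 192.168.255.254
!   show ip route 192.168.255.254      ! the /32 via GigabitEthernet4/0
!   show ip route vrf EDGE1 192.168.12.0
!   debug ip nat                       ! from DMZ: d=192.168.255.254->10.0.0.2
!   undebug all                        ! always switch the debug off afterwards
```

One practitioner's caveat: the static entry is unconditional and GigabitEthernet5/0 (OUTSIDE1) is also `ip nat outside`, so if the translated address is ever reachable from the Internet side, an inbound ACL on GigabitEthernet5/0 is the place to limit which external sources may reach 10.0.0.2 through it.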