The OpenNET Project / Index page
Cisco 3640, NAT & NetFlow, !*! Dmitriy Sirant, 21-Feb-06, 14:03
We have:
cisco-3640#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IO3-M), Version 12.2(32), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 02-Dec-05 15:19 by
Image text-base: 0x60008930, data-base: 0x60A88000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

cisco-3640 uptime is 4 hours, 3 minutes
System returned to ROM by reload
System image file is "flash:c3640-io3-mz.122-32.bin"

cisco 3640 (R4700) processor (revision 0x00) with 61440K/4096K bytes of memory.
Processor board ID 21961002
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

The problem is that traffic going through NAT does not end up in NetFlow, specifically:
04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15, len 40, policy match
04:04:36: IP: route map netflow_nat, item 10, permit
04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15 (Loopback0), len 40, policy routed
04:04:36: IP: Ethernet0/0 to Loopback0 192.168.23.15

but cisco-3640#sh ip cache flow | include 66.225.214.106
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100C     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100F     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 1008     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 1007     3
Et0/1         192.168.23.15   Et0/0         66.225.214.106  06 0F57 22B8    22
Et0/0         66.225.214.106  Null          192.168.23.15   06 22B8 0F57    25
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EAA     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EA6     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EE3     6
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EC3     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0E71     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FA9     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FBB     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F8C     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F8F     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F98     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F94     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FEF     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FE7     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FE3     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FF2     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FF3     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FCF     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FC5     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FD4     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F1C     9
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F19     6
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F1A     4
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F6A     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F64     4
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F7F     3

i.e. using a route-map I redirected it to the loopback interface, but it still doesn't end up in netflow...
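An added example, not from the thread: a small Python parser for the "sh ip cache flow" output quoted above, which picks out the entries with DstIf Null (the flows the poster says never reach NetFlow) and summarises them by packet count, private (NAT-inside) destination and destination port. The sample lines are constructed after the ones in the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the "sh ip cache flow" lines in the post
# (not the original output). Columns: SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts
SAMPLE = """\
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100C     3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100F     3
Et0/1         192.168.23.15   Et0/0         66.225.214.106  06 0F57 22B8    22
Et0/0         66.225.214.106  Null          192.168.23.15   06 22B8 0F57    25
"""

# Protocol and port columns of this IOS output are hexadecimal.
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>[\d.]+)\s+(?P<dstif>\S+)\s+(?P<dst>[\d.]+)"
    r"\s+(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})"
    r"\s+(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_flows(text):
    """Parse 'show ip cache flow' entries into dicts; header lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        pr = int(d["pr"], 16)
        flows.append({
            "srcif": d["srcif"], "src": d["src"],
            "dstif": d["dstif"], "dst": d["dst"],
            "proto": PROTO.get(pr, str(pr)),
            "sport": int(d["sport"], 16), "dport": int(d["dport"], 16),
            "pkts": int(d["pkts"]),
        })
    return flows

def null_dstif_report(flows):
    """Summarise the flows whose DstIf is Null: how many there are, how many
    packets they carry, how many target a private (NAT-inside) address, and
    which protocol/destination ports they use."""
    null = [f for f in flows if f["dstif"] == "Null"]
    return {
        "null_flows": len(null),
        "null_pkts": sum(f["pkts"] for f in null),
        "private_dst": sum(1 for f in null
                           if ipaddress.ip_address(f["dst"]).is_private),
        "by_dport": Counter(f"{f['proto']}/{f['dport']}" for f in null),
    }
```

Feed it the full "sh ip cache flow" output from the router to see at a glance how much traffic is landing in Null entries rather than in exported flows.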

  • Cisco 3640, NAT & NetFlow, !*! NoSe, 01:16 , 23-Feb-06 (1)
    In this case it wouldn't hurt to show the configuration...

    • Cisco 3640, NAT & NetFlow, !*! Dmitriy Sirant, 11:43 , 23-Feb-06 (2)
      >In this case it wouldn't hurt to show the configuration...

      External interface: Eth0/0
      Internal interfaces: Eth0/1, Fast2/0
      Statistics are exported via the internal Fast2/0

      Besides the problem above there is another one from the same area. Not all flows, even those with real IPs on both sides, end up in the statistics (again, in sh ip cache flow the DstInt shows null), while another flow between the same IPs may get recorded. The unaccounted flow does not match any (blocking) ACLs.

      Current configuration : 12674 bytes
      !
      version 12.2
      service timestamps debug uptime
      service timestamps log uptime
      service password-encryption
      !
      hostname cisco-3640
      !
      boot system flash c3640-io3-mz.122-32.bin
      no logging console guaranteed
      aaa new-model
      !
      ip subnet-zero
      no ip rcmd domain-lookup
      ip rcmd rsh-enable
      ip flow-cache entries 4094
      ip flow-cache timeout inactive 240
      ip flow-cache timeout active 45
      ip cef
      !
      !
      ip audit notify log
      ip audit po max-events 100
      !
      !
      !
      interface Loopback0
      ip address 193.xxx.xxx.225 255.255.255.255
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      no ip mroute-cache
      no keepalive
      !
      interface Tunnel0
      ip address 192.168.200.1 255.255.255.0
      ip access-group 199 in
      ip mtu 1470
      ip nat inside
      ip route-cache flow
      no ip mroute-cache
      tunnel source 172.16.1.1
      tunnel destination 172.16.0.1
      tunnel mode ipip
      !
      interface Ethernet0/0
      ip address 172.16.1.1 255.255.255.0 secondary
      ip address 195.xxx.xxx.66 255.255.255.192
      ip access-group 199 in
      no ip unreachables
      no ip proxy-arp
      ip nat outside
      ip route-cache flow
      no ip mroute-cache
      ip policy route-map netflow_nat
      no keepalive
      half-duplex
      no cdp enable
      !
      interface Serial0/0
      no ip address
      shutdown
      !
      interface Ethernet0/1
      ip address 192.168.4.250 255.255.255.0 secondary
      ip address 193.xxx.xxx.253 255.255.255.252 secondary
      ip address 193.xxx.xxx.65 255.255.255.192
      ip access-group 199 in
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      rate-limit input access-group 115 96000 18000 36000 conform-action transmit exceed-action drop
      rate-limit input access-group 117 256000 48000 96000 conform-action transmit exceed-action drop
      rate-limit input access-group 119 64000 12000 24000 conform-action transmit exceed-action drop
      rate-limit input access-group 121 96000 18000 36000 conform-action transmit exceed-action drop
      rate-limit input access-group 123 96000 18000 36000 conform-action transmit exceed-action drop
      rate-limit input access-group 125 96000 18000 36000 conform-action transmit exceed-action drop
      rate-limit input access-group 127 96000 18000 36000 conform-action transmit exceed-action drop
      rate-limit input access-group 129 64000 12000 24000 conform-action transmit exceed-action drop
      rate-limit input access-group 131 64000 12000 24000 conform-action transmit exceed-action drop
      rate-limit input access-group 135 64000 12000 24000 conform-action transmit exceed-action drop
      rate-limit input access-group 137 128000 24000 48000 conform-action transmit exceed-action drop
      rate-limit input access-group 139 64000 12000 24000 conform-action transmit exceed-action drop
      ip route-cache flow
      no ip mroute-cache
      no keepalive
      half-duplex
      traffic-shape group 116 96000 12000 12000 128
      traffic-shape group 118 256000 32000 32000 128
      traffic-shape group 120 64000 8000 8000 128
      traffic-shape group 122 96000 12000 12000 128
      traffic-shape group 124 96000 12000 12000 128
      traffic-shape group 126 96000 12000 12000 128
      traffic-shape group 128 96000 12000 12000 128
      traffic-shape group 130 64000 8000 8000 128
      traffic-shape group 132 64000 8000 8000 128
      traffic-shape group 136 64000 8000 8000 128
      traffic-shape group 138 128000 16000 16000 128
      traffic-shape group 140 64000 8000 8000 128
      no cdp enable
      !
      interface Serial0/1
      no ip address
      shutdown
      !
      interface FastEthernet2/0
      ip address 193.xxx.xxx.9 255.255.255.192
      ip access-group 199 in
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      rate-limit input access-group 111 512000 96000 192000 conform-action transmit exceed-action drop
      rate-limit input access-group 113 96000 18000 36000 conform-action transmit exceed-action drop
      rate-limit input access-group 133 32000 6000 12000 conform-action transmit exceed-action drop
      ip route-cache flow
      no ip mroute-cache
      no keepalive
      speed 100
      full-duplex
      traffic-shape group 112 512000 32000 32000 512
      traffic-shape group 114 96000 12000 12000 128
      traffic-shape group 134 32000 4000 4000 128
      no cdp enable
      !
      ip nat inside source list 5 interface Ethernet0/0 overload
      ip nat inside source list 102 interface Ethernet0/0 overload
      ip flow-export source FastEthernet2/0
      ip flow-export version 5
      ip flow-export destination 193.xxx.xxx.1 2100
      ip classless
      no ip http server
      !
      access-list 5 permit 192.168.1.249
      access-list 5 permit 192.168.1.253
      access-list 5 permit 192.168.4.0 0.0.0.255
      access-list 5 permit 192.168.12.0 0.0.0.255
      access-list 5 permit 192.168.14.0 0.0.0.255
      access-list 5 permit 192.168.23.0 0.0.0.255
      access-list 5 permit 192.168.6.0 0.0.0.255
      access-list 5 permit 192.168.29.0 0.0.0.255
      access-list 5 permit 192.168.20.0 0.0.0.255
      access-list 5 permit 192.168.5.0 0.0.0.255
      access-list 5 permit 192.168.30.0 0.0.0.255
      access-list 102 permit ip any host 212.109.57.226
      access-list 102 permit ip any host 213.186.198.70
      access-list 102 permit ip any host 62.244.21.62
      access-list 102 permit ip any host 212.82.220.134
      access-list 103 permit ip any 192.168.0.0 0.0.255.255
      access-list 199 remark Zhashishaemsa ot nekotorih virusov
      access-list 199 deny   tcp any any eq 135
      access-list 199 deny   udp any any eq 135
      access-list 199 permit ip any any
      !
      route-map netflow_nat permit 10
      match ip address 103
      set interface Loopback0 Ethernet0/0
      !
      line con 0
      line aux 0
      line vty 0 4
      !
      end

  • Cisco 3640, NAT & NetFlow, !*! ser00, 13:41 , 28-Feb-06 (3)
    Here is the working config of my Cisco

    IOS
    c3640-jk9o3s-mz.123-14.T3.bin

    Current configuration : 2452 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname igate
    !
    boot-start-marker
    boot-end-marker
    !
    !
    aaa new-model
    !
    !
    aaa authentication ppp default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting nested
    aaa accounting update newinfo
    aaa accounting network default start-stop group radius
    !        
    aaa session-id common
    !
    resource policy
    !
    clock timezone IRK 8
    clock summer-time IRK recurring last Sun Mar 2:00 last Sun Oct 2:00
    ip subnet-zero
    ip flow-egress input-interface
    ip flow-cache timeout inactive 60
    ip flow-cache timeout active 1
    !
    !
    ip cef
    no ip domain lookup
    ip domain name angarskhome.net
    ip name-server 192.168.2.10
    no ip dhcp use vrf connected
    !
    !
    no ip ips deny-action ips-interface
    !
    vpdn enable
    vpdn ip udp ignore checksum
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    vpdn-group 2
    accept-dialin
    protocol pppoe
    virtual-template 2
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !        
    !
    !
    !
    !
    !
    !
    no crypto isakmp ccm
    !
    !
    !
    !
    interface Ethernet0/0
    ip address 192.168.2.20 255.255.255.0
    no ip redirects
    full-duplex
    pppoe enable
    !
    interface Ethernet0/1
    ip address XXX.XXX.XXX.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    ip route-cache policy
    full-duplex
    !
    interface Virtual-Template1
    mtu 1460
    bandwidth 1024
    ip unnumbered Ethernet0/0
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly
    delay 200
    autodetect encapsulation ppp
    no keepalive
    ppp authentication chap callin
    !
    interface Virtual-Template2
    mtu 1492
    bandwidth 1024
    ip unnumbered Ethernet0/0
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly
    delay 200
    autodetect encapsulation ppp
    no keepalive
    ppp authentication pap callin
    !
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.10
    ip flow-export version 5
    ip flow-export destination 192.168.2.10 9996
    !
    !
    ip nat inside source list 4 interface Ethernet0/1 overload
    !
    access-list 4 permit 10.0.0.0 0.0.255.255
    access-list 108 permit ip any 10.0.0.0 0.0.255.255
    !        
    !
    radius-server host 192.168.2.10 auth-port 1812 acct-port 1813
    radius-server key ciscanasP@S
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    !
    end  