forum.opennet.ru

Составление сообщения

Исходное сообщение

"Не работает связка Netflow + NAT"
Отправлено tyomikh, 27-Фев-06 15:52

все делал по докам и соображениям здравого смысла, но все равно не работает
sh run
Current configuration : 5656 bytes
!
! Last configuration change at 15:32:53 msk Mon Feb 27 2006 by admin
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname gw
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-5.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 x
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone msk 3
clock summer-time msk recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
ip cef
!
!
ip inspect max-incomplete low 25
ip inspect max-incomplete high 100
ip inspect one-minute low 25
ip inspect one-minute high 100
ip inspect name ext smtp alert on
ip inspect name ext http alert on
ip inspect name ext ftp alert on
ip inspect name ext tcp alert on
ip inspect name ext udp alert on
ip inspect name ext icmp alert on
ip inspect name ext ssh alert on
ip inspect name ext telnet alert on
!
!
no ip domain lookup
ip domain name x
ip ssh authentication-retries 2
ip rcmd rsh-enable
ip rcmd remote-host tr_acct 192.168.40.2 administrator enable 3
!
!
!
username admin privilege 15 secret 5 x
username remoteUser secret 5 x
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group x
key x
pool IRP_vpn
acl 108
!
!
crypto ipsec transform-set vpnTransSet esp-3des esp-sha-hmac
!
crypto dynamic-map dynMap 10
set transform-set vpnTransSet
!
!
crypto map irp_vpn_map client authentication list userauthen
crypto map irp_vpn_map isakmp authorization list groupauthor
crypto map irp_vpn_map client configuration address respond
crypto map irp_vpn_map 10 ipsec-isakmp dynamic dynMap
!
!
!
interface Loopback0
ip address 192.168.254.1 255.255.255.0
ip virtual-reassembly
ip route-cache flow
!
interface FastEthernet0/0
description WAN
ip address 195.178.213.83 255.255.255.248
ip access-group ext_if_in in
ip access-group ext_if_out out
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect ext in
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip policy route-map l00p
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
ip local pool IRP_vpn 192.168.100.1 192.168.100.10
ip route 0.0.0.0 0.0.0.0 195.178.213.81
ip flow-export version 5
!
no ip http server
no ip http secure-server
ip nat pool internal2outside 195.178.213.84 195.178.213.84 netmask 255.255.255.248
ip nat inside source list 1 pool internal2outside overload
!
ip access-list extended ext_if_in
evaluate ip_out
permit tcp any host 195.178.213.83 eq 22
permit udp any host 195.178.213.83 eq isakmp
permit udp host 204.34.198.40 eq ntp host 195.178.213.83 eq ntp
deny   ip any any log
ip access-list extended ext_if_out
permit ip 195.178.213.80 0.0.0.7 any reflect ip_out
deny   ip any any log
!
access-list 101 permit ip any 192.168.40.0 0.0.0.255
access-list 108 permit ip any any
route-map l00p permit 10
match ip address 101
set interface Loopback0 FastEthernet0/1
!
!
!
control-plane
!
privilege exec level 3 show ip accounting
privilege exec level 3 show ip
privilege exec level 3 show
privilege exec level 3 clear ip accounting
privilege exec level 3 clear ip
privilege exec level 3 clear
!
line con 0
line aux 0
line vty 0 4
access-class 31 in
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input telnet
!
ntp clock-period 17178386
ntp server 204.34.198.40
end
gw#sh ip cache flow
IP packet size distribution (24632 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .488 .124 .215 .024 .017 .011 .004 .004 .005 .005 .002 .002 .004 .003
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .001 .001 .002 .015 .065 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
  7 active, 4089 inactive, 2198 added
  31664 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          22      0.0       107    41      1.0      28.1      15.5
TCP-WWW            970      0.4         6   427      2.6       1.6       4.3
TCP-SMTP            35      0.0        10   232      0.1       5.7       6.7
TCP-other          445      0.1        27   115      5.2      12.9      13.0
UDP-DNS             49      0.0         3    66      0.0       4.9      15.5
UDP-NTP             33      0.0         1    76      0.0       0.4      15.6
UDP-other           76      0.0         2   218      0.0       2.2      15.5
Total:            1630      0.6        13   200      9.2       5.3       8.0
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         192.168.40.2    Fa0/0         85.140.17.215   06 0016 0940   939     я удаленно зашел на сервер
Fa0/0         85.140.17.215   Null          192.168.40.2    06 0940 0016  1864     через статич.NAT трансляцию
Fa0/1         192.168.40.2    Local         192.168.40.1    06 0F83 0017     4     я зателнетился на циску с сервера
Fa0/0         194.67.23.205   Local         195.178.213.84  06 07F9 0985     1
Fa0/1         195.178.213.84  Fa0/0         194.67.23.205   06 0985 07F9     1
Fa0/1         195.178.213.84  Fa0/0         64.12.162.70    06 048E 1446     1
Fa0/0         64.12.162.70    Local         195.178.213.84  06 1446 048E     1
Самое интересное, что статич.трансляции нормально экспортятся в нетфлоу, но 4 последних - заНАТченные сессии пользователей отображаются не верно... (
Где грабли?

Исходное сообщение
"Не работает связка Netflow + NAT" Отправлено tyomikh, 27-Фев-06 15:52
все делал по докам и соображениям здравого смысла, но все равно не работает sh run Current configuration : 5656 bytes ! ! Last configuration change at 15:32:53 msk Mon Feb 27 2006 by admin ! version 12.4 service timestamps debug datetime msec localtime service timestamps log datetime msec localtime service password-encryption ! hostname gw ! boot-start-marker boot system flash c1841-advsecurityk9-mz.124-5.bin boot-end-marker ! logging buffered 4096 debugging enable secret 5 x ! aaa new-model ! ! aaa authentication login userauthen local aaa authorization network groupauthor local ! aaa session-id common ! resource policy ! clock timezone msk 3 clock summer-time msk recurring mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no ip source-route ip cef ! ! ip inspect max-incomplete low 25 ip inspect max-incomplete high 100 ip inspect one-minute low 25 ip inspect one-minute high 100 ip inspect name ext smtp alert on ip inspect name ext http alert on ip inspect name ext ftp alert on ip inspect name ext tcp alert on ip inspect name ext udp alert on ip inspect name ext icmp alert on ip inspect name ext ssh alert on ip inspect name ext telnet alert on ! ! no ip domain lookup ip domain name x ip ssh authentication-retries 2 ip rcmd rsh-enable ip rcmd remote-host tr_acct 192.168.40.2 administrator enable 3 ! ! ! username admin privilege 15 secret 5 x username remoteUser secret 5 x ! ! ! crypto isakmp policy 3 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group x key x pool IRP_vpn acl 108 ! ! crypto ipsec transform-set vpnTransSet esp-3des esp-sha-hmac ! crypto dynamic-map dynMap 10 set transform-set vpnTransSet ! ! crypto map irp_vpn_map client authentication list userauthen crypto map irp_vpn_map isakmp authorization list groupauthor crypto map irp_vpn_map client configuration address respond crypto map irp_vpn_map 10 ipsec-isakmp dynamic dynMap ! ! ! interface Loopback0 ip address 192.168.254.1 255.255.255.0 ip virtual-reassembly ip route-cache flow ! interface FastEthernet0/0 description WAN ip address 195.178.213.83 255.255.255.248 ip access-group ext_if_in in ip access-group ext_if_out out no ip redirects no ip unreachables no ip proxy-arp ip inspect ext in ip nat outside ip virtual-reassembly ip route-cache flow ip policy route-map l00p duplex auto speed auto ! interface FastEthernet0/1 description LAN ip address 192.168.40.1 255.255.255.0 ip nat inside ip virtual-reassembly ip route-cache flow duplex auto speed auto ! ip local pool IRP_vpn 192.168.100.1 192.168.100.10 ip route 0.0.0.0 0.0.0.0 195.178.213.81 ip flow-export version 5 ! no ip http server no ip http secure-server ip nat pool internal2outside 195.178.213.84 195.178.213.84 netmask 255.255.255.248 ip nat inside source list 1 pool internal2outside overload ! ip access-list extended ext_if_in evaluate ip_out permit tcp any host 195.178.213.83 eq 22 permit udp any host 195.178.213.83 eq isakmp permit udp host 204.34.198.40 eq ntp host 195.178.213.83 eq ntp deny ip any any log ip access-list extended ext_if_out permit ip 195.178.213.80 0.0.0.7 any reflect ip_out deny ip any any log ! access-list 101 permit ip any 192.168.40.0 0.0.0.255 access-list 108 permit ip any any route-map l00p permit 10 match ip address 101 set interface Loopback0 FastEthernet0/1 ! ! ! control-plane ! privilege exec level 3 show ip accounting privilege exec level 3 show ip privilege exec level 3 show privilege exec level 3 clear ip accounting privilege exec level 3 clear ip privilege exec level 3 clear ! line con 0 line aux 0 line vty 0 4 access-class 31 in privilege level 15 transport input ssh line vty 5 15 privilege level 15 transport input telnet ! ntp clock-period 17178386 ntp server 204.34.198.40 end gw#sh ip cache flow IP packet size distribution (24632 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .000 .488 .124 .215 .024 .017 .011 .004 .004 .005 .005 .002 .002 .004 .003 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .001 .001 .002 .015 .065 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 278544 bytes 7 active, 4089 inactive, 2198 added 31664 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 21640 bytes 0 active, 1024 inactive, 0 added, 0 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-Telnet 22 0.0 107 41 1.0 28.1 15.5 TCP-WWW 970 0.4 6 427 2.6 1.6 4.3 TCP-SMTP 35 0.0 10 232 0.1 5.7 6.7 TCP-other 445 0.1 27 115 5.2 12.9 13.0 UDP-DNS 49 0.0 3 66 0.0 4.9 15.5 UDP-NTP 33 0.0 1 76 0.0 0.4 15.6 UDP-other 76 0.0 2 218 0.0 2.2 15.5 Total: 1630 0.6 13 200 9.2 5.3 8.0 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Fa0/1 192.168.40.2 Fa0/0 85.140.17.215 06 0016 0940 939 я удаленно зашел на сервер Fa0/0 85.140.17.215 Null 192.168.40.2 06 0940 0016 1864 через статич.NAT трансляцию Fa0/1 192.168.40.2 Local 192.168.40.1 06 0F83 0017 4 я зателнетился на циску с сервера Fa0/0 194.67.23.205 Local 195.178.213.84 06 07F9 0985 1 Fa0/1 195.178.213.84 Fa0/0 194.67.23.205 06 0985 07F9 1 Fa0/1 195.178.213.84 Fa0/0 64.12.162.70 06 048E 1446 1 Fa0/0 64.12.162.70 Local 195.178.213.84 06 1446 048E 1 Самое интересное, что статич.трансляции нормально экспортятся в нетфлоу, но 4 последних - заНАТченные сессии пользователей отображаются не верно... ( Где грабли?

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

> все делал по докам и соображениям здравого смысла, но все равно не 
> работает

> sh run 
> Current configuration : 5656 bytes 
> !
> ! Last configuration change at 15:32:53 msk Mon Feb 27 2006 by 
> admin 
> !
> version 12.4 
> service timestamps debug datetime msec localtime 
> service timestamps log datetime msec localtime 
> service password-encryption 
> !
> hostname gw 
> !
> boot-start-marker 
> boot system flash c1841-advsecurityk9-mz.124-5.bin 
> boot-end-marker 
> !
> logging buffered 4096 debugging 
> enable secret 5 x 
> !
> aaa new-model 
> !
> !
> aaa authentication login userauthen local 
> aaa authorization network groupauthor local 
> !
> aaa session-id common 
> !
> resource policy 
> !
> clock timezone msk 3 
> clock summer-time msk recurring 
> mmi polling-interval 60 
> no mmi auto-configure 
> no mmi pvc 
> mmi snmp-timeout 180 
> no ip source-route 
> ip cef 
> !
> !
> ip inspect max-incomplete low 25 
> ip inspect max-incomplete high 100 
> ip inspect one-minute low 25 
> ip inspect one-minute high 100 
> ip inspect name ext smtp alert on 
> ip inspect name ext http alert on 
> ip inspect name ext ftp alert on 
> ip inspect name ext tcp alert on 
> ip inspect name ext udp alert on 
> ip inspect name ext icmp alert on 
> ip inspect name ext ssh alert on 
> ip inspect name ext telnet alert on 
> !
> !
> no ip domain lookup 
> ip domain name x 
> ip ssh authentication-retries 2 
> ip rcmd rsh-enable 
> ip rcmd remote-host tr_acct 192.168.40.2 administrator enable 3 
> !
> !
> !
> username admin privilege 15 secret 5 x 
> username remoteUser secret 5 x 
> !
> !
> !
> crypto isakmp policy 3 
>  encr 3des 
>  authentication pre-share 
>  group 2 
> !
> crypto isakmp client configuration group x 
>  key x 
>  pool IRP_vpn 
>  acl 108 
> !
> !
> crypto ipsec transform-set vpnTransSet esp-3des esp-sha-hmac 
> !
> crypto dynamic-map dynMap 10 
>  set transform-set vpnTransSet 
> !
> !
> crypto map irp_vpn_map client authentication list userauthen 
> crypto map irp_vpn_map isakmp authorization list groupauthor 
> crypto map irp_vpn_map client configuration address respond 
> crypto map irp_vpn_map 10 ipsec-isakmp dynamic dynMap 
> !
> !
> !
> interface Loopback0 
>  ip address 192.168.254.1 255.255.255.0 
>  ip virtual-reassembly 
>  ip route-cache flow 
> !
> interface FastEthernet0/0 
>  description WAN 
>  ip address 195.178.213.83 255.255.255.248 
>  ip access-group ext_if_in in 
>  ip access-group ext_if_out out 
>  no ip redirects 
>  no ip unreachables 
>  no ip proxy-arp 
>  ip inspect ext in 
>  ip nat outside 
>  ip virtual-reassembly 
>  ip route-cache flow 
>  ip policy route-map l00p 
>  duplex auto 
>  speed auto 
> !
> interface FastEthernet0/1 
>  description LAN 
>  ip address 192.168.40.1 255.255.255.0 
>  ip nat inside 
>  ip virtual-reassembly 
>  ip route-cache flow 
>  duplex auto 
>  speed auto 
> !
> ip local pool IRP_vpn 192.168.100.1 192.168.100.10 
> ip route 0.0.0.0 0.0.0.0 195.178.213.81 
> ip flow-export version 5 
> !
> no ip http server 
> no ip http secure-server 
> ip nat pool internal2outside 195.178.213.84 195.178.213.84 netmask 255.255.255.248 
> ip nat inside source list 1 pool internal2outside overload 
> !
> ip access-list extended ext_if_in 
>  evaluate ip_out 
>  permit tcp any host 195.178.213.83 eq 22 
>  permit udp any host 195.178.213.83 eq isakmp 
>  permit udp host 204.34.198.40 eq ntp host 195.178.213.83 eq ntp 
>  deny   ip any any log 
> ip access-list extended ext_if_out 
>  permit ip 195.178.213.80 0.0.0.7 any reflect ip_out 
>  deny   ip any any log 
> !
> access-list 101 permit ip any 192.168.40.0 0.0.0.255 
> access-list 108 permit ip any any 
> route-map l00p permit 10 
>  match ip address 101 
>  set interface Loopback0 FastEthernet0/1 
> !
> !
> !
> control-plane 
> !
> privilege exec level 3 show ip accounting 
> privilege exec level 3 show ip 
> privilege exec level 3 show 
> privilege exec level 3 clear ip accounting 
> privilege exec level 3 clear ip 
> privilege exec level 3 clear 
> !
> line con 0 
> line aux 0 
> line vty 0 4 
>  access-class 31 in 
>  privilege level 15 
>  transport input ssh 
> line vty 5 15 
>  privilege level 15 
>  transport input telnet 
> !
> ntp clock-period 17178386 
> ntp server 204.34.198.40 
> end

> gw#sh ip cache flow 
> IP packet size distribution (24632 total packets): 
>    1-32   64   96  128 
>  160  192  224  256  288  
> 320  352  384  416  448  480 
 
>    .000 .488 .124 .215 .024 .017 .011 .004 .004 
> .005 .005 .002 .002 .004 .003

>     512  544  576 1024 1536 2048 
> 2560 3072 3584 4096 4608 
>    .001 .001 .002 .015 .065 .000 .000 .000 .000 
> .000 .000

> IP Flow Switching Cache, 278544 bytes 
>   7 active, 4089 inactive, 2198 added 
>   31664 ager polls, 0 flow alloc failures 
>   Active flows timeout in 30 minutes 
>   Inactive flows timeout in 15 seconds 
> IP Sub Flow Cache, 21640 bytes 
>   0 active, 1024 inactive, 0 added, 0 added to flow 
 
>   0 alloc failures, 0 force free 
>   1 chunk, 1 chunk added 
>   last clearing of statistics never 
> Protocol         Total   
>  Flows   Packets Bytes  Packets Active(Sec) Idle(Sec) 
> --------         Flows   
>   /Sec     /Flow  /Pkt  
>    /Sec     /Flow   
>   /Flow 
> TCP-Telnet          22  
>     0.0       
> 107    41      1.0 
>      28.1      
> 15.5 
> TCP-WWW            
> 970      0.4     
>     6   427    
>   2.6       1.6  
>      4.3 
> TCP-SMTP            
> 35      0.0     
>    10   232     
>  0.1       5.7   
>     6.7 
> TCP-other          445  
>     0.1       
>  27   115      5.2 
>      12.9      
> 13.0 
> UDP-DNS            
>  49      0.0    
>      3    66  
>     0.0       
> 4.9      15.5 
> UDP-NTP            
>  33      0.0    
>      1    76  
>     0.0       
> 0.4      15.6 
> UDP-other           76 
>      0.0      
>    2   218     
>  0.0       2.2   
>    15.5 
> Total:            
> 1630      0.6     
>    13   200     
>  9.2       5.3   
>     8.0

> SrcIf         SrcIPaddress   
>  DstIf         DstIPaddress 
>    Pr SrcP DstP  Pkts 
> Fa0/1         192.168.40.2   
>  Fa0/0         85.140.17.215 
>   06 0016 0940   939    
>  я удаленно зашел на сервер 
> Fa0/0         85.140.17.215   
> Null          192.168.40.2 
>    06 0940 0016  1864    
>  через статич.NAT трансляцию 
> Fa0/1         192.168.40.2   
>  Local         192.168.40.1 
>    06 0F83 0017     4 
>     я зателнетился на циску с сервера 
> Fa0/0         194.67.23.205   
> Local         195.178.213.84  
> 06 07F9 0985     1 
> Fa0/1         195.178.213.84  Fa0/0 
>         194.67.23.205   
> 06 0985 07F9     1 
> Fa0/1         195.178.213.84  Fa0/0 
>         64.12.162.70   
>  06 048E 1446     1 
> Fa0/0         64.12.162.70   
>  Local         195.178.213.84 
>  06 1446 048E     1

> Самое интересное, что статич.трансляции нормально экспортятся в нетфлоу, но 4 последних 
> - заНАТченные сессии пользователей отображаются не верно... (

> Где грабли?

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру