网络工程 - 网络转换和端口转发导致主机超时 - 吾爱随笔录

我正在尝试建立一个小型网络，由 3 个路由器和交换机以及一个 L3 交换机组成：

我在路由器 R1 和 R2 上都激活了 PAT，将私有 IP 地址转换为公共 IP 地址，

当从主机 Bizerte 或服务器 ping 所有公共地址时，一切正常。

我在路由器 R3 上设置了端口转发，将端口 80 上的所有传入数据包转发到服务器。

当我从 R1 远程登录到41.224.0.3:80它时工作正常，并且翻译成功，但是当我尝试使用 Bizerte 主机使用相同的命令时，翻译失败，并且检查服务器，我什至无法在路由器 R3 上 ping （172.16.5.65）。检查服务器意味着从服务器连接到 R3 路由器，反之亦然。

为了恢复连接，我必须到shutdown接口e0（直接连接到服务器的 R3 路由器上的 e0。），然后no shutdown再一次。

以下是路由器配置：

R1：

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
ip tcp synwait-time 5
no ip dhcp use vrf connected
!
ip dhcp pool bizerte
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1 
!
!
no ip domain lookup
!
!
!
!
!
! 
!
!
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 41.224.0.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed auto
!
ip route 0.0.0.0 0.0.0.0 41.224.0.6
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 172.16.1.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

R3：

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
ip tcp synwait-time 5
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.65 172.16.5.66
!
ip dhcp pool ariana
   network 172.16.5.64 255.255.255.192
   default-router 172.16.5.65 
!
!
no ip domain lookup
!
!
!
!
!
! 
!
!
!
interface Ethernet0
 ip address 172.16.5.65 255.255.255.192
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 41.224.0.3 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed auto
!
ip route 0.0.0.0 0.0.0.0 41.224.0.6
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.5.66 80 interface FastEthernet0 80
!
access-list 1 permit 172.16.5.64 0.0.0.63
no cdp log mismatch duplex
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

编辑：

从 NAT 调试输出和 Wireshark 捕获来看，路由器 R3 似乎实际上向路由器 R1 发送了响应，但路由器 R1 并未将响应路由/转发回主机（此处为 Bizerte）。

NAT 调试输出：

路由器 R1：

*Mar 1 00:20:24.607: NAT: [0] Allocated Port for 172.16.1.3 -> 41.224.0.1: wanted 1043 got 1043
*Mar 1 00:20:24.607: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [176]
*Mar 1 00:20:24.611: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [176]
*Mar 1 00:20:24.611: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [176]
*Mar 1 00:20:24.635: NAT*: o: tcp (41.224.0.3, 80) -> (41.224.0.1, 1043) [1098]
*Mar 1 00:20:24.639: NAT*: s=41.224.0.3, d=41.224.0.1->172.16.1.3 [1098]
*Mar 1 00:20:24.639: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [177]
*Mar 1 00:20:24.639: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [177] R1#
*Mar 1 00:20:44.811: NAT*: o: tcp (41.224.0.3, 80) -> (41.224.0.1, 1043) [1107]
*Mar 1 00:20:44.815: NAT*: s=41.224.0.3, d=41.224.0.1->172.16.1.3 [1107]
*Mar 1 00:20:44.847: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [178]
*Mar 1 00:20:44.847: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [178]
*Mar 1 00:20:44.851: NAT: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [179]
*Mar 1 00:20:44.851: NAT: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [179] R1#
*Mar 1 00:20:47.967: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [180]
*Mar 1 00:20:47.967: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [180] R1#
*Mar 1 00:20:53.747: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [181]
*Mar 1 00:20:53.747: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [181] R1#
*Mar 1 00:21:05.107: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [182]
*Mar 1 00:21:05.111: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [182] R1#
*Mar 1 00:21:27.723: NAT*: i: tcp (172.16.1.3, 1043) -> (41.224.0.3, 80) [183]
*Mar 1 00:21:27.723: NAT*: s=172.16.1.3->41.224.0.1, d=41.224.0.3 [183]

路由器 R3：

*Mar 1 00:20:55.247: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [176]
*Mar 1 00:20:55.251: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [176]
*Mar 1 00:20:55.251: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [176]
*Mar 1 00:20:55.279: NAT*: i: tcp (172.16.5.66, 80) -> (41.224.0.1, 1043) [1098]
*Mar 1 00:20:55.283: NAT*: s=172.16.5.66->41.224.0.3, d=41.224.0.1 [1098]
*Mar 1 00:20:55.287: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [177]
*Mar 1 00:20:55.287: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [177] R3#
*Mar 1 00:21:15.291: NAT*: i: tcp (172.16.5.66, 80) -> (41.224.0.1, 1043) [1107]
*Mar 1 00:21:15.291: NAT*: s=172.16.5.66->41.224.0.3, d=41.224.0.1 [1107]
*Mar 1 00:21:15.351: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [178]
*Mar 1 00:21:15.355: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [178]
*Mar 1 00:21:15.355: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [179]
*Mar 1 00:21:15.355: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [179] R3#
*Mar 1 00:21:18.523: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [180]
*Mar 1 00:21:18.527: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [180] R3#
*Mar 1 00:21:24.291: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [181]
*Mar 1 00:21:24.291: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [181] R3#
*Mar 1 00:21:35.651: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [182]
*Mar 1 00:21:35.651: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [182] R3#
*Mar 1 00:21:58.123: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [183]
*Mar 1 00:21:58.123: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [183] R3#
*Mar 1 00:22:42.831: NAT*: o: tcp (41.224.0.1, 1043) -> (41.224.0.3, 80) [185]
*Mar 1 00:22:42.831: NAT*: s=41.224.0.1, d=41.224.0.3->172.16.5.66 [185]