I ran into a very strange problem in a customer network.
Customers reach the Internet through NAPT, for which I use a few public IP addresses. (For obvious reasons I have changed the IP addresses.)
ip nat pool NAT 3.3.3.175 3.3.3.190 netmask 255.255.255.192
ip nat inside source list NAT pool NAT vrf NAT overload
Other NAT settings:
ip nat settings pap
ip nat log translations flow-export v9 udp destination 192.168.55.10 9995
ip nat log translations flow-export v9 vrf NAT on
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 120
ip route vrf NAT 0.0.0.0 0.0.0.0 3.3.3.1
Interfaces:
interface GigabitEthernet0/0/0.220
description IP NAT OUTSIDE
encapsulation dot1Q 220
ip vrf forwarding NAT
ip address 3.3.3.5 255.255.255.192
ip nat outside
!
interface GigabitEthernet0/0/2.202
description IP NAT INSIDE
encapsulation dot1Q 202
ip vrf forwarding NAT
ip flow monitor FLOW-MONITOR input
ip flow monitor v3.12 input
ip flow monitor FLOW-MONITOR output
ip flow monitor v3.12 output
ip address 10.128.1.2 255.255.255.248
ip nat inside
Access list NAT has about 477 entries.
I have problems reaching some websites:
- google.com always returns a 500 error
- several other sites are unreachable - just endless loading and a white screen
However, all of this only happens when my global IP from the pool above is .179 or .180.
I tried changing my global IP to .189 (the end of the pool) with static NAT, and all of the above problems disappeared: no 500 problem with Google, and the sites that had not been loading now load.
I'm really lost trying to find the root cause. When I was dealing with the Google problem I was thinking about botnet/virus activity, or maybe a bad TLS handshake caused by lost/retransmitted packets, but in that case I would see these problems on many resources.
I don't even know whether this is a NAT problem at all. The only way I can think of to find out (right now, if I can think of anything) is to rebuild the NAT pool (make it smaller, excluding the "bad IPs") and try assigning those addresses statically to hosts and see what happens. That would tell us (maybe the problem really is too many, or bad, requests coming from one IP).
Maybe many requests are being handled from one global IP, but to deal with that I tried ip nat settings pap.
Current translations:
asr1.core#sh ip nat translations total
Total number of translations: 60199
The router is an ASR1000X:
asr1.core#sh ver
Cisco IOS XE Software, Version 16.05.01b
cisco ASR1001-X (1NG) processor (revision 1NG) with 3763831K/6147K bytes of memory.
6 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
6594559K bytes of eUSB flash at bootflash:.
I'm looking for advice on how to approach this kind of problem, and maybe some practical experience with NAT/PAT issues?
EDIT =============================================
asr1.core#sh ip route 3.3.3.179
Routing entry for 3.3.3.128/26
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 3.3.3.5
Route metric is 0, traffic share count is 1
asr1.core#sh ip route 3.3.3.189
Routing entry for 3.3.3.128/26
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 3.3.3.5
Route metric is 0, traffic share count is 1
So the route to both addresses just points at the NAT outside interface.
In the NAT routing table there is nothing for the global IPs, but that is understandable, because routing happens after the address has been translated to the private IP.
asr1.core#sh ip route vrf NAT 3.3.3.189
Routing Table: NAT
% Subnet not in table
asr1.core#sh ip route vrf NAT 3.3.3.179
Routing Table: NAT
% Subnet not in table
Default routes:
Global routing table (points to the NAT inside interface):
Gateway of last resort is 10.128.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.128.1.2
1.0.0.0/8 is variably subnetted, 2895 subnets, 14 masks
B 1.0.0.0/24 [20/0] via BGP1, 2d10h
B 1.0.4.0/22 [20/0] via BGP1, 2d10h
B 1.0.4.0/24 [20/0] via BGP1, 2d10h
B 1.0.5.0/24 [20/0] via BGP1, 2d10h
B 1.0.6.0/24 [20/0] via BGP1, 2d10h
B 1.0.7.0/24 [20/0] via BGP1, 2d10h
B 1.0.16.0/24 [20/0] via BGP2, 2d10h
B 1.0.64.0/18 [20/0] via BGP2, 2d10h
.....etc
vrf NAT routing table:
Routing Table: NAT
Gateway of last resort is 3.3.3.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 3.3.3.1
10.0.0.0/8 is variably subnetted, 889 subnets, 10 masks
S 10.0.0.0/8 [1/0] via 10.128.1.3
.....etc
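The post asks whether too many requests are leaving from one global address. As an added example (not the poster's code or output), here is a small parser over `show ip nat translations` text that counts, per inside-global address, the translations, the inside hosts sharing it and the distinct TCP/UDP ports in use, which is what you would compare between .179/.180 and .189. The sample table below is constructed, and the port budget (1024-65535 per address) is an assumption about the PAT allocator.

```python
from collections import defaultdict

# Constructed sample of `show ip nat translations` output (not the poster's real table).
SAMPLE = """\
Pro  Inside global          Inside local           Outside local          Outside global
tcp  3.3.3.179:40012        10.128.10.5:52341      142.250.74.78:443      142.250.74.78:443
tcp  3.3.3.179:40013        10.128.10.6:49160      142.250.74.78:443      142.250.74.78:443
udp  3.3.3.179:40013        10.128.10.7:53001      8.8.8.8:53             8.8.8.8:53
tcp  3.3.3.180:1024         10.128.11.2:51000      104.16.0.1:443         104.16.0.1:443
---  3.3.3.189              10.128.12.9            ---                    ---
tcp  3.3.3.189:1024         10.128.12.9:51500      142.250.74.78:443      142.250.74.78:443
Total number of translations: 6
"""

# Assumed usable port range per global address (PAT allocating from 1024 to 65535).
PORT_BUDGET = 65535 - 1024 + 1
PROTOCOLS = ("tcp", "udp", "icmp")

def parse_translations(text):
    """Yield (proto, global_ip, global_port, inside_local_ip) for each dynamic entry."""
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the totals line and static (---) entries that carry no protocol.
        if len(parts) != 5 or parts[0] not in PROTOCOLS:
            continue
        proto, inside_global, inside_local, _outside_local, _outside_global = parts
        ip, _, port = inside_global.rpartition(":")
        host, _, _ = inside_local.rpartition(":")
        yield proto, ip, int(port), host

def per_global_usage(text):
    """Return {global_ip: {"translations": n, "hosts": set(), "ports": {proto: set()}}}."""
    usage = defaultdict(lambda: {"translations": 0, "hosts": set(), "ports": defaultdict(set)})
    for proto, ip, port, host in parse_translations(text):
        usage[ip]["translations"] += 1
        usage[ip]["hosts"].add(host)
        usage[ip]["ports"][proto].add(port)
    return dict(usage)

def port_pressure(text):
    """Fraction of the assumed TCP port budget each global address has in use (0.0 to 1.0)."""
    return {ip: len(u["ports"]["tcp"]) / PORT_BUDGET for ip, u in per_global_usage(text).items()}

if __name__ == "__main__":
    for ip, u in sorted(per_global_usage(SAMPLE).items()):
        tcp, udp = len(u["ports"]["tcp"]), len(u["ports"]["udp"])
        print(f"{ip}: {u['translations']} translations, {len(u['hosts'])} hosts, "
              f"tcp ports {tcp}, udp ports {udp}")
```

Feed it the real table (`show ip nat translations | redirect` or a pasted capture) and compare the suspect addresses with .189: a large host count or a TCP port share near 1.0 on .179/.180 would support the "too many requests from one IP" theory, while similar numbers would point away from NAT.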