Опять не работает трансляция ((

регистрация напомнить пароль

вхожу с чужого компьютера

войти

/ первая страница / форум / Вернуться в раздел архива "Техническая поддержка: Cisco" /

Муравьев Ярослав

2005-10-20 15:04:19

Задача:
Нужно ходить на адрес 81.19.70.1 по 80 порту, используя внутренний IP 192.168.1.28.
Т.е. человек в сети набирает http://192.168.1.28 и попадает на сервер с приложенем.

Building configuration...

Current configuration : 2150 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c2811
!
boot-start-marker
boot-end-marker
!
enable secret blablabla
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
!
!
no ip cef
!
!
ip name-server 192.168.1.252
no ftp-server write-enable
!
!
!
interface FastEthernet0/0
ip address X.X.X.X 255.255.255.252
ip access-group 101 in
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.28 255.255.255.0 secondary
ip address 192.168.1.4 255.255.255.0
no ip proxy-arp
ip nat inside
duplex auto
speed auto
no cdp enable
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.Y
ip route 192.168.1.28 255.255.255.255 FastEthernet0/0
ip http server
ip nat inside source list 150 interface FastEthernet0/0 overload
ip nat outside source static tcp 81.19.70.1 80 192.168.1.28 80 extendable
!
!
access-list 101 permit tcp any host X.X.X.X established
access-list 101 permit icmp any any
access-list 101 permit udp any any
access-list 101 deny ip any any log-input
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 20000 0
password blablabla
login
!
scheduler allocate 20000 1000
!
end

Проблема:
Не работает трансляция вообще.
При наборе http://192.168.1.28 попадаю на цискин вебсервер (если no ip http server, но вообще не работает).
По дебагам трансляция не создается, хотя статическая есть:

c2811#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp --- --- 192.168.1.28:80 81.19.70.1:80

Муравьев Ярослав

2005-10-20 15:12:32

c2811#debug ip tcp packet
TCP Packet debugging is on

C:\telnet 192.168.1.28 80

c2811#
*Oct 20 11:09:01.319: tcp0: I LISTEN 192.168.1.60:3614 192.168.1.28:80 seq 555423397
OPTS 8 SYN WIN 64512
*Oct 20 11:09:01.319: TCP: sent RST to 192.168.1.60:3614 from 192.168.1.28:80
*Oct 20 11:09:01.735: tcp0: I LISTEN 192.168.1.60:3614 192.168.1.28:80 seq 555423397
OPTS 8 SYN WIN 64512
*Oct 20 11:09:01.735: TCP: sent RST to 192.168.1.60:3614 from 192.168.1.28:80
*Oct 20 11:09:02.235: tcp0: I LISTEN 192.168.1.60:3614 192.168.1.28:80 94 seq 555423397
OPTS 8 SYN WIN 64512
*Oct 20 11:09:02.235: TCP: sent RST to 192.168.1.60:3614 from 192.168.1.28:80
*Oct 20 11:09:02.463: tcp0: I LISTEN 192.168.1.6:2785 192.168.1.28:80 seq 1449722356
OPTS 8 SYN WIN 65535

Николай Дудник

2005-10-20 19:13:24

r2(config)#do sh run
Building configuration...

Current configuration : 3453 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
logging queue-limit 100
!
username cisco password 0 cisco
memory-size iomem 10
aaa new-model
!
!
aaa authentication login UCL local
aaa authorization network UCL local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect tcp idle-time 1800
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUP
key cisco
domain cisco.com
pool POOL
!
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto dynamic-map DM 10
set transform-set TS
reverse-route
!
!
crypto map CM client authentication list UCL
crypto map CM isakmp authorization list UCL
crypto map CM client configuration address respond
crypto map CM 10 ipsec-isakmp dynamic DM
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 152.3.2.2 255.255.255.255
!
interface Ethernet0/0
ip address 150.100.2.2 255.255.255.0
ip access-group 100 in
ip nat outside
ip inspect FW out
half-duplex
crypto map CM
!
interface Serial0/0
ip address 151.3.3.2 255.255.255.0
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 cisco
clockrate 128000
frame-relay map ip 151.3.3.4 204 broadcast
frame-relay map ip 151.3.3.6 204 broadcast
no frame-relay inverse-arp
!
interface TokenRing0/0
no ip address
shutdown
ring-speed 16
!
router ospf 3
router-id 152.3.2.2
log-adjacency-changes
area 0 authentication message-digest
redistribute static subnets
passive-interface default
no passive-interface Serial0/0
network 150.100.2.0 0.0.0.255 area 0
network 151.3.3.0 0.0.0.255 area 0
network 152.3.2.2 0.0.0.0 area 0
!
router bgp 3
no synchronization
bgp router-id 152.3.2.2
bgp log-neighbor-changes
aggregate-address 199.68.0.0 255.255.224.0 suppress-map sup
neighbor 150.100.2.254 remote-as 254
neighbor 152.3.4.4 remote-as 3
neighbor 152.3.4.4 update-source Loopback0
no auto-summary
!
ip local pool POOL 200.2.2.1 200.2.2.100
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat outside source static tcp 150.100.2.254 80 151.3.3.254 80 extendable
no ip http server
no ip http secure-server
ip classless
ip route 151.3.3.254 255.255.255.255 150.100.2.254
!
!
!
access-list 1 deny 199.68.5.0 0.0.0.255
access-list 1 permit any
access-list 100 permit tcp host 150.100.2.254 host 150.100.2.2 eq bgp
access-list 100 permit tcp host 150.100.2.254 eq bgp host 150.100.2.2
access-list 100 permit udp any host 150.100.2.2 eq isakmp
access-list 100 permit esp any host 150.100.2.2
access-list 100 permit ip 200.2.2.0 0.0.0.255 any
access-list 100 deny ip host 150.100.1.241 any
access-list 100 deny ip any any log
access-list 101 deny ip any 200.2.2.0 0.0.0.255
access-list 101 permit ip 151.3.0.0 0.0.255.255 any
access-list 101 permit ip 10.3.0.0 0.0.255.255 any
access-list 101 permit ip 152.3.0.0 0.0.255.255 any
!
route-map sup permit 10
match ip address 1
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

r4(config)#do teln 151.3.3.254 80
Trying 151.3.3.254, 80 ... Open
quit
HTTP/1.0 501 Not Implemented
Date: Fri, 26 Mar 1993 04:46:18 UTC
Content-type: text/html
Expires: Thu, 16 Feb 1989 00:00:00 GMT

<H1>501 Not Implemented</H1>

[Connection to 151.3.3.254 closed by foreign host]

bb1-2#sh tcp br
TCB Local Address Foreign Address (state)
0195A918 150.100.2.254.80 150.100.2.2.63887 ESTAB
017D7314 150.100.2.254.13410 150.100.2.2.179 ESTAB
01951634 150.100.2.254.179 150.100.2.2.11002 FINWAIT2

r2(config)#do sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp --- --- 151.3.3.254:80 150.100.2.254:80
tcp 150.100.2.2:44069 151.3.3.4:44069 151.3.3.254:80 150.100.2.254:80

Sergey Moroz

2005-10-20 19:37:30

В исходном конфиге стоит:

interface FastEthernet0/1
ip address 192.168.1.28 255.255.255.0 secondary
ip address 192.168.1.4 255.255.255.0
ip nat inside

а для создания статической трансляции НИКОГДА не нужно делать secondary. Из-за него обращение на 192.168.1.28 и попадает на веб-сервер маршрутизатора... Было бы странно если бы оно еще куда-нибудь попало :-)

Муравьев Ярослав

2005-10-20 20:52:40

<i>to Sergey Moroz:</i>
В лабе при установленном секондари-адресе все работает.
В исходном конфиге, если убрать секондари и включить прокси-арп - не работает.

Алексеев Алексей

2005-10-20 22:57:08

<i>to Муравьев Ярослав:</i>
если всё работает, то зачем весь этот топик?

Муравьев Ярослав

2005-10-21 12:16:19

В лабе циска является единственным прокси-арп сервером.
В продакшне возможно существование нескольких прокси-арп серверов.

В этом может быть причина?

Николай Дудник

2005-10-21 12:54:57

no ip route 192.168.1.28 255.255.255.255 FastEthernet0/0
ip route 192.168.1.28 255.255.255.255 X.X.X.Y
interface FastEthernet0/1
no ip address 192.168.1.28 255.255.255.0 secondary
do clear arp


	Создание и поддержка: © 1999- САМАН (495) 915-3358, 915-3580, 585-6927, 585-6799



Центр Обучения и Тестирования "САМАН" Центр технической поддержки "Supporting.Ru" Кафедра "Интернет технологии" МАТИ