大千世界 » cisco

人生就像茶几，摆满了杯具

admin — Thu, 08 Oct 2009 10:19:36 +0000

人生就像茶几，摆满了杯具，偶尔洗洗就成了喜剧！

你还想看

NAT Order of Operation

admin — Thu, 08 Oct 2009 10:16:28 +0000

Introduction

This document illustrates that the order in which transactions are processed using Network Address Translation (NAT) is based on whether a packet is going from the inside network to the outside network, or from the outside network to the inside network.

Prerequisites

Requirements

Readers of this document should have knowledge of the following topic:

Network Address Translation (NAT). For more information on NAT, see How NAT Works.

Components Used

This document is not restricted to specific software and hardware versions.

Note: The information in this document is based on the Software Version, Cisco IOS® Software Release 12.2(27)

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

NAT Overview

In the table below, when NAT performs the global to local, or local to global, translation is different in each flow.

Inside-to-Outside	Outside-to-Inside
If IPSec then check input access list decryption – for CET (Cisco Encryption Technology) or IPSec check input access list check input rate limits input accounting policy routing routing redirect to web cache NAT inside to outside (local to global translation) crypto (check map and mark for encryption) check output access list inspect (Context-based Access Control (CBAC)) TCP intercept encryption Queueing	If IPSec then check input access list decryption – for CET or IPSec check input access list check input rate limits input accounting NAT outside to inside (global to local translation) policy routing routing redirect to web cache crypto (check map and mark for encryption) check output access list inspect CBAC TCP intercept encryption Queueing

Inside-to-Outside

Outside-to-Inside

If IPSec then check input access list
decryption – for CET (Cisco Encryption Technology) or IPSec
check input access list
check input rate limits
input accounting
policy routing
routing
redirect to web cache
NAT inside to outside (local to global translation)
crypto (check map and mark for encryption)
check output access list
inspect (Context-based Access Control (CBAC))
TCP intercept
encryption
Queueing

If IPSec then check input access list
decryption – for CET or IPSec
check input access list
check input rate limits
input accounting
NAT outside to inside (global to local translation)
policy routing
routing
redirect to web cache
crypto (check map and mark for encryption)
check output access list
inspect CBAC
TCP intercept
encryption
Queueing

NAT Configuration and Output

The following example demonstrates how the order of operations can effect NAT. In this case, only NAT and routing are shown.

In the above example, Router-A is configured to translate the inside local address 171.68.200.48 to 172.16.47.150, as shown in the configuration below.

!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname Router-A
!
enable password ww
!
ip nat inside source static 171.68.200.48 172.16.47.150

              !--- This command creates a static NAT translation !--- between 171.68.200.48 and 172.16.47.150 
            
ip domain-name cisco.com
ip name-server 171.69.2.132
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 ip address 172.16.47.161 255.255.255.240
 ip nat inside

              !--- Configures Serial0 as the NAT inside interface
            
 no ip mroute-cache
 no ip route-cache
 no fair-queue
!
interface Serial1
 ip address 172.16.47.146 255.255.255.240
 ip nat outside

              !--- Configures Serial1 as the NAT outside interface
            
 no ip mroute-cache
 no ip route-cache
!
no ip classless
ip route 0.0.0.0 0.0.0.0 172.16.47.145

              !--- Configures a default route to 172.16.47.145
            

ip route 171.68.200.0 255.255.255.0 172.16.47.162
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password ww
 login
!
end

The translation table indicates that the intended translation exists.

Router-A#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.47.150      171.68.200.48      ---                ---

The following output is taken from Router-A with debug ip packet detail and debug ip nat enabled, and a ping issued from device 171.68.200.48 destined for 172.16.47.142.

Note: Debug commands generate a significant amount of output. Use them only when traffic on the IP network is low, so other activity on the system is not adversely affected. Before issuing debug commands, please see Important Information on Debug Commands.

IP: s=171.68.200.48 (Serial0), d=172.16.47.142, len 100, unroutable
    ICMP type=8, code=0
IP: s=172.16.47.161 (local), d=171.68.200.48 (Serial0), len 56, sending
    ICMP type=3, code=1
IP: s=171.68.200.48 (Serial0), d=172.16.47.142, len 100, unroutable
    ICMP type=8, code=0
IP: s=171.68.200.48 (Serial0), d=172.16.47.142, len 100, unroutable
    ICMP type=8, code=0
IP: s=172.16.47.161 (local), d=171.68.200.48 (Serial0), len 56, sending
    ICMP type=3, code=1
IP: s=171.68.200.48 (Serial0), d=172.16.47.142, len 100, unroutable
    ICMP type=8, code=0
IP: s=171.68.200.48 (Serial0), d=172.16.47.142, len 100, unroutable
    ICMP type=8, code=0
IP: s=172.16.47.161 (local), d=171.68.200.48 (Serial0), len 56, sending
    ICMP type=3, code=1

Since there are no NAT debug messages in the output above, you know that the existing static translation is not being used and that the router does not have a route for the destination address (172.16.47.142) in its routing table. The result of the non-routable packet is an ICMP Unreachable message, which is sent to the inside device.

However, Router-A has a default route of 172.16.47.145, so why is the route considered non-routable?

Router-A has no ip classless configured, which means if a packet destined for a “major” network address (in this case, 172.16.0.0) for which subnets exist in the routing table, the router does not rely on the default route. In other words, issuing the no ip classless command turns off the router’s ability to look for the route with the longest bit match. To change this behavior, you have to configure ip classless on Router-A. The ip classless command is enabled by default on Cisco routers with IOS Version 11.3 and above.

Router-A#configure terminal
Enter configuration commands, one per line.  End with CTRL/Z.
Router-A(config)#ip classless
Router-A(config)#end

Router-A#show ip nat translation
%SYS-5-CONFIG_I: Configured from console by console nat tr
Pro Inside global      Inside local       Outside local      Outside global
--- 172.16.47.150      171.68.200.48      ---                ---

Repeating the same ping test as before, we see that the packet gets translated and the ping is successful.

Ping Response on device 171.68.200.48

D:\>ping 172.16.47.142
Pinging 172.16.47.142 with 32 bytes of data:

Reply from 172.16.47.142: bytes=32 time=10ms TTL=255
Reply from 172.16.47.142: bytes=32 time<10ms TTL=255
Reply from 172.16.47.142: bytes=32 time<10ms TTL=255
Reply from 172.16.47.142: bytes=32 time<10ms TTL=255

Ping statistics for 172.16.47.142:
    Packets: Sent = 4, Received = 4, Lost = 0 (0%)
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  10ms, Average =  2ms

Debug messages on Router A indicating that the packets generated by device
171.68.200.48 are getting translated by NAT. 

Router-A#
*Mar 28 03:34:28: IP: tableid=0, s=171.68.200.48 (Serial0), d=172.16.47.142 (Serial1), routed via RIB
*Mar 28 03:34:28: NAT: s=171.68.200.48->172.16.47.150, d=172.16.47.142 [160]
*Mar 28 03:34:28: IP: s=172.16.47.150 (Serial0), d=172.16.47.142 (Serial1), g=172.16.47.145, len 100, forward
*Mar 28 03:34:28: ICMP type=8, code=0
*Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150->171.68.200.48 [160]
*Mar 28 03:34:28: IP: tableid=0, s=172.16.47.142 (Serial1), d=171.68.200.48 (Serial0), routed via RIB
*Mar 28 03:34:28: IP: s=172.16.47.142 (Serial1), d=171.68.200.48 (Serial0), g=172.16.47.162, len 100, forward
*Mar 28 03:34:28: ICMP type=0, code=0
*Mar 28 03:34:28: NAT*: s=171.68.200.48->172.16.47.150, d=172.16.47.142 [161]
*Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150->171.68.200.48 [161]
*Mar 28 03:34:28: IP: tableid=0, s=172.16.47.142 (Serial1), d=171.68.200.48
(Serial0), routed via RIB
*Mar 28 03:34:28: IP: s=172.16.47.142 (Serial1), d=171.68.200.48 (Serial0),
g=172.16.47.162, len 100, forward
*Mar 28 03:34:28: ICMP type=0, code=0
*Mar 28 03:34:28: NAT*: s=171.68.200.48->172.16.47.150, d=172.16.47.142 [162]
*Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150->171.68.200.48 [162]
*Mar 28 03:34:28: IP: tableid=0, s=172.16.47.142 (Serial1), d=171.68.200.48
(Serial0), routed via RIB
*Mar 28 03:34:28: IP: s=172.16.47.142 (Serial1), d=171.68.200.48 (Serial0),
g=172.16.47.162, len 100, forward
*Mar 28 03:34:28: ICMP type=0, code=0
*Mar 28 03:34:28: NAT*: s=171.68.200.48->172.16.47.150, d=172.16.47.142 [163]
*Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150->171.68.200.48 [163]
*Mar 28 03:34:28: IP: tableid=0, s=172.16.47.142 (Serial1), d=171.68.200.48
(Serial0), routed via RIB
*Mar 28 03:34:28: IP: s=172.16.47.142 (Serial1), d=171.68.200.48 (Serial0),
g=172.16.47.162, len 100, forward
*Mar 28 03:34:28: ICMP type=0, code=0
*Mar 28 03:34:28: NAT*: s=171.68.200.48->172.16.47.150, d=172.16.47.142 [164]
*Mar 28 03:34:28: NAT*: s=172.16.47.142, d=172.16.47.150->171.68.200.48 [164]
*Mar 28 03:34:28: IP: tableid=0, s=172.16.47.142 (Serial1), d=171.68.200.48
(Serial0), routed via RIB
*Mar 28 03:34:28: IP: s=172.16.47.142 (Serial1), d=171.68.200.48 (Serial0),
g=172.16.47.162, len 100, forward
*Mar 28 03:34:28: ICMP type=0, code=0

Router-A#undebug all
All possible debugging has been turned off

The above example shows that when a packet is traversing inside to outside, a NAT router checks its routing table for a route to the outside address before it continues to translate the packet. Therefore, it is important that the NAT router has a valid route for the outside network. The route to the destination network must be known through an interface that is defined as NAT outside in the router configuration.

It is important to note that the return packets are translated before they are routed. Therefore, the NAT router must also have a valid route for the Inside local address in its routing table.

你还想看

NAT/PAT中对于FTP的处理，以及PAT后的非标准21 FTP端口设置

admin — Sat, 19 Sep 2009 14:40:06 +0000

这里先要对FTP的两种模式说一下：

引用一张Cisco上面的图：

http://www.cisco.com/image/gif/paws/82018/pix-asa-enable-ftp-2.gif

FTP分为两种模式：主动Active 被动 Passive

主动模式下是使用21作为控制， 20作为数据口。

首先是客户端通过大于1023的端口发起到服务器21端口的控制连接，信息交换完成后。服务器从20端口发起连接到客户端提供的接收端口。

这是传统意义上的FTP行为。

被动模式是使用21作为控制，然后服务器自动选择一个大于1023的端口作为数据。

首先是客户端通过大于1023的端口发起到服务器21端口的控制连接，信息交换完成后。服务器告诉客户端一个大于1023的端口作为数据口，

然后客户端再以另外一个大于1023的端口发起连接到服务器提供的数据端口进行数据传输。

目前大多数服务器都支持这种模式，而且大部分客户端都默认采用被动模式和服务器进行传输。

好了，当我们在内网有两台服务器FTP SEVER1和FTP SERVER2都需要被外网访问的时侯，我们会分别为这两个服务器做映射出去。

假定FTP SERVE1(10.0.0.100)占用公网IP(x.x.x.x)的21端口，FTP SERVER2(10.0.0.200)占用公网IP(x.x.x.x)的2211端口。那么我们就会这么写：

ip nat inside source static tcp 10.0.0.100 21 x.x.x.x 21 extendable

ip nat inside source static tcp 10.0.0.200 21 x.x.x.x 2211 extendable

这样做了以后，我们会发现FTP SERVER1是正常的，而FTP SERVER2却不正常，表现为登录以后无法列出目录:

以下为FTP 客户端的LOG：

[xx:xx:03] PASV
[xx:xx:03] 227 Entering Passive Mode (10,0,0,200,6,32)
[xx:xx:24] Data Socket Error: Connection timed out
[xx:xx:24] List Complete: 0 bytes in 21.44 (1.00 KBps)

这是为什么呢？

答案就是在被动模式下，FTP SEVER告诉客户端的数据端口，无法被访问。为什么 FTP SERVER1又可以呢？

因为FTP SERVER1在对外映射的时侯采用了21端口，IOS会自动识别这个端口是FTP控制口，

从而去检查里面FTP数据控制数据发现服务器告诉客户端的这个用于传送数据的端口，然后自动的添加一条映射。

phanx# sh ip nat tr | in 10.0.0.100:
tcp x.x.x.x:21 10.0.0.100:21 y.y.y.y:1585 y.y.y.y:1585
tcp x.x.x.x:21 10.0.0.100:21 – -
tcp x.x.x.x:1812 10.0.0.20:1812 y.y.y.y:1594 y.y.y.y:1594

而FTP SERVER2映射的端口2211无法自动被识别成FTP端口，所以IOS不会自动的为它建立数据端口的映射。

解决的办法就是用 ip nat service 来指定这个端口。

access-list 10 permit 10.0.0.200

ip nat service 10 ftp tcp port 21

注意，这里的tcp port 21是指的 10.0.0.200的FTP端口21而不是 x.x.x.x的2211。如果FTP SERVER2用的FTP端口是其他的，那么就写对应的端口号。

这样做了以后，我们的FTP SERVER2就可以以 x.x.x.x:2211 的方式被公网访问了。

说道这里，问题已经解决了。但是，有人可能会提出来，既然FTP SERVER1用被动很正常，x.x.x.x:20端口并没有使用，

那为什么不用把FTP SERVER2主动模式来映射呢？比如这样做:

ip nat inside source static tcp 10.0.0.200 20 x.x.x.x 20 extendable

ip nat inside source static tcp 10.0.0.200 21 x.x.x.x 2211 extendable

OK. 这样做其实对于一部分情况是没有问题的。例如客户机的地址是公网地址，或者说能被FTP SERVER2所访问的地址。

但是如果客户机也是通过NAT/PAT上网的呢？假设客户端地址是192.168.1.111我们将看到这样的情况：

[00:14:10] PORT 192,168,1,111 ,6,179
[00:14:10] 200 PORT Command successful.
[00:14:10] REST 2028256
[00:14:10] 350 Restarting at 2028256. Send STORE or RETRIEVE.
[00:14:10] RETR fool.exe
[00:14:10] 150 Opening BINARY mode data connection for fool.exe (924668 Bytes).
[00:14:11] 425 Cannot open data connection.
[00:14:11] Transfer Failed!

因为是主动模式，是服务器主动送数据给客户机。那客户机通过控制信息就需要告诉服务器往哪里送，

但是FTP客户端并不知道自己的公网地址和端口，并且客户机也没有能力去自己的NAT/PAT网关上去开放一个端口让服务器来送数据。

所以它是以自己的实际地址去告诉服务器的。对于服务器而言，这个地址是无法被访问到的，所以这个办法也有行不通的地方。

当然，如果FTP客户端支持uPNP能识别到翻译后的公网地址，NAT/PAT网关也有uPNP的能力的话，主动模式的这个问题应该就能解决。

BTW：主动模式的FTP又被称为 “firewall UNfriendly”，什么原因？好好理解哦～

PIX/ASA上面的配置方法见：

PIX/ASA 7.x: Enable FTP/TFTP Services Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml