forum.opennet.ru

Составление сообщения

Исходное сообщение

"Netflow egress  + NAT"
Отправлено alexisks, 10-Янв-07 13:03

Вот полный конфиг:
cisco1760#show running-config
Building configuration...
Current configuration : 6085 bytes
!
! Last configuration change at 10:02:03 EET Wed Jan 10 2007 by adms
! NVRAM config last updated at 12:16:06 EET Tue Jan 9 2007 by alexis
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname cisco1760
!
boot-start-marker
boot system flash flash:c1700-ipbasek9-mz.124-10a.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8000 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
!
aaa session-id common
clock timezone EET 2
no ip source-route
ip cef
ip cef accounting per-prefix
!
!
ip tcp synwait-time 10
!
!
ip flow-egress input-interface
no ip bootp server
ip domain name XXXXXXXXXXXX.kiev.ua
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-180360467
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-180360467
revocation-check none
rsakeypair TP-self-signed-180360467
!
!
crypto pki certificate chain TP-self-signed-180360467
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXX
quit
username adms password 7 XXXXXXXXXXXXXXXXXXXXXXX
username alexis privilege 15 view root secret 5 XXXXXXXXXXXXXXXXXXX
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 10.1.0.2 255.0.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip route-cache flow
speed auto
no cdp enable
!
interface Serial0/0
description $FW_OUTSIDE$
ip address 80.XX.XXX.126 255.255.255.252
ip access-group InternetIn in
ip access-group InternetOut out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation frame-relay IETF
ip route-cache flow
load-interval 30
frame-relay interface-dlci 440
!
interface Serial0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 80.XX.XXX.125
ip flow-export version 5
ip flow-export destination 10.0.0.3 9996
ip flow-top-talkers
top 15
sort-by bytes
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat inside source list NAT interface Serial0/0 overload
ip nat inside source static 10.0.0.5 80.XX.XXX.178
ip nat inside source static 10.0.0.6 80.XX.XXX.179
ip nat inside source static 10.0.0.3 80.XX.XXX.180
ip nat inside source static 10.0.0.77 80.XX.XXX.181
ip nat inside source static 10.0.0.50 80.XX.XXX.182
!
ip access-list extended InternetIn
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq www
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit icmp any any echo-reply
permit icmp any any echo
permit tcp any host 80.XX.XXX.178 eq smtp
permit tcp host 212.XX.XXX.147 host 80.XX.XXX.179 eq 1352
permit tcp host 193.XX.XXX.194 host 80.XX.XXX.179 eq 1352
permit tcp host 212.XX.XXX.134 host 80.XX.XXX.179 eq 1352
evaluate InternetTraffic
deny ip any any log
ip access-list extended InternetOut
permit tcp any any reflect InternetTraffic
permit udp any any reflect InternetTraffic
permit icmp any any reflect InternetTraffic
ip access-list extended NAT
permit ip host 10.0.0.50 any
permit ip host 10.0.0.77 any
permit ip host 10.0.0.222 any
permit ip host 10.0.0.5 any
permit ip host 10.0.0.3 any
permit ip host 10.0.0.55 any
permit ip host 10.0.0.4 any
permit ip host 10.0.0.107 any
permit ip host 10.0.0.100 any
permit ip host 10.0.30.7 any
permit ip host 10.0.4.81 any
permit ip host 10.0.3.12 any
!
access-list 1 permit 10.0.0.50
access-list 1 permit 10.0.0.77
access-list 1 permit 10.0.0.222
access-list 100 deny tcp any any eq 881 log
access-list 100 deny tcp any eq 881 any log
access-list 100 deny udp any any eq 881 log
access-list 100 deny udp any eq 881 any log
access-list 100 permit ip any any
snmp-server community public RO
snmp-server host 10.1.0.222 public
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 1 in
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17208089
ntp server 10.0.0.2 source FastEthernet0/0 prefer
ntp server 10.0.0.4 source FastEthernet0/0
ntp server 10.0.0.5 source FastEthernet0/0
end

А вот часть вывода show ip cache flow
....
Fa0/0         80.XX.XXX.178   Se0/0         213.180.199.22  06 8D23 0050     8
Fa0/0         80.XX.XXX.126   Null          87.19.39.49     06 8EA9 1236     1
Fa0/0         80.XX.XXX.126   Se0/0         87.19.39.49     06 8EA9 1236     9
Fa0/0         80.XX.XXX.126   Se0/0         195.131.153.36  06 AB6B 1236     1
Fa0/0         80.XX.XXX.126   Se0/0         88.118.205.14   06 941E 1236  3456
Fa0/0         80.XX.XXX.126   Se0/0         212.7.28.195    06 DC30 26AA     8
Fa0/0         80.XX.XXX.126   Null          212.7.28.195    06 DC30 26AA     1
Fa0/0         80.XX.XXX.126   Se0/0         85.85.2.181     06 8304 1236     8

Т.е. вместо 10.0.*.*** имеем в статистике один ИР 80.XX.XXX.126, за исключением тех которые статически в NATе (ip nat inside source static 10.0.0.5 80.XX.XXX.178), они видятся отдельно:
Fa0/0         80.XX.XXX.178   Se0/0         217.20.163.247  06 8D55 0050     7
Fa0/0         80.XX.XXX.178   Se0/0         205.188.1.120   06 ECAB 01BB     1
В итоге почтитать трафик по пользователям - нереально :(
И что с этим делать пока найти не смог....

Исходное сообщение
"Netflow egress + NAT" Отправлено alexisks, 10-Янв-07 13:03
Вот полный конфиг: cisco1760#show running-config Building configuration... Current configuration : 6085 bytes ! ! Last configuration change at 10:02:03 EET Wed Jan 10 2007 by adms ! NVRAM config last updated at 12:16:06 EET Tue Jan 9 2007 by alexis ! version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec service timestamps log datetime msec service password-encryption service sequence-numbers ! hostname cisco1760 ! boot-start-marker boot system flash flash:c1700-ipbasek9-mz.124-10a.bin boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 8000 debugging enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ! aaa new-model ! ! ! aaa session-id common clock timezone EET 2 no ip source-route ip cef ip cef accounting per-prefix ! ! ip tcp synwait-time 10 ! ! ip flow-egress input-interface no ip bootp server ip domain name XXXXXXXXXXXX.kiev.ua ip ssh time-out 60 ip ssh authentication-retries 2 ! ! crypto pki trustpoint TP-self-signed-180360467 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-180360467 revocation-check none rsakeypair TP-self-signed-180360467 ! ! crypto pki certificate chain TP-self-signed-180360467 certificate self-signed 01 XXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXX quit username adms password 7 XXXXXXXXXXXXXXXXXXXXXXX username alexis privilege 15 view root secret 5 XXXXXXXXXXXXXXXXXXX ! ! ! interface Null0 no ip unreachables ! interface FastEthernet0/0 description $ETH-LAN$$FW_INSIDE$ ip address 10.1.0.2 255.0.0.0 ip access-group 100 in no ip redirects no ip unreachables no ip proxy-arp ip flow ingress ip flow egress ip nat inside ip route-cache flow speed auto no cdp enable ! interface Serial0/0 description $FW_OUTSIDE$ ip address 80.XX.XXX.126 255.255.255.252 ip access-group InternetIn in ip access-group InternetOut out no ip redirects no ip unreachables no ip proxy-arp ip nat outside encapsulation frame-relay IETF ip route-cache flow load-interval 30 frame-relay interface-dlci 440 ! interface Serial0/1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow shutdown no cdp enable ! ip route 0.0.0.0 0.0.0.0 80.XX.XXX.125 ip flow-export version 5 ip flow-export destination 10.0.0.3 9996 ip flow-top-talkers top 15 sort-by bytes ! ip http server ip http access-class 1 no ip http secure-server ip nat inside source list NAT interface Serial0/0 overload ip nat inside source static 10.0.0.5 80.XX.XXX.178 ip nat inside source static 10.0.0.6 80.XX.XXX.179 ip nat inside source static 10.0.0.3 80.XX.XXX.180 ip nat inside source static 10.0.0.77 80.XX.XXX.181 ip nat inside source static 10.0.0.50 80.XX.XXX.182 ! ip access-list extended InternetIn permit udp any any eq domain permit tcp any any eq domain permit tcp any any eq www permit tcp any any eq ftp permit tcp any any eq ftp-data permit icmp any any echo-reply permit icmp any any echo permit tcp any host 80.XX.XXX.178 eq smtp permit tcp host 212.XX.XXX.147 host 80.XX.XXX.179 eq 1352 permit tcp host 193.XX.XXX.194 host 80.XX.XXX.179 eq 1352 permit tcp host 212.XX.XXX.134 host 80.XX.XXX.179 eq 1352 evaluate InternetTraffic deny ip any any log ip access-list extended InternetOut permit tcp any any reflect InternetTraffic permit udp any any reflect InternetTraffic permit icmp any any reflect InternetTraffic ip access-list extended NAT permit ip host 10.0.0.50 any permit ip host 10.0.0.77 any permit ip host 10.0.0.222 any permit ip host 10.0.0.5 any permit ip host 10.0.0.3 any permit ip host 10.0.0.55 any permit ip host 10.0.0.4 any permit ip host 10.0.0.107 any permit ip host 10.0.0.100 any permit ip host 10.0.30.7 any permit ip host 10.0.4.81 any permit ip host 10.0.3.12 any ! access-list 1 permit 10.0.0.50 access-list 1 permit 10.0.0.77 access-list 1 permit 10.0.0.222 access-list 100 deny tcp any any eq 881 log access-list 100 deny tcp any eq 881 any log access-list 100 deny udp any any eq 881 log access-list 100 deny udp any eq 881 any log access-list 100 permit ip any any snmp-server community public RO snmp-server host 10.1.0.222 public no cdp run ! control-plane ! banner login ^CAuthorized access only!^C ! line con 0 transport output telnet line aux 0 transport output telnet line vty 0 4 access-class 1 in transport input ssh ! scheduler allocate 4000 1000 scheduler interval 500 ntp clock-period 17208089 ntp server 10.0.0.2 source FastEthernet0/0 prefer ntp server 10.0.0.4 source FastEthernet0/0 ntp server 10.0.0.5 source FastEthernet0/0 end А вот часть вывода show ip cache flow .... Fa0/0 80.XX.XXX.178 Se0/0 213.180.199.22 06 8D23 0050 8 Fa0/0 80.XX.XXX.126 Null 87.19.39.49 06 8EA9 1236 1 Fa0/0 80.XX.XXX.126 Se0/0 87.19.39.49 06 8EA9 1236 9 Fa0/0 80.XX.XXX.126 Se0/0 195.131.153.36 06 AB6B 1236 1 Fa0/0 80.XX.XXX.126 Se0/0 88.118.205.14 06 941E 1236 3456 Fa0/0 80.XX.XXX.126 Se0/0 212.7.28.195 06 DC30 26AA 8 Fa0/0 80.XX.XXX.126 Null 212.7.28.195 06 DC30 26AA 1 Fa0/0 80.XX.XXX.126 Se0/0 85.85.2.181 06 8304 1236 8 Т.е. вместо 10.0..** имеем в статистике один ИР 80.XX.XXX.126, за исключением тех которые статически в NATе (ip nat inside source static 10.0.0.5 80.XX.XXX.178), они видятся отдельно: Fa0/0 80.XX.XXX.178 Se0/0 217.20.163.247 06 8D55 0050 7 Fa0/0 80.XX.XXX.178 Se0/0 205.188.1.120 06 ECAB 01BB 1 В итоге почтитать трафик по пользователям - нереально :( И что с этим делать пока найти не смог....

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру