
One Cisco, two PPPoE connections to different providers.
I want something odd: when a TCP packet arrives from outside at our WAN
(IP:YY.YY.YY.5 PORT:5002), replace the source address in it with YY.YY.YY.5 and send it back outside to IP:FF.FF.FF.88, PORT:5001.
Are there any options?
Code:
#sh ver
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright © 1986-2010 by Cisco Systems, Inc.
Compiled Sun 18-Jul-10 06:43 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
router uptime is 1 week, 4 days, 17 hours, 6 minutes
System returned to ROM by reload at 08:00:45 UTC Wed Sep 29 2010
System image file is "flash0:c3900-universalk9-mz.SPA.150-1.M3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 983040K/65536K bytes of memory.
Processor board ID FCZ141070V0
4 FastEthernet interfaces
3 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
Configuration register is 0x2102
Code:
!
! Last configuration change at 04:18:08 UTC Tue Oct 26 2010 by valery
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4185159336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4185159336
revocation-check none
rsakeypair TP-self-signed-4185159336
!
!
crypto pki certificate chain TP-self-signed-4185159336
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXX
quit
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
clns routing
!
!
license udi pid C3900-SPE150/K9 sn FOC14053VPM
license boot module c3900 technology-package datak9 disable
!
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
username valery privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description LAN
ip address 192.168.1.254 255.255.255.0
ip nat enable
ip policy route-map REDIRECTOR
duplex auto
speed auto
no cdp enable
!
!
interface FastEthernet0/0/0
no ip address
duplex auto
speed auto
no cdp enable
!
!
interface FastEthernet0/0/0.1
encapsulation dot1Q 43
pppoe enable group 1
pppoe-client dial-pool-number 1
no keepalive
no cdp enable
!
interface FastEthernet0/0/1
no ip address
duplex auto
speed auto
pppoe enable group 2
pppoe-client dial-pool-number 2
no keepalive
no cdp enable
!
!
interface Dialer1
description WAN1-APLUS
ip address negotiated
ip mtu 1492
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp eap refuse
ppp chap hostname XXXXXXXXX
ppp chap password 0 XXXXXXXXXXXXXX
ppp chap refuse
ppp ms-chap refuse
ppp ms-chap-v2 refuse
ppp pap sent-username XXXXXXXX password 0 XXXXXXX
no cdp enable
!
!
interface Dialer2
description WAN2-STK
ip address negotiated
ip mtu 1492
ip nat enable
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username XXXXXXXX password 0 XXXXXXXXXX
no cdp enable
!
!
ip local policy route-map REDIRECTOR
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool SRV1_PAT 192.168.1.254 192.168.1.254 prefix-length 24
ip nat source list ISP1-FORWARD pool SRV1_PAT overload
ip nat source list ISP1-IPERF interface Dialer1 overload
ip nat source list ISP2-FORWARD pool SRV1_PAT overload
ip nat source list ISP2-IPERF interface Dialer2 overload
ip nat source route-map W1-NAT interface Dialer1 overload
ip nat source route-map W2-NAT interface Dialer2 overload
ip nat source static tcp 192.168.1.40 5001 YY.YY.YY.5 5001 extendable
ip nat source static tcp XX.XX.XX.88 5001 YY.YY.YY.5 5002 extendable
ip nat source static tcp 192.168.1.40 5001 ZZ.ZZ.ZZ.244 5001 extendable
ip nat source static tcp XX.XX.XX.88 5001 ZZ.ZZ.ZZ.244 5002 extendable
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.50.0 255.255.255.0 192.168.1.240
!
ip access-list extended ISP1-FORWARD
permit tcp any host YY.YY.YY.5 eq 5001
ip access-list extended ISP1-IPERF
permit tcp any host YY.YY.YY.5 eq 5002
ip access-list extended ISP2-FORWARD
permit tcp any host ZZ.ZZ.ZZ.244 eq 5001
ip access-list extended ISP2-IPERF
permit tcp any host ZZ.ZZ.ZZ.244 eq 5002
ip access-list extended NAT-ALLOW
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VAJ
permit tcp host 192.168.1.40 any eq www
ip access-list extended WAN1IP
permit ip host YY.YY.YY.5 any
ip access-list extended WAN2IP
permit ip host ZZ.ZZ.ZZ.244 any
!
!
!
!
!
route-map REDIRECTOR permit 10
match ip address VAJ
set interface Dialer1
!
route-map REDIRECTOR permit 20
match ip address WAN1IP
set interface Dialer1
!
route-map REDIRECTOR permit 30
match ip address WAN2IP
set interface Dialer2
!
route-map W1-NAT permit 20
match ip address NAT-ALLOW
match interface Dialer1
!
route-map W2-NAT permit 10
match ip address NAT-ALLOW
match interface Dialer2
!
route-map ALL-ISP permit 10
match ip address WAN1IP
set ip next-hop 10.10.10.1
!
route-map ALL-ISP permit 20
match ip address WAN2IP
set ip next-hop 213.228.116.163
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 858
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Code:
#sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.1.254 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
FastEthernet0/0/0 unassigned YES NVRAM up up
FastEthernet0/0/0.1 unassigned YES unset up up
FastEthernet0/0/1 unassigned YES NVRAM up up
FastEthernet0/1/0 unassigned YES NVRAM administratively down down
FastEthernet0/1/1 unassigned YES NVRAM administratively down down
Dialer1 YY.YY.YY.5 YES IPCP up up
Dialer2 ZZ.ZZ.ZZ.244 YES IPCP up up
NVI0 192.168.1.254 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 unassigned YES unset up up
It shows that NAT seems to be fine:
Code:
*Oct 28 03:09:36.099: NAT: TCP s=38692, d=5002->5001
*Oct 28 03:09:36.099: NAT: s=XX.XX.XX.88->YY.YY.YY.5, d=YY.YY.YY.5 [4591]
*Oct 28 03:09:36.099: NAT: s=YY.YY.YY.5, d=YY.YY.YY.5->XX.XX.XX.88 [4591]
Code:
#sh ip nat nvi tr
Pro Source global Source local Destin local Destin global
tcp YY.YY.YY.5:5002 XX.XX.XX.88:5001 --- ---
tcp YY.YY.YY.5:51856 XX.XX.XX.88:51856 YY.YY.YY.5:5002 XX.XX.XX.88:5001
tcp YY.YY.YY.5:5001 192.168.1.40:5001 --- ---
Can you tell me what to fix in the config?
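An added illustration, not code from the post and not IOS: a small Python model of the two rewrites the configuration above defines for a packet arriving at YY.YY.YY.5:5002. It reduces IOS NVI NAT to two steps, the reverse of the static entry (destination rewrite) and the route-map PAT on the egress dialer (source rewrite), and shows which access list gates the second step. The masked addresses are replaced with RFC 5737/2544 substitutes so they can be parsed, the outside client address is constructed, and the "widened" NAT-ALLOW list is an assumption added for comparison, not something on the page.

```python
import ipaddress
from dataclasses import dataclass, replace

# Address substitutes for the masked values in the post (RFC 5737/2544 ranges,
# chosen here so the ipaddress module can parse them):
#   YY.YY.YY.5   -> 203.0.113.5   (Dialer1 / WAN1 address)
#   ZZ.ZZ.ZZ.244 -> 192.0.2.244   (Dialer2 / WAN2 address)
#   XX.XX.XX.88  -> 198.51.100.88 (outside host the port is forwarded to)
WAN1, WAN2, FWD_HOST = "203.0.113.5", "192.0.2.244", "198.51.100.88"
LAN_SERVER = "192.168.1.40"
OUTSIDE_CLIENT = "198.18.0.7"   # constructed: an arbitrary client on the internet


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# The "ip nat source static tcp <local> <lport> <global> <gport> extendable" lines,
# keyed by the global side because inbound traffic is matched on its destination.
STATIC_TCP = {
    (WAN1, 5001): (LAN_SERVER, 5001),
    (WAN1, 5002): (FWD_HOST, 5001),
    (WAN2, 5001): (LAN_SERVER, 5001),
    (WAN2, 5002): (FWD_HOST, 5001),
}

# "ip nat source route-map W1-NAT interface Dialer1 overload" (and W2-NAT/Dialer2):
# the overload address is the egress dialer's own negotiated address.
DIALER_ADDR = {"Dialer1": WAN1, "Dialer2": WAN2}

# ip access-list extended NAT-ALLOW: permit ip 192.168.1.0 0.0.0.255 any
NAT_ALLOW_PAGE = [("192.168.1.0/24", "0.0.0.0/0")]

# Constructed, not on the page: the same list widened with a second entry that
# also permits traffic bound for the forwarded host, so a relayed outside client
# falls under the overload rule as well.
NAT_ALLOW_WIDENED = NAT_ALLOW_PAGE + [("0.0.0.0/0", FWD_HOST + "/32")]


def acl_permits(acl, pkt):
    """Extended-ACL style match on (source network, destination network) pairs."""
    s, d = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    return any(s in ipaddress.ip_network(src) and d in ipaddress.ip_network(dst)
               for src, dst in acl)


def inbound_static(pkt):
    """Reverse direction of a static source translation: rewrite the destination
    from the global address/port to the local one, or pass the packet through."""
    local = STATIC_TCP.get((pkt.dst_ip, pkt.dst_port))
    return pkt if local is None else replace(pkt, dst_ip=local[0], dst_port=local[1])


def egress_pat(pkt, egress, acl, pat_port=1024):
    """Policy NAT on the way out: only a source the ACL permits is overloaded onto
    the egress dialer's address; anything else leaves with its original source."""
    if not acl_permits(acl, pkt):
        return pkt
    return replace(pkt, src_ip=DIALER_ADDR[egress], src_port=pat_port)


def relay(pkt, egress, acl):
    """Both rewrites in order: static destination NAT, then policy PAT on egress."""
    return egress_pat(inbound_static(pkt), egress, acl)


def reply_returns_via_router(pkt):
    """A relayed packet only has a usable return path if its source address is one
    the router owns; otherwise the forwarded host answers the client directly and
    the TCP session is asymmetric."""
    return pkt.src_ip in DIALER_ADDR.values()


if __name__ == "__main__":
    inbound = Packet(OUTSIDE_CLIENT, 40000, WAN1, 5002)
    for name, acl in (("NAT-ALLOW as on the page", NAT_ALLOW_PAGE),
                      ("NAT-ALLOW widened (constructed)", NAT_ALLOW_WIDENED)):
        out = relay(inbound, "Dialer1", acl)
        print(f"{name}: {out}  reply via router: {reply_returns_via_router(out)}")
```

With the access list as it stands on the page, the model rewrites the destination but leaves the outside client's source address untouched, because NAT-ALLOW only permits 192.168.1.0/24 sources; the check on the real router is whether the `sh ip nat nvi tr` output above ever shows an entry whose source local is the outside client. Two details the model deliberately leaves out: the two equal default routes mean the relayed packet may leave via Dialer2, where W2-NAT would overload onto ZZ.ZZ.ZZ.244 instead, and the exact order in which IOS applies NVI translations to a packet that enters and leaves the same dialer is not reproduced here.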