Materials
Book: Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) Foundation Learning Guide: Foundation learning for the CCNP TSHOOT 642-832, by Amir Ranjbar.
Book ISBN-10: 1-58705-876-6, ISBN-13: 978-1-58705-876-9
eBook ISBN-10: 1-58714-170-1, ISBN-13: 978-1-58714-170-6
NAT/PAT Operation

NAT Example (figure): in step 1, inside host 10.0.0.3 sends a packet to 128.23.2.2; after translation the packet leaves with source address 179.9.8.80 and destination address 128.23.2.2. In step 4, the reply from 128.23.2.2 addressed to 179.9.8.80 is translated back to destination 10.0.0.3.

PAT Example (figure): in step 1, two inside hosts, 10.0.0.3 (source port 1331) and 10.0.0.2 (source port 1555), both send to 128.23.2.2 on port 80; after translation both packets carry the single global source address 179.9.8.80 and are distinguished only by their translated source ports (3333 and 2222). In step 4, the replies from 128.23.2.2 port 80 to 179.9.8.80 ports 3333 and 2222 are translated back to the original inside addresses and ports (10.0.0.3 port 1331 and 10.0.0.2 port 1555).
Static NAT: local and global addresses are mapped one to one.
Dynamic NAT: local addresses are translated to a group or pool of global addresses. This is still a one-to-one translation once a global address has been selected.
NAT overloading: a special type of dynamic NAT in which addresses are translated in a many-to-many fashion. Also known as PAT, or Port Address Translation.
Dynamic NAT
Example: we want NAT to allow the first 31 hosts from each subnet on the inside to communicate with devices on the outside using a public IP address.
Note: we will use the 172.16.10.0/24 network to simulate a public address.
Range of public addresses: 172.16.10.1 through 172.16.10.63
(figure: inside hosts translated to 172.16.10.1, 172.16.10.2, 172.16.10.3, 172.16.10.4)

interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
ip nat inside source list 7 pool no-overload
! Indicates that any packets received on the inside interface that
! are permitted by access list 7
! will have the source address translated to an address out of the
! NAT pool "no-overload".
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
! Access list 7 permits packets with source addresses ranging from
! 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
! Defines a NAT pool named no-overload with a range of addresses
! 172.16.10.1 - 172.16.10.63
(figure: all inside hosts translated to the single global address 172.16.10.1)

interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
ip nat inside source list 7 pool OVERLOAD overload
!
! Indicates that any packets received on the inside interface that
! are permitted by access list 7 will have the source address
! translated to an address out of the NAT pool named OVERLOAD.
! Translations will be overloaded, which will allow multiple inside
! devices to be translated to the same valid IP address.
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
! Access list 7 permits packets with source addresses ranging from
! 10.10.10.0 through 10.10.10.31 and 10.10.20.0 through 10.10.20.31.
ip nat pool OVERLOAD 172.16.10.1 172.16.10.1 prefix 24
!
! Defines a NAT pool named OVERLOAD with a range of a single IP
! address, 172.16.10.1.
(figure: global addresses 172.16.131.1 (static translation) and 172.16.131.2 (overloaded pool))

interface e0
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
interface s0
 ip address 172.16.130.2 255.255.255.0
 ip nat outside
ip nat inside source list 7 pool test overload
ip nat inside source static 10.10.10.1 172.16.131.1
access-list 7 permit 10.10.10.0 0.0.0.255
ip nat pool test 172.16.131.2 172.16.131.2 netmask 255.255.255.0
Other examples:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic1
Some applications or protocols conflict directly with Network Address Translation (NAT) or Port Address Translation (PAT).
Example: IPsec Virtual Private Networks (VPN)
IPsec protocols encapsulate the original IP packet.
The protocol type in the IP header changes (to ESP or AH).
There is no TCP or UDP header next to the IP header.
This means that there is no port number for NAT/PAT to translate.
Some mechanisms have been invented to allow IPsec and NAT to coexist. Those mechanisms include:
NAT Transparency or NAT traversal
IPsec over TCP
IPsec over UDP
In certain cases you may still be required to disable NAT for VPN traffic, or create exceptions for it.
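The PAT figure and the IPsec conflict described above, as an added example that is not part of the original slides: a minimal model of an overload translation table using the figure's addresses (10.0.0.3, 10.0.0.2 and the shared global address 179.9.8.80). The port allocator starting at 1024 and the packet-dict layout are this example's own assumptions, not IOS behaviour.

```python
# Added example, not from the TSHOOT slides: a minimal model of PAT (NAT
# overload). Addresses follow the PAT figure; the port allocator and the
# handling of portless protocols (ESP/AH) are this example's own choices.
from dataclasses import dataclass, field

@dataclass
class Pat:
    global_ip: str                 # the single global address being overloaded
    next_port: int = 1024          # first translated source port to hand out
    table: dict = field(default_factory=dict)  # (inside ip, port, proto) -> global port

    def outbound(self, pkt):
        """Translate an inside-to-outside packet. Returns None when PAT cannot
        translate it, which is the IPsec case: ESP/AH have no TCP/UDP header,
        hence no port for the translation table to key on."""
        if pkt["proto"] not in ("tcp", "udp"):
            return None
        key = (pkt["sa"], pkt["sp"], pkt["proto"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return dict(pkt, sa=self.global_ip, sp=self.table[key])

    def inbound(self, pkt):
        """Translate a reply addressed to the global address back to the inside
        host. Returns None for unsolicited traffic (no matching entry)."""
        if pkt.get("da") != self.global_ip:
            return None
        for (ip, port, proto), gport in self.table.items():
            if proto == pkt["proto"] and pkt["dp"] == gport:
                return dict(pkt, da=ip, dp=port)
        return None

def demo():
    """Two inside hosts share 179.9.8.80; an ESP packet cannot be translated."""
    pat = Pat("179.9.8.80")
    h3 = pat.outbound({"proto": "tcp", "sa": "10.0.0.3", "sp": 1331, "da": "128.23.2.2", "dp": 80})
    h2 = pat.outbound({"proto": "tcp", "sa": "10.0.0.2", "sp": 1555, "da": "128.23.2.2", "dp": 80})
    reply = pat.inbound({"proto": "tcp", "sa": "128.23.2.2", "sp": 80, "da": "179.9.8.80", "dp": h2["sp"]})
    esp = pat.outbound({"proto": "esp", "sa": "10.0.0.3", "da": "128.23.2.2"})
    return h3, h2, reply, esp

if __name__ == "__main__":
    for p in demo():
        print(p)
```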
Troubleshooting Common NAT/PAT Issues
Some of the important NAT issues and considerations to keep in mind are:
Have a diagram of the NAT configuration.
ACLs are used to tell the NAT device what source IP addresses are to be translated.
IP NAT pools are used to specify what those addresses translate to.
Marking the IP NAT inside interfaces and the IP NAT outside interfaces correctly is very important.
NAT packets still have to obey routing protocols and reachability rules, so make sure that every router knows how to reach the desired destinations.
The only entry in the NAT translation table is the static translation for R1's
Fa0/0 interface 10.10.10.1 into 172.16.6.1.
This translation may be causing the problem.
Typical issues with static translations occur when:
there is no route back to the statically translated address, or
when the statically selected global address overlaps with an available
address in the dynamic address pool.
R3# debug ip icmp
ICMP packet debugging is on
23 13:54:00.556: ICMP: echo reply sent, src 172.16.11.3, dst 172.16.6.1
23 13:54:02.552: ICMP: echo reply sent, src 172.16.11.3, dst 172.16.6.1
23 13:54:04.552: ICMP: echo reply sent, src 172.16.11.3, dst 172.16.6.1
23 13:54:06.552: ICMP: echo reply sent, src 172.16.11.3, dst 172.16.6.1
23 13:54:07.552: ICMP: echo reply sent, src 172.16.11.3, dst 172.16.6.1
The next step is to verify whether packets leaving R1 actually reach R3.
This helps us discover whether the problem is with NAT or is a routing problem.
Use ICMP debugging on R3 with the debug ip icmp command.
Next, we ping R3 from R1 and observe the output of the debug on R3.
Based on the output of the debug ip icmp command shown, the ICMP echo requests reach R3, but R3's ICMP echo replies do not reach R1.
The NAT translation is working, but there is a routing issue on R3 toward the 172.16.6.0 destination.
R3# show ip route 172.16.6.0 255.255.255.0
% Subnet not in table
R3# configure terminal
R3(config)# ip route 172.16.6.0 255.255.255.0 172.16.11.2
R3(config)# exit
R1# ping 172.16.11.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
We are told that administrators are unable to use Secure Shell (SSH) from the 10.10.10.0/24 network to routers R3 or R4, but they can reach them (ping, etc.) from the R1 loopbacks.
The routing protocol used is single-area OSPF.
Our mission is to restore end-to-end connectivity and make sure SSH is operational to support management processes.
Focus on R3: the output of show ip int serial 0/1/0 shows that an access list called FIREWALL-INBOUND is applied to interface serial 0/1/0 in the inbound direction.
The show access-lists command shows that the access list looks correct: statement number 30 permits TCP connections to 172.16.11.3 on TCP port 22 (SSH).
We have to find out which device translated the port number from 22 to 2222.
The prime suspect is NAT on R2.
Cautiously, we use debug ip nat on R2 and re-attempt SSH from R1 to R3.
To confirm our findings, we also enter the show ip nat translations command on R2.
The SSH traffic arrives at R3 on TCP port 2222 (the destination port, not the NAT source port), but the access list on R3 only permits TCP port 22.
The problem was not the NAT configuration, but a lack of synchronization between the configuration teams:
the configuration on R2 maps the port to a custom port (2222), but the access-list configuration on R3 did not consider or account for the custom port.
We need to correct FIREWALL-INBOUND on R3.
R3# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)# ip access-list exten FIREWALL-INBOUND
R3(config-ext-nacl)# permit tcp any host 172.16.11.3 eq 2222
R3(config-ext-nacl)# end
R3#
R1# ssh -l user 172.16.11.3
Password:
*Aug 23 16:30:42.604: TCP: Random local port generated 43884, network 1
*Aug 23 16:30:26.604: TCB63BF854C created
*Aug 23 16:30:26.604: TCB63BF854C bound to UNKNOWN.43884
*Aug 23 16:30:26.604: TCB63BF854C setting property TCP_TOS (11) 62AF6D55
*Aug 23 16:30:26.604: Reserved port 43884 in Transport Port Agent for TCP IP type 1
*Aug 23 16:30:26.604: TCP: sending SYN, seq 1505095793, ack 0
*Aug 23 16:30:26.604: TCP0: Connection to 172.16.11.3:22, advertising MSS 536
*Aug 23 16:30:26.608: TCP0: state was CLOSED -> SYNSENT [43884 -> 172.16.11.3(22)]
*Aug 23 16:30:26.608: TCP0: state was SYNSENT -> ESTAB [43884 -> 172.16.11.3(22)]
*Aug 23 16:30:26.608: TCP: tcb 63BF854C connection to 172.16.11.3:22, peer MSS 536, MSS is 536
*Aug 23 16:30:26.608: TCB63BF854C connected to 172.16.11.3.22
The SSH attempt is successful now. The problem was not the NAT configuration: R2 was mapping the port to a custom port (2222), but the access-list configuration on R3 did not consider or account for the custom port.
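The NAT/ACL mismatch above, as an added example that is not part of the original slides: a small checker that applies an upstream destination-port mapping to a flow and then evaluates it against the inbound ACL, so the two teams' configurations can be verified together. The ACL lines are the page's FIREWALL-INBOUND entries; the 22 to 2222 mapping on R2 is taken from the text, its IOS syntax is not shown on the page and is modelled here as a plain dict.

```python
# Added example, not from the TSHOOT slides: does a flow still pass R3's
# inbound ACL once R2's static port mapping has been applied to it?
import ipaddress

def parse_ace(line):
    """Parse 'permit|deny tcp|udp|ip any|host A.B.C.D [eq N]' (the subset of
    extended ACL syntax used on the page) into a dict."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "dst": None, "port": None}
    i = 2
    i += 2 if t[i] == "host" else 1          # skip the source clause
    if t[i] == "host":
        ace["dst"] = ipaddress.ip_network(t[i + 1] + "/32")
        i += 2
    else:
        i += 1                               # 'any'
    if i < len(t) and t[i] == "eq":
        ace["port"] = int(t[i + 1])
    return ace

def acl_action(acl, flow):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", flow["proto"]):
            continue
        if ace["dst"] is not None and ipaddress.ip_address(flow["dst"]) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != flow["dport"]:
            continue
        return ace["action"]
    return "deny (implicit)"

def after_nat(flow, port_map):
    """Apply a static destination-port mapping such as the one on R2."""
    new_port = port_map.get((flow["dst"], flow["dport"]), flow["dport"])
    return dict(flow, dport=new_port)

R2_PORT_MAP = {("172.16.11.3", 22): 2222}     # assumed model of R2's mapping
SSH_FROM_R1 = {"proto": "tcp", "dst": "172.16.11.3", "dport": 22}

ACL_BEFORE = ["permit tcp any host 172.16.11.3 eq 22"]           # statement 30
ACL_AFTER = ACL_BEFORE + ["permit tcp any host 172.16.11.3 eq 2222"]  # the fix

def check(acl):
    """What R3's ACL does with the SSH flow as it actually arrives (post-NAT)."""
    return acl_action(acl, after_nat(SSH_FROM_R1, R2_PORT_MAP))

if __name__ == "__main__":
    print("before fix:", check(ACL_BEFORE), "/ after fix:", check(ACL_AFTER))
```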
Reviewing DHCP Operation
These messages are the most helpful to know during the troubleshooting process, for example:
DHCPDECLINE (client-to-server message): the client has discovered through some other means that the IP address is already in use.
DHCPNAK: the DHCP server refuses the request for a certain configuration parameter.
Router(config-if)# ip helper-address address
Another issue related to the DHCP relay agent is that enabling the ip helper-address interface command on a router interface also determines which broadcast packets and which protocols are forwarded.
address: destination broadcast or host address to be used when forwarding UDP broadcasts.
It forwards six protocols (not just DHCP):
TFTP (port 69)
DNS (port 53)
Time Service (port 37)
NetBIOS Name Service and Datagram Service (ports 137 and 138)
TACACS (port 49)
DHCP/BOOTP Client and Server (ports 67 and 68)
If other protocols do not require this service, forwarding of their requests should be disabled using the no ip forward-protocol udp port-number global configuration command.
R1 provides DHCP services to the clients in the 10.1.1.0 subnet. (Not R4)
The DHCP clients in this example are routers R2 and R3.
It is reported that R1 is no longer providing reliable DHCP services:
The clients are unable to renew their IP addresses.
(figure: show ip interface brief output from R2 and from R3; on each router the first interface is up/up with Method DHCP, and the three remaining interfaces are NVRAM and administratively down/down)
Check R2 and R3 to make sure that they are configured as DHCP clients.
The output of the show ip interfaces brief command shows that interface fa0/0 is configured as a DHCP client and it shows an unassigned IP address.
Because multiple clients are having the same problem, it is reasonable to suspect that the problem originates elsewhere.
(figure: show ip interface brief output; the first interface is up/up with Method manual, and the three remaining interfaces are NVRAM and administratively down/down)
DHCP Troubleshooting Example 1 Cont.
R1# show ip dhcp server statistics
Memory usage         9106
Address pools        1
Database agents      0
Automatic bindings   0
Manual bindings      0
Expired bindings     0
Malformed messages   0
Secure arp entries   0

Message
BOOTREQUEST
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM

Message
BOOTREPLY
DHCPOFFER
DHCPACK
DHCPNAK
DHCP Troubleshooting Example 1 Cont.
R1# sh ip dhcp pool
Pool vlan10 :
 Utilization mark (high/low)    : 100/0
 Subnet size (first/next)       : 0/0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.1.1.12            10.1.1.1         - 10.1.1.254       0
DHCP Troubleshooting Example 1 Cont.
(figure: show ip sockets output on R1, columns Proto, Remote, Port, Local, Port, In, Out, Stat, TTY, OutputIF; the listed local ports are 10, 161, 162, 57767, 161, 162 and 60739, with no entry for port 67)
We use the show ip sockets command to see the active ports on R1, the DHCP server.
The show ip sockets command is not frequently used by network administrators, but it is very handy for monitoring the open ports on a router.
There is no entry for UDP port 67 (DHCP server).
This is certainly a problem.
DHCP Troubleshooting Example 1 Cont.
R1# conf t
R1(config)# service dhcp
R1# show ip sockets
(figure: the show ip sockets listing now contains an additional --listen-- entry for protocol 17 (UDP) on port 67, alongside the earlier entries for ports 10, 161, 162, 57767, 161, 162 and 60739)
DHCP Troubleshooting Example 2 Cont.
(figure: show ip dhcp conflict output on R1 with Detection time and VRF columns; eleven conflicting addresses detected between Aug 23 2009 06:28 PM and 06:29 PM)
The show ip dhcp conflict command tells us whether the DHCP server has found overlap or duplication in the IP addresses it has assigned.
One of the many conflicting addresses is 10.1.1.1, which is the new IP address of router R1 (the DHCP server itself) on interface fa0/0.
However, we know that the DHCP server should not hand out its own IP address to its clients!
Many devices such as servers and printers are usually not configured as DHCP clients and have static IP addresses.
If their addresses are not excluded from the DHCP dynamic pool, there will definitely be conflicts.
We must check and verify which IP addresses are being excluded on R1, the DHCP server.
We do that using the show running | include excluded command.
The only IP address excluded from the DHCP dynamic pool is 10.1.1.100, which is R1's old address.
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# no ip dhcp excluded-address 10.1.1.100
R1(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.20
R1(config)# end
R1#
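The exclusion check above, as an added example that is not part of the original slides: a configuration audit that finds statically addressed interfaces lying inside a DHCP pool's network without a covering ip dhcp excluded-address range. The configuration text is constructed to mirror R1 before and after the fix; the interface names and the 10.1.1.0/24 pool network are assumptions, since the page shows only the pool name and the excluded address.

```python
# Added example, not from the TSHOOT slides: audits an IOS DHCP server config
# for static interface addresses inside the pool that are not excluded.
import ipaddress
import re

# Constructed config modelled on R1 in Example 2 (interface names assumed).
R1_BEFORE = """
ip dhcp excluded-address 10.1.1.100
ip dhcp pool vlan10
 network 10.1.1.0 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 ip address dhcp
"""

def parse(config):
    """Return (pool networks, excluded (low, high) ranges, static interface addresses)."""
    pools, excluded, static = [], [], []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"network (\S+) (\S+)$", line):
            pools.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            lo = ipaddress.ip_address(m[1])
            excluded.append((lo, ipaddress.ip_address(m[2]) if m[2] else lo))
        elif m := re.match(r"ip address (\d\S+) \S+$", line):   # skips 'ip address dhcp'
            static.append(ipaddress.ip_address(m[1]))
    return pools, excluded, static

def unprotected_static_addresses(config):
    """Static addresses inside a DHCP pool that the server may still lease out."""
    pools, excluded, static = parse(config)
    return [
        str(a) for a in static
        if any(a in p for p in pools) and not any(lo <= a <= hi for lo, hi in excluded)
    ]

# The fix from the page: replace the stale exclusion with the server's own range.
R1_AFTER = R1_BEFORE.replace(
    "ip dhcp excluded-address 10.1.1.100",
    "ip dhcp excluded-address 10.1.1.1 10.1.1.20")

if __name__ == "__main__":
    print("before:", unprotected_static_addresses(R1_BEFORE))
    print("after:", unprotected_static_addresses(R1_AFTER))
```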
DHCP Troubleshooting Example 3 Cont.
R1# debug ip udp
UDP packet debugging is on
R1#
R1#
*Aug 23 19:01:05.303: UDP:
length=584
*Aug 23 19:01:05.303: UDP:
dst=192.168.1.255
*Aug 23 19:01:08.911: UDP:
length=584
*Aug 23 19:01:08.911: UDP:
dst=192.168.1.255
*Aug 23 19:01:12.911: UDP:
length=584
*Aug 23 19:01:12.911: UDP:
dst=192.168.1.255
<output omitted>
One of the quickest ways to verify DHCP relay agent operation is the debug ip udp command.
R1 is certainly receiving DHCP requests but is dropping them.
The UDP/IP packets shown have a source address of 0.0.0.0 and a destination address of 255.255.255.255, with source UDP port 68 (DHCP client) and destination UDP port 67 (DHCP server).
The problem could be that the fa 0/0 interface facing the DHCP client is missing the ip helper-address command pointing to 192.168.1.4.
sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
rcvd src=0.0.0.0(68), dst=255.255.255.255(67), length=584
sent src=0.0.0.0(67), dst=255.255.255.255(68), length=308
rcvd src=0.0.0.0(68), dst=192.168.1.4(67), length=584
rcvd src=0.0.0.0(68), dst=192.168.1.4(67), length=584
rcvd src=10.1.1.11(53470), dst=255.255.255.255(69), length=30
rcvd src=10.1.1.11(53470), dst=255.255.255.255(69), length=30
rcvd src=10.1.1.11(53470), dst=255.255.255.255(69), length=29
rcvd src=10.1.1.11(53470), dst=255.255.255.255(69), length=29
rcvd src=10.1.1.11(53470), dst=255.255.255.255(69), length=29
rcvd src=0.0.0.0(68), dst=192.168.1.4(67), length=584
The debug ip udp command on R4 shows that the DHCP requests are being forwarded to R1 and that DHCP messages from the server are being received.
Finally, we verify the status of the DHCP clients, such as R2, in the 10.1.1.0 subnet, and see that they are acquiring IP addresses and other parameters from the DHCP server.
IPv6