Today's Topics:

   1. Some problems with NAT enhanced in SE600
      (???????? ????? ???????????)
   2. Re: Some problems with NAT enhanced in SE600 (Rafal)
   3. Re: Some problems with NAT enhanced in SE600 (Dmitry)
   4. Re: Some problems with NAT enhanced in SE600 (Dmitry)


----------------------------------------------------------------------

Message: 1
Date: Mon, 07 Nov 2016 11:12:39 +0300
From: ???????? ????? ???????????  <roma...@serdi.ru>
To: redback-nsp <redback-nsp@puck.nether.net>
Subject: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <883031478506...@web15m.yandex.ru>
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: 
<https://puck.nether.net/pipermail/redback-nsp/attachments/20161107/f8b07ff4/attachment-0001.html>

------------------------------

Message: 2
Date: Mon, 7 Nov 2016 10:34:45 +0100
From: Rafal <go...@mtm-info.pl>
To: ???????? ????? ???????????  <roma...@serdi.ru>, redback-nsp
        <redback-nsp@puck.nether.net>
Subject: Re: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <7310727574.20161107103...@mtm-info.pl>
Content-Type: text/plain; charset="utf-8"

Hello ????????,

That's how enhanced NAT works.
Because enhanced NAT forces connections to use router-supplied port ranges, some
software will not work.
I prefer to stick with normal NAT.
If you need logging, then use a single address for each NAT subnet, and then add
a flow profile in the subscriber default section, like
flow apply ip profile logprofile both

and:
!
flow collector SubsLog
 ip-address ipaddress context colectorcontext
 port mycollectorport
 export-version v5
 transport-protocol udp
 ip profile logprofile
!

ip nat pool ip_lan1_nat napt multibind
 address publicip/32 port-block 1 to 15

!
nat policy ip_lan1_nat_policy
! Default class
 ignore
 endpoint-independent filtering udp
 inbound-refresh udp
 icmp-notification
! Named classes
 access-group NATACL
  class NAT
   pool ip_lan1_nat mycontext
   timeout tcp 6000
   endpoint-independent filtering udp
   inbound-refresh udp
   icmp-notification
  class NATLESS
   ignore
   inbound-refresh udp
   icmp-notification
!


Put your DNS servers and the local network devices you need in NATLESS.
Using enhanced NAT you can NAT like 2000 users per single card and then you
run out of microblocks on the card, because every subscriber has reserved port
ranges and an amount of possible open connections even if he only activates and
does nothing.

Rafal





Monday, November 7, 2016, 9:12:39 AM, you wrote:


Here is my NAT config 
local]Redback#sh configuration nat
Building configuration...
Current configuration:
!
context local
!
nat logging-profile NAT_LOG_RUBTSOVSK
export-version v9
destination 192.168.0.40 port 9996
!
context local
!
ip nat pool NAPT-pool-1 napt paired-mode
paired-mode subscriber over-subscription 10 port-limit 6000
address 41.215.233.161 to 41.215.233.190
exclude well-known
!
context local
!
policy access-list NAT-acl
seq 10 permit ip 192.168.128.0 0.0.127.255 any class NATclass1
seq 20 permit ip any any class NO_NAT
!
nat policy NAT-1 enhanced
connections tcp maximum 2000
connections udp maximum 2000
connections icmp maximum 30
! Default class
ignore
timeout tcp 1800
timeout udp 60
timeout fin-reset 60
timeout icmp 30
timeout syn 60
timeout basic 300
timeout abandoned 1800
admission-control tcp
admission-control udp
admission-control icmp
endpoint-independent filtering tcp
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
! Named classes
access-group NAT-acl
class NATclass1
pool NAPT-pool-1 local
timeout tcp 18000
timeout udp 60
timeout fin-reset 60
timeout icmp 30
timeout syn 60
timeout abandoned 1800
endpoint-independent filtering tcp
endpoint-independent filtering udp
inbound-refresh udp
icmp-notification
class NO_NAT
ignore
inbound-refresh udp
icmp-notification
!
end
With such a config we have a problem with Skype - no connection - even the test
connection!
Problems with online games such as Steam, Dota, etc...
With a public IP (no NAT) everything is OK - Skype, games and so on....
What have I forgotten?
------------------------------------------------
? ????????? ???????? ?????
??????????? ????????
??? "????? ???????"
???. +7 87951 35529
       +7 9624 335529
???? ????????
www.serdi.ru



-- 
Best regards,
Ozga Rafal                          mailto:go...@mtm-info.pl
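
A collector-side sketch for the logging approach in Rafal's message above (flow export with export-version v5 over UDP). This is an added example, not code from the thread or from the vendor: the record layout is the standard NetFlow v5 one, and the helper names, the sample datagram and the assumption that exported flows carry the subscriber's private source address are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    version, count, uptime_ms, secs = HDR.unpack_from(datagram)[:4]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    # v5 carries at most 30 records; reject truncated or padded datagrams
    if not 1 <= count <= 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "packets": f[5], "octets": f[6],
            # first/last are router uptime in ms; convert to epoch seconds
            "start": secs - (uptime_ms - f[7]) / 1000,
            "end": secs - (uptime_ms - f[8]) / 1000,
        })
    return flows

def sources_for(flows, dst, dport, when):
    """Source addresses with a flow to dst:dport active at epoch time `when`."""
    return sorted({f["src"] for f in flows
                   if f["dst"] == dst and f["dport"] == dport
                   and f["start"] <= when <= f["end"]})

def sample_datagram():
    """Constructed export: two flows from made-up hosts in 192.168.128.0/17."""
    def rec(src, dst, sport, dport, proto, first, last):
        return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                        bytes(4), 1, 2, 10, 1200, first, last, sport, dport,
                        0, 0x18, proto, 0, 0, 0, 0, 0, 0)
    hdr = HDR.pack(5, 2, 600_000, 1478506359, 0, 1, 0, 0, 0)
    return (hdr
            + rec("192.168.128.10", "203.0.113.5", 50000, 443, 6, 540_000, 590_000)
            + rec("192.168.130.7", "203.0.113.5", 50001, 443, 6, 100_000, 200_000))

if __name__ == "__main__":
    print(sources_for(parse_v5(sample_datagram()), "203.0.113.5", 443, 1478506320))
```

With one public address per NAT subnet, a lookup like `sources_for` over the stored flows is what maps an outside report (destination, port, time) back to a single inside address.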

------------------------------

Message: 3
Date: Mon, 7 Nov 2016 12:58:13 +0300
From: Dmitry <dmi...@zhigulinet.ru>
To: ???????? ????? ??????????? <roma...@serdi.ru>, redback-nsp
        <redback-nsp@puck.nether.net>
Subject: Re: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <34a25023-fcdb-4eea-4c4b-8b38b8cd3...@zhigulinet.ru>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hello, show all config and show version


On 07.11.2016 11:12, ???????? ????? ??????????? wrote:
>
> Here is my NAT config
>
> local]Redback#sh configuration nat
>
> Building configuration...
>
> Current configuration:
> !
> context local
> !
> nat logging-profile NAT_LOG_RUBTSOVSK
> export-version v9
> destination 192.168.0.40 port 9996
> !
> context local
> !
> ip nat pool NAPT-pool-1 napt paired-mode
> paired-mode subscriber over-subscription 10 port-limit 6000
> address 41.215.233.161 to 41.215.233.190
> exclude well-known
> !
> context local
> !
> policy access-list NAT-acl
> seq 10 permit ip 192.168.128.0 0.0.127.255 any class NATclass1
> seq 20 permit ip any any class NO_NAT
> !
> *nat policy NAT-1 enhanced*
> connections tcp maximum 2000
> connections udp maximum 2000
> connections icmp maximum 30
> ! Default class
> ignore
> timeout tcp 1800
> timeout udp 60
> timeout fin-reset 60
> timeout icmp 30
> timeout syn 60
> timeout basic 300
> timeout abandoned 1800
> admission-control tcp
> admission-control udp
> admission-control icmp
> *endpoint-independent filtering tcp*
> *endpoint-independent filtering udp*
> inbound-refresh udp
> icmp-notification
> ! Named classes
> access-group NAT-acl
> class NATclass1
> pool NAPT-pool-1 local
> timeout tcp 18000
> timeout udp 60
> timeout fin-reset 60
> timeout icmp 30
> timeout syn 60
> timeout abandoned 1800
> *endpoint-independent filtering tcp*
> *endpoint-independent filtering udp*
> inbound-refresh udp
> icmp-notification
> class NO_NAT
> ignore
> inbound-refresh udp
> icmp-notification
> !
> end
>
> With such a config we have a problem with Skype - no connection - even
> the test connection!
> Problems with online games such as Steam, Dota, etc...
> With a public IP (no NAT) everything is OK - Skype, games and so on....
> What have I forgotten?
> ------------------------------------------------
> ? ????????? ???????? ?????
> ??????????? ????????
> ??? "????? ???????"
> ???. +7 87951 35529
>         +7 9624 335529
> ???? ????????
> www.serdi.ru
>
>
> _______________________________________________
> redback-nsp mailing list
> redback-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/redback-nsp


------------------------------

Message: 4
Date: Mon, 7 Nov 2016 12:58:54 +0300
From: Dmitry <dmi...@zhigulinet.ru>
To: ???????? ????? ??????????? <roma...@serdi.ru>, redback-nsp
        <redback-nsp@puck.nether.net>
Subject: Re: [rbak-nsp] Some problems with NAT enhanced in SE600
Message-ID: <82d0ad30-fc5a-cbb4-b36e-ec9b69012...@zhigulinet.ru>
Content-Type: text/plain; charset="utf-8"; Format="flowed"


and show problem subscriber

show subscriber active username test_user



------------------------------

Subject: Digest Footer

_______________________________________________
redback-nsp mailing list
redback-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/redback-nsp


------------------------------

End of redback-nsp Digest, Vol 105, Issue 1
*******************************************
