思科2821路由器出现的怪现象求大家帮看一下,谢谢~~!

viv#sh run
Building configuration...
" ^% t* k; P! E" g- ~
Current configuration : 1676 bytes
4 Q# R8 G( B( R1 ?!
- O  o* F0 V! z% Y5 A/ Jversion 12.4
service timestamps debug datetime msec
4 b/ H6 l: K  N0 L# dservice timestamps log datetime msec
service password-encryption
! e# K7 d$ E/ y8 L!
hostname viv
, o' U' r4 _7 p! G1 L!
boot-start-marker
boot-end-marker
& c4 \( y9 [& a!
enable password 7 020706585A545C6D
3 p; B. }3 p  [* d8 U!
1 W% \) b( U' wno aaa new-model
!
) n+ w4 s- u; ~, o, Nresource policy
! f3 W: z# p$ b1 m0 _; Z+ N!
!
% h1 L+ X/ H  l!
ip cef
8 E& b' `& ?, \, @- v. P!
; Q& r# r# j. n% T!
!
voice-card 0
$ `! I' _5 a1 Y) n9 [ no dspfarm
9 h4 m/ x" z# b: ?' k& \!
!
. u7 y4 K6 o% I" m5 ^5 A2 j! w!
!
/ X' i+ u. M( i& e; G1 W( p$ H!
2 _5 w0 \; _8 ~" t9 o!
8 N  |0 n0 j& H  Y* h; E1 D3 h!
!
!
5 E+ B2 ^6 X. t) D. F, c9 U; J+ O!
!
!
!
* k  |/ Y* Q" P; n5 e; J1 |* f" i!
!
: z! P3 U0 y2 ^0 R% |!
!
!
# v& J' o, L; R!
  v/ B* V# m" n, ~) u!
interface GigabitEthernet0/0
' y$ b0 a2 s  x0 ] ip address 172.30.30.18 255.255.255.252
ip nat outside
! s* J7 T' [0 z9 N7 G0 w duplex auto
speed auto
!
5 U- N) a) G, t, h3 ]* uinterface GigabitEthernet0/1
ip address 211.111.226.145 255.255.255.248 secondary
ip address 124.190.155.113 255.255.255.248 secondary
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.70
* H( m2 ^3 I4 d7 s  P( A$ V7 ] ip accounting output-packets
ip nat inside
duplex auto
speed auto
& ]6 L7 Q& h2 R6 h$ z!
ip route 0.0.0.0 0.0.0.0 172.30.30.17
, B( F+ S  y' N!
" j) |( r/ S% _% k1 |. x!
+ T3 m. }' ~- Ino ip http server
no ip http secure-server
/ n2 Z% Q5 [7 x" L0 m4 g* pip nat pool viv 211.111.226.150 211.111.226.150 netmask 255.255.255.252
ip nat inside source list 1 pool viv overload
ip nat inside source static tcp 192.168.1.76 443 124.190.155.114 443 extendable
0 I2 `% C! `6 k; Fip nat inside source static tcp 192.168.1.70 3389 124.190.155.115 3389 extendabl
e
9 ?7 m/ ]6 H3 F+ H! m" p% k; N! Rip nat inside source static tcp 192.168.1.77 5756 124.190.155.116 5756 extendabl
- E1 a2 h! a' {' ^e
ip nat inside source static tcp 192.168.1.74 25 124.190.155.117 25 extendable
, v5 f* t7 K" [- j3 @3 \1 Bip nat inside source static tcp 192.168.1.74 110 124.190.155.117 110 extendable
2 o$ x. a0 `+ Y7 |( Q; Pip nat inside source static tcp 192.168.1.74 443 124.190.155.117 443 extendable
* }" J% L$ `, V, x( t5 bip nat inside source static tcp 192.168.1.75 80 124.190.155.118 80 extendable
! U& l/ u! \6 K3 A!
access-list 1 permit 192.168.1.0 0.0.0.255
0 M1 ~6 d6 O6 t6 [, x!
& \4 _6 Q5 e) u) Z/ G!
, [2 u+ n2 s. a# V. G!
# y" r. V1 X' B& g" S& Ycontrol-plane
!
!
!
!
3 f1 W+ Z! b  L0 q, j( M: d3 f. N+ ]+ J!
# y# F3 Z' E; s* e5 [5 ~1 [( V( V!
!
! Z9 W8 o" e. ]* e2 r8 l!
# S  y! Y  ]' y+ Q. `6 Q!
) \' U. R0 i  ?# @7 ^) @line con 0
2 Y& f% K0 J! n# L: u/ g7 X4 Pline aux 0
line vty 0 4
password 7 08204E4D584B565B
# ?+ v% [; l. Y- Q' X/ I$ y( Q login
!
7 o+ u$ ?( z4 `+ n$ wscheduler allocate 20000 1000
!
# ?9 _$ F, o! r0 X3 {end

viv#
' o9 z+ l8 s1 r! ^5 g
事情是这样的,用户有几台服务器需要外网访问,上边是用户的路由器配置,G0/0为外口,G0/1为内口,用户有两段各8个公网IP地址,与ISP用的4个私网地址互联,上联ISP端为华为5700三层交换机,路由设置为
, p+ ~: f- t, m8 s. ~1 R. o, eip route-static 124.190.155.112 255.255.255.248 172.30.30.18
ip route-static 211.111.226.144 255.255.255.248 172.30.30.18
6 r; T3 t) Y2 _$ ^, L5 S1 _9 T; ]& Y目前用户内网有两台可用服务器,IP地址分别为192.168.1.70和192.168.1.77,开启远程桌面连接服务,192.168.1.70用的124.190.155.115作的TCP3389端口映射,而192.168.1.77用的124.190.155.116作的TCP5756端口映射,都可以正常连接,后边的几个地址作好了映射但是服务器没有到位,现在发现一个问题,我在外网(与用户的ISP不是同一个ISP)测试这些地址,发现只有124.190.155.113到116可以ping通,而ping124.190.155.117丢包非常严重,124.190.155.118则根本不通,ping211.111.226.145和当前地址池里的211.111.226.150也可以ping通,如果把124.190.155.118作一地址池则124.190.155.118也可以ping通,本以为没接服务器不能ping通,但是发现124.190.155.114也没有接服务器则可以ping通,不知此问题出在什么地方.把上边远程桌面的124.190.155.116改为124.190.155.118让此服务器通过124.190.155.118则无法打开远程连接.ISP方面也查过上端路由指向及是否存在垃圾路由但均显示是正常的.
) s/ B& q7 s* g  Z/ k  D用户物理结构从ISP华为5700通过一对单模双芯光转换器接到一台H3C的两层交换机再到一台锐捷两层交换机,交换机间使用trunk加VLAN方式连接,在锐捷两层交换机端口上作的限速(用户10M带宽),锐捷设备端对应用户端口接了一点对点微波设备无线打到用户端15楼,再背对背接另一套无线策波设备打到用户端.
这个问题困扰了用户和ISP很久一直未能解决,开始时包括用户网关的所有地址外网均无法ping通,路由器远程也无法telnet,但后来不知怎么这些好了,但是124.190.155.118还是不行,但用户普通上网一直是正常的.上传下载速率也够,ping外网也不丢包....好奇怪.......

更正一下,用户的路由器型号我弄错了,是思科2821,不是2811........
为了尊重用户,用户的公网地址我在这里稍作了些改变.

又发现一个情况,在用户路由器上ping不通124.190.155.118,sh arp也看不到此地址的MAC,其他的地址都可以ping通也能看到MAC地址,clear arp过也不行!
+ N% n; Y+ n$ e% ^& v
viv#ping 124.190.155.118

Type escape sequence to abort.
% c6 `/ _5 m4 p) NSending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
) n4 e: o( Q( k' {: V+ b.....
. Y+ X5 f7 x( M  w$ Q6 M+ RSuccess rate is 0 percent (0/5)
; K* |4 W4 Y( N/ Q+ @viv#
  y- p& m$ r# l
% M$ M( W9 R1 v6 J但是其他 的地址全可以通.....
viv#ping 124.190.155.117
" ~' }( V6 \3 n
+ Q6 M0 A2 R, h, q, A& K" s9 [Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.117, timeout is 2 seconds:
: z5 m& J6 t# [5 ~6 k  a!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
viv#ping 124.190.155.116
7 u" r: u5 r/ `. q  m0 n5 p3 r! k8 p
1 _* O$ y, e3 Y/ H+ lType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.116, timeout is 2 seconds:
7 C4 K: o- g; x3 y1 J!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
viv#ping 124.190.155.115
9 Y" h7 A, `1 U8 t% k- ~
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.115, timeout is 2 seconds:
!!!!!
+ m8 J, e; P3 k2 ~% S  K, v. D5 F9 ~% iSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
. S8 e' V' U) E6 Jviv#ping 124.190.155.114

Type escape sequence to abort.
. I/ e* g! n* t) mSending 5, 100-byte ICMP Echos to 124.190.155.114, timeout is 2 seconds:
3 }3 i! B) K* G, Q& N, X7 ^6 l5 j!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
! f) |* ]- O+ d6 u: V  T# V# [viv#
- q) M& S7 d" K! m+ bviv#ping 211.111.226.150
* \. a8 I  Z  \9 l& c9 e
7 }, Q) Z3 {' p1 j( ZType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.111.226.150, timeout is 2 seconds:
* N( @0 v( z# P- _7 T; f. B8 H$ g!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
! V$ m" X9 V( H  X! h  _viv#

汗,我刚才试着把124.190.155.118那条静态映射删除重新写了下,在路由器里可以ping通了,但是从外网仍ping不通,之前操作是我把124.190.155.118放到地址池里作转换从外网可以ping通,但放回静态映射后从外网就不通了~~~
% f5 Y; u8 o6 C1 \" o) S
0 z, g, n" S. `: V1 j* R: yviv#ping 124.190.155.118
9 N$ Q# J3 C. W% G& C3 O4 F% ~
" D" F  X6 P( `; K9 M6 G0 jType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
1 E: J; p( @7 S# v1 a" U!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

' @* i! }; G, g4 m4 P会是用户路由器本身的问题么?
0 }+ n. p1 x) h- n( H7 n$ g. Z3 j  ?用户表示他换过一台路由器了也没什么效果.
下面是用户路由器版本信息
- T( @) D0 r: x( L% i) lviv# sh ver
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(6)T7, R
ELEASE SOFTWARE (fc5)
Technical Support:
Copyright (c) 1986-2007 by Cisco Systems, Inc.
3 C( K; d+ h3 q; kCompiled Thu 29-Mar-07 05:08 by khuie
8 V2 A& l- `  a8 M! A+ y' Q
1 F+ S/ A" s" q4 bROM: System Bootstrap, Version 12.4(13r)T6, RELEASE SOFTWARE (fc1)

" y; n' T9 S& \+ Cviv uptime is 1 week, 11 hours, 54 minutes
' V7 Z4 a8 e3 J2 v( fSystem returned to ROM by reload at 02:13:17 UTC Tue Jul 16 2013
* [( G2 _/ ^5 O  R9 K2 SSystem image file is "flash:c2800nm-spservicesk9-mz.124-6.T7.bin"

. s  Z2 {, ?8 O; e8 m" U
8 I' X# S& ^7 M6 [( z# i! SThis product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
' ^- L  I* T/ A. `; Quse. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
: S- F/ l& Q# @, O2 t: d; ]Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
" k; n3 d; R9 Q2 d" Y8 `1 dto comply with U.S. and local laws, return this product immediately.
% L6 j9 Y: ^; X/ _  V( Q4 E/ L: R3 C
% l' K9 }6 H3 ]  }9 V( aA summary of U.S. laws governing Cisco cryptographic products may be found at:


If you require further assistance please contact us by sending email to
* ~+ c: b+ X8 g+ `+ W.
( \9 x, S  v; d5 j( U+ K
Cisco 2821 (revision 53.51) with 514048K/10240K bytes of memory.
Processor board ID FTX0902D0SB
2 Gigabit Ethernet interfaces
  M( h  m3 C. C3 _0 vDRAM configuration is 64 bits wide with parity enabled.
7 [1 b" n3 ]% D! c  Y' s+ q* A239K bytes of non-volatile configuration memory.
7 S0 a; ]/ D2 u6 U62720K bytes of ATA CompactFlash (Read/Write)
5 ^. Y& u# n7 a  D' ]1 h
+ M6 B# U- v- z* O3 z9 F6 QConfiguration register is 0x2102
$ h+ m0 t  e) O* N( p& G+ ~! a. |
3 I% ~4 c6 S4 C& u- |% j  Gviv#

cisco设备在启用nat后都可以ping得通，只要路由正常；
如果想不让cisco设备进行自动arp应答，可以使用 no-alias ；

不错不错，楼主您辛苦了。。。

没看完~~~~~~ 先顶，好同志

写的真的很不错

小手一抖，金币到手！