思科2821路由器出现的怪现象求大家帮看一下,谢谢~~!

viv#sh run
Building configuration...

Current configuration : 1676 bytes
!
5 a% v3 b+ \" i* @version 12.4
: G- S) Z$ b$ y6 y  @service timestamps debug datetime msec
5 S5 I* u' y+ S5 A8 Y1 N) n: b0 ]service timestamps log datetime msec
- o, F7 F$ @9 z- d2 Zservice password-encryption
  A1 Z7 L, x, K!
7 C8 m/ G* \6 m# {hostname viv
5 N( R. @2 `5 @; O- M! g  {!
boot-start-marker
+ \4 S, }! V4 f# ], G8 i5 ?boot-end-marker
" N, p" h) p5 j  R1 Y!
enable password 7 020706585A545C6D
4 t: Z$ E# u6 i5 F!
no aaa new-model
!
0 k7 P# e' W- h. Y* `resource policy
!
. u8 S$ D3 i+ N, k!
( W2 v; A1 o- L. U5 ]+ }!
: u* |3 k5 Q, M+ J5 a! Xip cef
2 ]- h- u8 k* W2 A7 x! B!
!
!
( f# N4 f( o" D  B$ F2 Wvoice-card 0
no dspfarm
1 X( X* I) U7 k1 Q4 x!
( E4 T: m  r6 P!
!
!
+ M7 u/ W$ r, s1 |9 I!
!
!
!
!
1 C* M: C  h, O. I!
!
!
!
. v+ k' ?7 G" b: Z!
!
+ ]6 g( F& R' q!
!
!
!
, z* U! ?( B* w! j9 d1 r( p/ c' z+ h!
6 d/ d( @; s# [+ X4 C- d: Z% Tinterface GigabitEthernet0/0
ip address 172.30.30.18 255.255.255.252
, j! j( r3 B8 r ip nat outside
duplex auto
0 ^+ L& |' b! R/ P" R/ y speed auto
; c. H/ G9 n4 D- `% x' |# L!
6 O, F$ x6 d! M3 Binterface GigabitEthernet0/1
/ M* H- A3 d/ ]; B; k* X ip address 211.111.226.145 255.255.255.248 secondary
ip address 124.190.155.113 255.255.255.248 secondary
( _7 o  C) i/ c3 g' v7 t: z ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.70
" w$ _0 S, v, f+ ] ip accounting output-packets
9 s7 Y2 ~4 E$ s3 ]" l ip nat inside
" H' ]! k9 H! V: z  }: w6 R duplex auto
5 ~  l- U* p" p5 P$ N2 J* O speed auto
5 F" t2 a' I1 a# ^% J. u!
- F! G3 N9 k" B$ hip route 0.0.0.0 0.0.0.0 172.30.30.17
!
2 R" `3 `" o1 c1 L* J7 E!
no ip http server
no ip http secure-server
6 S- R$ v: t" Z9 dip nat pool viv 211.111.226.150 211.111.226.150 netmask 255.255.255.252
ip nat inside source list 1 pool viv overload
" `2 D& s# P. o3 A7 pip nat inside source static tcp 192.168.1.76 443 124.190.155.114 443 extendable
ip nat inside source static tcp 192.168.1.70 3389 124.190.155.115 3389 extendabl
1 ~: b/ `; J' ~! H6 {  ]5 v' Re
ip nat inside source static tcp 192.168.1.77 5756 124.190.155.116 5756 extendabl
) V) P' Q3 \+ w! i, N6 D. I8 ~e
$ X9 e$ d7 ^5 Lip nat inside source static tcp 192.168.1.74 25 124.190.155.117 25 extendable
ip nat inside source static tcp 192.168.1.74 110 124.190.155.117 110 extendable
: u3 Q" c" X7 h5 Pip nat inside source static tcp 192.168.1.74 443 124.190.155.117 443 extendable
ip nat inside source static tcp 192.168.1.75 80 124.190.155.118 80 extendable
5 ~* E/ k6 x5 z: Y!
access-list 1 permit 192.168.1.0 0.0.0.255
5 W+ O5 N/ J  c!
3 u3 F% r# o+ e9 ]!
" R$ s: v- h8 J# K( M  @!
: @1 B. j, r& A, E  }( S8 q4 qcontrol-plane
! F" Z) j: o+ [" H% _/ v!
, d% m$ D# X  T& ?0 S: z!
!
!
!
!
/ v( c% d# d8 z" J!
!
  A: ~/ D! }, q- Y3 B# M% N( y: Z!
) O8 P* ?! `+ hline con 0
line aux 0
line vty 0 4
password 7 08204E4D584B565B
$ c, `& X4 d; D! J$ q login
!
scheduler allocate 20000 1000
!
  v1 H. x: A4 u6 @, A, ^end

6 e0 g3 S. S5 yviv#

1 y+ r% N) t: r. s. r事情是这样的,用户有几台服务器需要外网访问,上边是用户的路由器配置,G0/0为外口,G0/1为内口,用户有两段各8个公网IP地址,与ISP用的4个私网地址互联,上联ISP端为华为5700三层交换机,路由设置为
ip route-static 124.190.155.112 255.255.255.248 172.30.30.18
ip route-static 211.111.226.144 255.255.255.248 172.30.30.18
目前用户内网有两台可用服务器,IP地址分别为192.168.1.70和192.168.1.77,开启远程桌面连接服务,192.168.1.70用的124.190.155.115作的TCP3389端口映射,而192.168.1.77用的124.190.155.116作的TCP5756端口映射,都可以正常连接,后边的几个地址作好了映射但是服务器没有到位,现在发现一个问题,我在外网(与用户的ISP不是同一个ISP)测试这些地址,发现只有124.190.155.113到116可以ping通,而ping124.190.155.117丢包非常严重,124.190.155.118则根本不通,ping211.111.226.145和当前地址池里的211.111.226.150也可以ping通,如果把124.190.155.118作一地址池则124.190.155.118也可以ping通,本以为没接服务器不能ping通,但是发现124.190.155.114也没有接服务器则可以ping通,不知此问题出在什么地方.把上边远程桌面的124.190.155.116改为124.190.155.118让此服务器通过124.190.155.118则无法打开远程连接.ISP方面也查过上端路由指向及是否存在垃圾路由但均显示是正常的.
5 S  C  f1 q1 u4 p" ~$ ]! \; f用户物理结构从ISP华为5700通过一对单模双芯光转换器接到一台H3C的两层交换机再到一台锐捷两层交换机,交换机间使用trunk加VLAN方式连接,在锐捷两层交换机端口上作的限速(用户10M带宽),锐捷设备端对应用户端口接了一点对点微波设备无线打到用户端15楼,再背对背接另一套无线策波设备打到用户端.
, N# j1 w6 `( i: g0 P. E; T$ g! h7 Z这个问题困扰了用户和ISP很久一直未能解决,开始时包括用户网关的所有地址外网均无法ping通,路由器远程也无法telnet,但后来不知怎么这些好了,但是124.190.155.118还是不行,但用户普通上网一直是正常的.上传下载速率也够,ping外网也不丢包....好奇怪.......

更正一下,用户的路由器型号我弄错了,是思科2821,不是2811........
为了尊重用户,用户的公网地址我在这里稍作了些改变.

又发现一个情况,在用户路由器上ping不通124.190.155.118,sh arp也看不到此地址的MAC,其他的地址都可以ping通也能看到MAC地址,clear arp过也不行!

0 B" s. ]7 w; X0 f' P( Zviv#ping 124.190.155.118
& _. z: S2 e/ Z; O% x
Type escape sequence to abort.
0 s! N! q5 T$ e; E! P, C4 TSending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
" q6 T/ x. W- ]9 r.....
Success rate is 0 percent (0/5)
0 z% }. K! }4 Vviv#
; n% h( ^) [0 z# b7 ]+ d
) w# _; ~& g6 b, V$ Y1 i: y但是其他 的地址全可以通.....
viv#ping 124.190.155.117
3 q3 R6 r% |: F; T* n9 j
0 v- l) S* B5 S5 m  V' i8 a+ vType escape sequence to abort.
: \* u% M7 u6 _! S$ I+ bSending 5, 100-byte ICMP Echos to 124.190.155.117, timeout is 2 seconds:
+ s1 Y$ F$ P2 U% w9 Z, M!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
5 j2 ?: k+ ~5 N0 @9 y, ~+ cviv#ping 124.190.155.116
. A6 y7 r3 `! x8 v- e- Y
Type escape sequence to abort.
9 r: t1 |: N2 H7 ESending 5, 100-byte ICMP Echos to 124.190.155.116, timeout is 2 seconds:
!!!!!
7 }/ u. {/ O. t1 R; T+ cSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
viv#ping 124.190.155.115
: V" A% {% f1 ]* [  I7 X
Type escape sequence to abort.
8 ~5 T& X/ \9 sSending 5, 100-byte ICMP Echos to 124.190.155.115, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
viv#ping 124.190.155.114

- n9 L/ h4 S6 i9 J# c; QType escape sequence to abort.
2 _. B! b3 c/ o9 {; d: mSending 5, 100-byte ICMP Echos to 124.190.155.114, timeout is 2 seconds:
- O" p5 _& ~/ K1 k!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
. [( }0 f" ?' e) y, N/ yviv#
9 B8 D8 i% E! @  ^& M' E- u3 zviv#ping 211.111.226.150

Type escape sequence to abort.
7 [3 p, y7 H- x8 V# JSending 5, 100-byte ICMP Echos to 211.111.226.150, timeout is 2 seconds:
!!!!!
! g2 I* W! h* H' g0 t" ]Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
viv#

汗,我刚才试着把124.190.155.118那条静态映射删除重新写了下,在路由器里可以ping通了,但是从外网仍ping不通,之前操作是我把124.190.155.118放到地址池里作转换从外网可以ping通,但放回静态映射后从外网就不通了~~~

viv#ping 124.190.155.118
+ {4 @- j9 c4 ^3 H. l3 m
: \3 o/ N9 k1 j8 `) M* F* HType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
6 D( G3 E6 l+ G4 b; c!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
& x# {* R6 r( A4 n1 m9 ^1 ?
会是用户路由器本身的问题么?
" l1 ?7 ]7 \# Y8 Z用户表示他换过一台路由器了也没什么效果.
下面是用户路由器版本信息
2 A, r: v+ ~9 i* i2 Y% O6 Uviv# sh ver
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(6)T7, R
) n3 m2 g% a; R/ ?) V5 N- A  j0 KELEASE SOFTWARE (fc5)
- k4 ^% p4 j/ N% f2 X: W, E( rTechnical Support:
* X0 |/ B/ O0 _5 R& i3 CCopyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 29-Mar-07 05:08 by khuie
- R4 H( v, X2 T( D
ROM: System Bootstrap, Version 12.4(13r)T6, RELEASE SOFTWARE (fc1)

viv uptime is 1 week, 11 hours, 54 minutes
+ H% }7 c1 G; n, X) VSystem returned to ROM by reload at 02:13:17 UTC Tue Jul 16 2013
System image file is "flash:c2800nm-spservicesk9-mz.124-6.T7.bin"
& d9 b* r& K! C' e0 G( [0 K8 o

6 P+ K* k! F7 Y. EThis product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
, n3 E, H: t1 {( tImporters, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
5 x- t! v( n/ y; I4 P5 z5 l; ato comply with U.S. and local laws, return this product immediately.
' [+ \- y# ~& N  ~$ z) B
A summary of U.S. laws governing Cisco cryptographic products may be found at:
% d# X6 ?+ o0 b, G2 m* Y# _
) H1 Q+ H" n! g
$ M' f" r  P$ y7 F6 f, NIf you require further assistance please contact us by sending email to
.

$ S; G* E! d9 N7 V9 DCisco 2821 (revision 53.51) with 514048K/10240K bytes of memory.
Processor board ID FTX0902D0SB
2 Gigabit Ethernet interfaces
8 m# [+ ~5 ?: ?2 ^$ D$ zDRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
: @+ X, E% d! t9 {$ K( J62720K bytes of ATA CompactFlash (Read/Write)
- \" s( a- V9 y3 b7 }3 L6 M
Configuration register is 0x2102
1 T7 D  V+ W- k, D: y
# S- M5 e; x" S# @& ?  Cviv#

cisco设备在启用nat后都可以ping得通，只要路由正常；
* X% u1 x* t* G& }& _如果想不让cisco设备进行自动arp应答，可以使用 no-alias ；

不错不错，楼主您辛苦了。。。

没看完~~~~~~ 先顶，好同志

写的真的很不错

小手一抖，金币到手！