思科2821路由器出现的怪现象求大家帮看一下,谢谢~~!

viv#sh run
Building configuration...
  z. X, T6 z$ M
Current configuration : 1676 bytes
!
2 j, q  {% Z4 d4 v' C  E1 oversion 12.4
- D& V! Y) e  k; F' x& {3 gservice timestamps debug datetime msec
6 ^9 W- h0 q2 Vservice timestamps log datetime msec
3 e- L) }( o5 \" M& _7 S- Kservice password-encryption
!
hostname viv
!
# F2 P! Q, j8 r- @0 f( H& @boot-start-marker
boot-end-marker
!
7 x. c5 j! s3 R' F8 ^) w1 H/ C- E2 Renable password 7 020706585A545C6D
!
% N6 Z/ L. _1 ~, v/ zno aaa new-model
& K/ s6 ~  [: k!
resource policy
!
( l3 l0 l+ Y) ^' F5 K. ?& o# Q!
7 }( u* ?, p) ~+ i, g6 r2 k/ b!
( G" [% g/ x5 u! tip cef
; |6 L. ]( J( i7 Q' o5 A% b+ m!
& t# C* I9 V8 w# a!
. x" Y' i* @0 ~% o/ G$ U% a!
9 a  O; S6 ]1 qvoice-card 0
2 m! V2 P  O( K& q% G no dspfarm
!
!
!
! z" g5 s4 W+ R* @7 O; B!
!
4 }( }5 @* p# G! c!
!
!
+ {: _6 k- q3 L; L0 ~!
!
8 y' ]' L( g; x2 W!
! q1 j0 c& G) t!
: A1 O2 s% z* j& O) t9 g!
!
$ Q% t" B/ K+ b- V8 _% y1 R!
3 ?  y# B" N* m* h2 b# v!
!
!
- K4 V5 G2 o$ Z!
!
; I3 [4 r" Z, q' v% h. U4 H, vinterface GigabitEthernet0/0
ip address 172.30.30.18 255.255.255.252
ip nat outside
9 A4 _% E. K. {; R5 j duplex auto
speed auto
) ~7 o  \5 N: i, t* H0 I% p!
, c6 e  g, ~, _$ H* E" D( P6 L: Sinterface GigabitEthernet0/1
) q- I8 b' G% x3 z ip address 211.111.226.145 255.255.255.248 secondary
! V8 q' p; _* \8 N2 L: U" R ip address 124.190.155.113 255.255.255.248 secondary
" @  N, {0 x. c" I: D0 r" Z: w5 ~5 } ip address 192.168.1.1 255.255.255.0
5 a: L6 ~( M8 S+ }. A ip helper-address 192.168.1.70
ip accounting output-packets
3 c$ J' A& d' W8 ^/ m( E ip nat inside
duplex auto
9 E7 l+ [2 E, U( d, }- @ speed auto
- V& r+ n# f# I/ t! g2 {! `) Y. l!
" c8 ?/ ^0 P5 m! r5 }6 zip route 0.0.0.0 0.0.0.0 172.30.30.17
1 H  a/ J4 d: \  B: }* B( }' f* K! w!
4 M1 R8 F$ ~9 h4 A!
; q& J  z1 A% S* d) kno ip http server
5 j4 l1 \6 g; [4 Q' v) vno ip http secure-server
5 {$ O  V. \4 L: d  u: a& P8 V$ cip nat pool viv 211.111.226.150 211.111.226.150 netmask 255.255.255.252
ip nat inside source list 1 pool viv overload
7 t9 F+ i: v! L0 M& k, y; D( a4 Z) o; ]  aip nat inside source static tcp 192.168.1.76 443 124.190.155.114 443 extendable
ip nat inside source static tcp 192.168.1.70 3389 124.190.155.115 3389 extendabl
e
0 ]9 O5 `7 n1 _) ~; d4 eip nat inside source static tcp 192.168.1.77 5756 124.190.155.116 5756 extendabl
e
1 K% R9 s0 G  P- U; q9 qip nat inside source static tcp 192.168.1.74 25 124.190.155.117 25 extendable
/ p3 d4 r+ x4 _& S7 Gip nat inside source static tcp 192.168.1.74 110 124.190.155.117 110 extendable
: P: e  C. l( Yip nat inside source static tcp 192.168.1.74 443 124.190.155.117 443 extendable
! p1 k+ H: v: Q' Xip nat inside source static tcp 192.168.1.75 80 124.190.155.118 80 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
5 C/ ?; a& H& h; k$ u5 `* Z, ]4 m5 `!
!
/ T4 d8 ~% Q  mcontrol-plane
!
, }# y* I( K' E" a# j!
!
. D6 J, e6 b* t: q$ }; ~!
!
!
!
5 R3 U6 O+ A& [( e; h- q!
, }  c' G/ m# q8 {) M6 W0 `8 f# u!
; X! A9 ], v, m  uline con 0
line aux 0
line vty 0 4
password 7 08204E4D584B565B
+ u( v$ l, f3 ]8 }6 J* o login
!
; j: U, \9 \& u1 }scheduler allocate 20000 1000
!
end

7 _; i/ ^9 p* [  y0 D* T9 _7 U; {viv#
/ v  E9 t! k, C* |
2 {: h& |* o/ K' n. x. s2 m+ u事情是这样的,用户有几台服务器需要外网访问,上边是用户的路由器配置,G0/0为外口,G0/1为内口,用户有两段各8个公网IP地址,与ISP用的4个私网地址互联,上联ISP端为华为5700三层交换机,路由设置为
1 r' e/ x6 }) E9 L& T- _, p4 yip route-static 124.190.155.112 255.255.255.248 172.30.30.18
ip route-static 211.111.226.144 255.255.255.248 172.30.30.18
目前用户内网有两台可用服务器,IP地址分别为192.168.1.70和192.168.1.77,开启远程桌面连接服务,192.168.1.70用的124.190.155.115作的TCP3389端口映射,而192.168.1.77用的124.190.155.116作的TCP5756端口映射,都可以正常连接,后边的几个地址作好了映射但是服务器没有到位,现在发现一个问题,我在外网(与用户的ISP不是同一个ISP)测试这些地址,发现只有124.190.155.113到116可以ping通,而ping124.190.155.117丢包非常严重,124.190.155.118则根本不通,ping211.111.226.145和当前地址池里的211.111.226.150也可以ping通,如果把124.190.155.118作一地址池则124.190.155.118也可以ping通,本以为没接服务器不能ping通,但是发现124.190.155.114也没有接服务器则可以ping通,不知此问题出在什么地方.把上边远程桌面的124.190.155.116改为124.190.155.118让此服务器通过124.190.155.118则无法打开远程连接.ISP方面也查过上端路由指向及是否存在垃圾路由但均显示是正常的.
" ]: e5 o/ o0 D7 e用户物理结构从ISP华为5700通过一对单模双芯光转换器接到一台H3C的两层交换机再到一台锐捷两层交换机,交换机间使用trunk加VLAN方式连接,在锐捷两层交换机端口上作的限速(用户10M带宽),锐捷设备端对应用户端口接了一点对点微波设备无线打到用户端15楼,再背对背接另一套无线策波设备打到用户端.
这个问题困扰了用户和ISP很久一直未能解决,开始时包括用户网关的所有地址外网均无法ping通,路由器远程也无法telnet,但后来不知怎么这些好了,但是124.190.155.118还是不行,但用户普通上网一直是正常的.上传下载速率也够,ping外网也不丢包....好奇怪.......

更正一下,用户的路由器型号我弄错了,是思科2821,不是2811........
为了尊重用户,用户的公网地址我在这里稍作了些改变.

又发现一个情况,在用户路由器上ping不通124.190.155.118,sh arp也看不到此地址的MAC,其他的地址都可以ping通也能看到MAC地址,clear arp过也不行!

viv#ping 124.190.155.118
( m# t% P! u$ L
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
.....
0 K( D: q; V5 `Success rate is 0 percent (0/5)
- t7 U' J2 k/ I% Pviv#
) D+ I$ F! q. i7 e! x8 q5 w; B8 j) f
但是其他 的地址全可以通.....
4 ]% b5 e5 ~+ E1 K3 {  eviv#ping 124.190.155.117

5 v! b  e6 V" A, V* q& D8 p% D/ HType escape sequence to abort.
9 Q1 [' `+ M. B) w" @* C% o/ LSending 5, 100-byte ICMP Echos to 124.190.155.117, timeout is 2 seconds:
' ^' t" j- j: w* K- N!!!!!
" ]& O3 n0 d. y* N2 hSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
4 U& T7 O, q: x- I6 [1 Lviv#ping 124.190.155.116

' M" a! s' V& l& ?. rType escape sequence to abort.
4 A, \& d/ W7 `1 wSending 5, 100-byte ICMP Echos to 124.190.155.116, timeout is 2 seconds:
3 I) Z  z5 t3 a5 Z' i!!!!!
. V" n3 T7 d6 s9 T( E. V$ e4 FSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
) r  ~3 Q. _% x" }viv#ping 124.190.155.115

" ]9 H2 `- z- A) c8 u/ iType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.115, timeout is 2 seconds:
0 D6 Q2 j; ?& S+ Q' P  ~!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
6 }' t, i! A' C# Xviv#ping 124.190.155.114
% G* |/ s3 ]8 |3 V8 |
4 J, z/ X. F: }  o, F- [+ kType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.114, timeout is 2 seconds:
!!!!!
9 b  G6 ~. _6 l8 t% O5 R" _Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
: [$ d# _" l% ~1 {8 y7 b% }9 K! H* Cviv#
viv#ping 211.111.226.150

0 n, y  B4 O4 ~+ F! Z7 UType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.111.226.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
( w, y2 R( b# o# mviv#

汗,我刚才试着把124.190.155.118那条静态映射删除重新写了下,在路由器里可以ping通了,但是从外网仍ping不通,之前操作是我把124.190.155.118放到地址池里作转换从外网可以ping通,但放回静态映射后从外网就不通了~~~

viv#ping 124.190.155.118
$ [9 P" X, V; [+ e+ B4 p1 E2 h+ S
Type escape sequence to abort.
/ s2 G9 e3 X4 {" xSending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
" F2 w7 A) ^! j/ O
会是用户路由器本身的问题么?
2 q- B! \' f3 x- [  R" H7 u用户表示他换过一台路由器了也没什么效果.
: R* G* Z9 T0 X: r下面是用户路由器版本信息
: ]) s7 k6 l/ Rviv# sh ver
0 Z' @; i2 C6 w2 CCisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(6)T7, R
ELEASE SOFTWARE (fc5)
Technical Support:
( s3 r) f0 c! @Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 29-Mar-07 05:08 by khuie

" S. H+ Z8 i8 g: pROM: System Bootstrap, Version 12.4(13r)T6, RELEASE SOFTWARE (fc1)

viv uptime is 1 week, 11 hours, 54 minutes
7 ~1 D/ m9 v; R: E$ G2 t: }& p- w/ i2 OSystem returned to ROM by reload at 02:13:17 UTC Tue Jul 16 2013
System image file is "flash:c2800nm-spservicesk9-mz.124-6.T7.bin"

# ~" F# b. n6 R' G  o
& Y% @3 {& @% V6 q1 CThis product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
' `) l+ h- V( H) i6 Y" Q/ suse. Delivery of Cisco cryptographic products does not imply
- ]7 t# }" I4 e2 ^. b- F0 }  Cthird-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
% N6 ?# o( R/ ccompliance with U.S. and local country laws. By using this product you
3 [8 B( B4 `+ U: V# |3 iagree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
$ k4 }$ g" B: S8 _% W1 A
. _6 p5 D- S& K6 R1 [- pA summary of U.S. laws governing Cisco cryptographic products may be found at:


* V% G1 k; `9 ]; Q/ g5 |3 iIf you require further assistance please contact us by sending email to
+ w- i9 a( i+ q) c.
, b; ~/ ~9 `  k0 c
# M' h, r: P+ o9 W2 z1 SCisco 2821 (revision 53.51) with 514048K/10240K bytes of memory.
Processor board ID FTX0902D0SB
/ U. X& k+ D& s3 L6 T" y2 Gigabit Ethernet interfaces
0 k, ?9 p; k8 }, y$ c1 EDRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
# f2 o3 V$ f0 A8 f8 t
viv#

cisco设备在启用nat后都可以ping得通，只要路由正常；
如果想不让cisco设备进行自动arp应答，可以使用 no-alias ；

不错不错，楼主您辛苦了。。。

没看完~~~~~~ 先顶，好同志

写的真的很不错

小手一抖，金币到手！