思科2821路由器出现的怪现象求大家帮看一下,谢谢~~!

viv#sh run
* o, {' W5 H6 G, t* O4 PBuilding configuration...

Current configuration : 1676 bytes
!
9 V, g) D5 @! T1 g8 P" B  Vversion 12.4
service timestamps debug datetime msec
, J, ~* b) C' F0 _& B, Z: _service timestamps log datetime msec
service password-encryption
!
hostname viv
/ k" e) G9 ]  S* i6 `: B. b!
boot-start-marker
boot-end-marker
, t: u/ P" l: s! F0 `+ Q!
- }5 @( d0 ]2 Xenable password 7 020706585A545C6D
!
no aaa new-model
!
resource policy
  d1 b4 R& X4 N* V: b4 X: b2 h: c0 `!
!
1 `2 V" b" E3 P, d!
0 B- K' Z4 j1 d# Dip cef
" ], k* H3 A+ y; _# C!
( S" e1 K' B* X* c' w" R/ H!
/ s( D7 q4 w/ ^# Z/ H!
voice-card 0
no dspfarm
!
!
9 h; A5 c+ d4 z; t' u!
/ Q  t; l1 g3 d; o7 m8 V!
!
$ v! G  a' G& z0 ]!
. d' W6 O; D" a6 \!
!
" u9 c# t* v! z" {1 H!
!
!
. e# {5 A- C3 J8 \) F$ {6 S!
!
!
4 |! B& T! U- |, l# h( a!
8 y: k- E+ w1 o- _, j!
!
+ s. n2 [; R9 m5 r!
2 O- l, b5 j5 p, Y( K! B& ]!
0 m' D0 B/ ]$ @2 v8 P' W6 Z!
interface GigabitEthernet0/0
ip address 172.30.30.18 255.255.255.252
ip nat outside
7 K( K. {, \, `4 T) P) [ duplex auto
+ ^7 \- I; a5 n- V) J" E0 T speed auto
0 R3 x3 U2 B% x. \* c# b!
interface GigabitEthernet0/1
) s% y0 j, Z. u! R* q! G( s3 @& C ip address 211.111.226.145 255.255.255.248 secondary
; {/ o  j0 L# X2 _4 q8 F, ~8 T ip address 124.190.155.113 255.255.255.248 secondary
1 }$ c4 g, y7 J: K5 x) q! R1 g6 G$ L4 o! i ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.70
ip accounting output-packets
6 H' D4 a, i. E$ p ip nat inside
; L/ Z  w& i' r/ A& j, R duplex auto
speed auto
5 m) n) E9 d1 Q& Q2 y0 L!
ip route 0.0.0.0 0.0.0.0 172.30.30.17
!
!
6 e1 n" N1 U7 y- e1 [- [- pno ip http server
no ip http secure-server
ip nat pool viv 211.111.226.150 211.111.226.150 netmask 255.255.255.252
. |: H6 K. H" }  X3 {ip nat inside source list 1 pool viv overload
ip nat inside source static tcp 192.168.1.76 443 124.190.155.114 443 extendable
ip nat inside source static tcp 192.168.1.70 3389 124.190.155.115 3389 extendabl
3 _2 K5 P+ i% M5 e0 ye
) l& c: d# r. i' J# n0 v) k6 d2 Iip nat inside source static tcp 192.168.1.77 5756 124.190.155.116 5756 extendabl
e
4 L' `4 Z. p0 h  R0 x" r- eip nat inside source static tcp 192.168.1.74 25 124.190.155.117 25 extendable
ip nat inside source static tcp 192.168.1.74 110 124.190.155.117 110 extendable
ip nat inside source static tcp 192.168.1.74 443 124.190.155.117 443 extendable
; u. H* v/ M/ X# O9 k4 n6 w( p5 fip nat inside source static tcp 192.168.1.75 80 124.190.155.118 80 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
/ R6 o/ `& f+ s2 I% m!
!
!
  V( [7 a5 A* B5 C!
!
!
" {3 D* v6 `2 Z$ C! h+ J# ?) ]; R!
+ L$ v4 f: N9 L6 C!
9 ?* P- E1 L7 a  m0 [  T$ D!
* ~0 w# `$ \# b; iline con 0
/ L; v* U6 m/ F! yline aux 0
line vty 0 4
2 r$ k% J2 z) F, j2 g# [ password 7 08204E4D584B565B
login
!
scheduler allocate 20000 1000
/ ~' |5 y8 H0 A5 r% E!
8 |" E+ I2 w& [4 C7 d8 H# S1 gend

$ B0 d% ^5 E2 Y7 ^  ^0 U! oviv#
' g6 P! w2 [! e% s: N
事情是这样的,用户有几台服务器需要外网访问,上边是用户的路由器配置,G0/0为外口,G0/1为内口,用户有两段各8个公网IP地址,与ISP用的4个私网地址互联,上联ISP端为华为5700三层交换机,路由设置为
ip route-static 124.190.155.112 255.255.255.248 172.30.30.18
% d$ p! Z. x* f' g! {ip route-static 211.111.226.144 255.255.255.248 172.30.30.18
9 i( e  T3 A8 k9 B目前用户内网有两台可用服务器,IP地址分别为192.168.1.70和192.168.1.77,开启远程桌面连接服务,192.168.1.70用的124.190.155.115作的TCP3389端口映射,而192.168.1.77用的124.190.155.116作的TCP5756端口映射,都可以正常连接,后边的几个地址作好了映射但是服务器没有到位,现在发现一个问题,我在外网(与用户的ISP不是同一个ISP)测试这些地址,发现只有124.190.155.113到116可以ping通,而ping124.190.155.117丢包非常严重,124.190.155.118则根本不通,ping211.111.226.145和当前地址池里的211.111.226.150也可以ping通,如果把124.190.155.118作一地址池则124.190.155.118也可以ping通,本以为没接服务器不能ping通,但是发现124.190.155.114也没有接服务器则可以ping通,不知此问题出在什么地方.把上边远程桌面的124.190.155.116改为124.190.155.118让此服务器通过124.190.155.118则无法打开远程连接.ISP方面也查过上端路由指向及是否存在垃圾路由但均显示是正常的.
7 o; x( ~% A8 k# a6 X用户物理结构从ISP华为5700通过一对单模双芯光转换器接到一台H3C的两层交换机再到一台锐捷两层交换机,交换机间使用trunk加VLAN方式连接,在锐捷两层交换机端口上作的限速(用户10M带宽),锐捷设备端对应用户端口接了一点对点微波设备无线打到用户端15楼,再背对背接另一套无线策波设备打到用户端.
这个问题困扰了用户和ISP很久一直未能解决,开始时包括用户网关的所有地址外网均无法ping通,路由器远程也无法telnet,但后来不知怎么这些好了,但是124.190.155.118还是不行,但用户普通上网一直是正常的.上传下载速率也够,ping外网也不丢包....好奇怪.......

更正一下,用户的路由器型号我弄错了,是思科2821,不是2811........
为了尊重用户,用户的公网地址我在这里稍作了些改变.

又发现一个情况,在用户路由器上ping不通124.190.155.118,sh arp也看不到此地址的MAC,其他的地址都可以ping通也能看到MAC地址,clear arp过也不行!
2 M7 T( c1 f2 h" z0 q
viv#ping 124.190.155.118

) q& i7 ]) o( g# MType escape sequence to abort.
6 t3 `% c- K3 @& ]' w1 [: l( U' tSending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
.....
7 O/ _' \' P- iSuccess rate is 0 percent (0/5)
8 o0 K3 o; b8 u% F) d" Aviv#
' j+ h% A7 D- l1 x$ s4 ]* h" c6 \
, T1 z! z; c' @+ V, u  A8 L2 C" `但是其他 的地址全可以通.....
/ b7 o* v) k( x; ^* Kviv#ping 124.190.155.117

Type escape sequence to abort.
+ z. }1 n# H: k8 Z1 zSending 5, 100-byte ICMP Echos to 124.190.155.117, timeout is 2 seconds:
!!!!!
: |# I% B! K7 h- |( O4 o* ?0 RSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
viv#ping 124.190.155.116

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.116, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
& g% Q* T3 X, hviv#ping 124.190.155.115
; n+ e& q* q. F+ U9 m) B5 F* }! O
  y/ d, `  e2 |  z  k9 nType escape sequence to abort.
* @( Q7 b# G6 ~3 H" D  MSending 5, 100-byte ICMP Echos to 124.190.155.115, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
viv#ping 124.190.155.114
. l4 G, \5 o+ i
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.114, timeout is 2 seconds:
" ^/ v; J9 C/ u3 w!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
viv#
& `  i1 L; B! X! |( ~viv#ping 211.111.226.150

( h: F* p# \/ E# k1 o  @3 NType escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 211.111.226.150, timeout is 2 seconds:
3 Y. L7 G- H8 w- c8 a) w- t+ I; C!!!!!
% e, J' G. m& i' V3 O! Y- \! V6 iSuccess rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
viv#

汗,我刚才试着把124.190.155.118那条静态映射删除重新写了下,在路由器里可以ping通了,但是从外网仍ping不通,之前操作是我把124.190.155.118放到地址池里作转换从外网可以ping通,但放回静态映射后从外网就不通了~~~
( P) b( N7 f- d* ^: f" n% ?& ^- {
2 t& ]" d7 P- G; F; Q2 {- s; C! Bviv#ping 124.190.155.118
% }) u& t4 n/ u! p; a- O, {% B
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 124.190.155.118, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
1 I3 t, O" u% W7 |+ a4 E- H
4 |3 h8 O* ?' U会是用户路由器本身的问题么?
用户表示他换过一台路由器了也没什么效果.
下面是用户路由器版本信息
viv# sh ver
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(6)T7, R
ELEASE SOFTWARE (fc5)
# k% W2 Y" d+ Z% m  _Technical Support:
( b" l3 `+ t; N) o8 b& nCopyright (c) 1986-2007 by Cisco Systems, Inc.
8 h9 f, k& x& e. D- ?# NCompiled Thu 29-Mar-07 05:08 by khuie

ROM: System Bootstrap, Version 12.4(13r)T6, RELEASE SOFTWARE (fc1)
. }; r9 r. |5 W3 m% f0 ]7 ~) D% a" n: N
$ F! `% V. F* [8 s. f& M3 eviv uptime is 1 week, 11 hours, 54 minutes
" n  u; G1 q0 U; R" m3 ZSystem returned to ROM by reload at 02:13:17 UTC Tue Jul 16 2013
System image file is "flash:c2800nm-spservicesk9-mz.124-6.T7.bin"

( [  p: q$ ]& @1 W1 a
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
" z  l0 a$ C; c  ]) d+ R+ `3 w  Buse. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
5 [3 Y' e) E- {' J+ t# z, i' fImporters, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
& b4 T9 o( r# v( _) m' m6 K3 Vagree to comply with applicable laws and regulations. If you are unable
) }7 ]+ f. z% h9 m" Yto comply with U.S. and local laws, return this product immediately.
4 \, E* Z4 a3 f% v) b' Y8 N
A summary of U.S. laws governing Cisco cryptographic products may be found at:

- A5 r9 r: x2 F- t, K" Y4 s
If you require further assistance please contact us by sending email to
.

Cisco 2821 (revision 53.51) with 514048K/10240K bytes of memory.
/ a( D( r1 f/ I+ V7 I' s. I# ~Processor board ID FTX0902D0SB
2 Gigabit Ethernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
$ j4 a# |! X' v. b$ b
Configuration register is 0x2102
% l2 ?- b% a8 Q% j- b+ ~( ~$ i
viv#

cisco设备在启用nat后都可以ping得通，只要路由正常；
如果想不让cisco设备进行自动arp应答，可以使用 no-alias ；

不错不错，楼主您辛苦了。。。

没看完~~~~~~ 先顶，好同志

写的真的很不错

小手一抖，金币到手！