This section provides an example for configuring syslog source tracing for flexible NAT flows. The log function can be used to record information about intranet users' access to external networks in real time, improving network maintainability. A networking diagram is provided to help you understand the configuration procedure.
In Figure 1, the NAT device (NAT1) performs the NAT function to help PCs within an enterprise network access the Internet. The NAT device uses GE 0/1/8 to connect to the enterprise network. The NAT device's GE 0/1/9 is connected to the Internet. The enterprise is assigned public IP addresses of 11.11.11.11/32 through 11.11.11.15/32.
The configuration roadmap is as follows:
Index (1) of a service-location group
Name (group1) of a service instance group
NAT instance name (nat1) and index (1)
NAT1's NAT address pool name (address-group1), address pool number (1), a range of public IP addresses (11.11.11.11 through 11.11.11.15)
ACL number (3001)
Name (GE 0/1/9) and IP address (192.0.2.1/24) of an interface to which a NAT traffic diversion policy is applied
[~NAT1] acl 3001
[*NAT1-acl4-advance-3001] rule 1 permit ip source 192.168.10.0 0.0.0.255
[*NAT1-acl4-advance-3001] commit
[~NAT1-acl4-advance-3001] quit
[~NAT1] interface gigabitEthernet 0/1/9
[~NAT1-GigabitEthernet0/1/9] ip address 192.0.2.1 24
[*NAT1-GigabitEthernet0/1/9] nat bind acl 3001 instance nat1
[*NAT1-GigabitEthernet0/1/9] commit
[~NAT1-GigabitEthernet0/1/9] quit
[~NAT1] interface gigabitEthernet 0/1/8
[~NAT1-GigabitEthernet0/1/8] ip address 192.168.10.1 24
[*NAT1-GigabitEthernet0/1/8] commit
[~NAT1-GigabitEthernet0/1/8] quit
[~NAT1] ip route-static 198.51.100.1 0.0.0.0 192.0.2.2
[*NAT1] commit
[~NAT1] display nat syslog flexible session template
Create Log:
fixed_string<134> 1 timestamp_year timestamp_month_en timestamp_date timestamp_hour:timestamp_minute:timestamp_second host_ip app_name - scene:fixed_stringSessionbasedA [protocol source_ip - destination_ip source_port destination_port -]
Example:
<134> 1 2019 January 18 14:09:22 X.X.X.X cnelog - NAT444:SessionbasedA [17 X.X.X.X - X.X.X.X 1052 2000 -]
Free Log:
fixed_string<134> 1 timestamp_year timestamp_month_en timestamp_date timestamp_hour:timestamp_minute:timestamp_second host_ip app_name - scene:fixed_stringSessionbasedW [protocol source_ip - destination_ip source_port destination_port -]
Example:
<134> 1 2019 January 18 14:09:22 X.X.X.X cnelog - NAT444:SessionbasedW [17 X.X.X.X - X.X.X.X 1052 2000 -]
NAT1 configuration file
#
sysname NAT1
#
service-location 1
 location slot 1
#
service-instance-group group1
 service-location 1
#
nat instance nat1 id 1
 service-instance-group group1
 nat address-group address-group1 group-id 1
  section 1 11.11.11.11 11.11.11.15
 nat log host 198.51.100.1 514 source 192.0.2.1 514 name NAT1
 nat log session enable syslog
#
acl number 3001
 rule 1 permit ip source 192.168.10.0 0.0.0.255
#
interface GigabitEthernet 0/1/8
 undo shutdown
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet 0/1/9
 undo shutdown
 ip address 192.0.2.1 255.255.255.0
 nat bind acl 3001 instance nat1
#
nat syslog flexible template session
 nat position 0 fixed-string "<134> 1 "
 nat position 1 timestamp-year " "
 nat position 2 timestamp-month-en " "
 nat position 3 timestamp-date " "
 nat position 4 timestamp-hour ":"
 nat position 5 timestamp-minute ":"
 nat position 6 timestamp-second " "
 nat position 7 host-ip " "
 nat position 8 app-name " - "
 nat position 9 scene ":"
 nat position 10 fixed-string "SessionbasedA [" create
 nat position 10 fixed-string "SessionbasedW [" free
 nat position 11 protocol " "
 nat position 12 source-ip " - "
 nat position 13 destination-ip " "
 nat position 14 source-port " "
 nat position 15 destination-port " -]"
#
nat syslog descriptive format flexible template session
#
ip route-static 198.51.100.1 0.0.0.0 192.0.2.2
#
return
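The following Python example is added here and is not part of the original guide or the vendor's tooling. It parses records in the Create Log / Free Log layout printed by display nat syslog flexible session template and pairs them into sessions on the log host, so a flow can be traced to an intranet source and a time window. The function names and sample addresses are constructed, and the pairing assumes a free record repeats the same flow fields as its create record.

```python
import re
from datetime import datetime

# Record layout of the flexible session template on this page (create = A, free = W).
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)> 1 (?P<ts>\d{4} [A-Za-z]+ \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>\S+) - (?P<scene>[^:\s]+):Sessionbased(?P<kind>[AW]) "
    r"\[(?P<proto>\d+) (?P<src>\S+) - (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) -\]$"
)

def parse_record(line):
    """Return a dict for one create or free record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%Y %B %d %H:%M:%S")
    rec["event"] = "create" if rec.pop("kind") == "A" else "free"
    for key in ("pri", "proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def pair_sessions(lines):
    """Pair create/free records per flow; return (closed, unmatched, rejected)."""
    open_flows, closed, unmatched, rejected = {}, [], [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            rejected.append(line)  # keep malformed input for review, do not drop it
            continue
        key = (rec["host"], rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["event"] == "create":
            open_flows[key] = rec
        elif key in open_flows:
            start = open_flows.pop(key)
            closed.append({"flow": key, "start": start["time"], "end": rec["time"]})
        else:
            unmatched.append(rec)  # free record whose create record never arrived
    unmatched.extend(open_flows.values())  # sessions still open at end of input
    return closed, unmatched, rejected

# Constructed sample records (documentation addresses, not captured traffic).
SAMPLE = [
    "<134> 1 2019 January 18 14:09:22 192.0.2.1 cnelog - NAT444:SessionbasedA [17 192.168.10.5 - 203.0.113.9 1052 2000 -]",
    "<134> 1 2019 January 18 14:10:02 192.0.2.1 cnelog - NAT444:SessionbasedW [17 192.168.10.5 - 203.0.113.9 1052 2000 -]",
    "<134> 1 2019 January 18 14:11:00 192.0.2.1 cnelog - NAT444:SessionbasedW [6 192.168.10.7 - 203.0.113.9 40000 443 -]",
    "<134> 1 2019 January 18 14:12:00 192.0.2.1 cnelog - NAT444:SessionbasedA [6 192.168.10.8 203.0.113.9 40001 443 -]",
]
```

Unmatched and rejected records are returned rather than discarded, because gaps in the create/free sequence are themselves worth alerting on when the logs are used for source tracing.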