After static NAT and ACL ping not successful towards customer router

Jun 6th, 2017

Hi, I work for an ISP and have just implemented NAT and ACL, and when I try to ping the customer router I'm not able to reach it from my edge router, which is connected to the customer.

Customer Configuration below:

ip nat pool ICTD 10.10.10.1 10.10.10.2 netmask 255.255.255.252
ip nat inside source list 23 pool ICTD overload
ip nat inside source static 192.168.0.5 10.10.10.1

10.10.10.1 to 10.10.10.2 is the public IP range; the 1st IP is the same as the static NAT public IP.

ACL configurations

access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any

Julio Moisa Tue, 06/06/2017 - 03:51

What about if the following line is included:

access-list 110 permit icmp any any

or 

access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply

Are you pinging the directly connected interface from your router? The ACL is configured on your side, right?

thukuthed Tue, 06/06/2017 - 04:46

Yes, I'm pinging from my router directly connected to the customer. The ACL is configured on the client; on my router there is no ACL. Okay, let me try the above configs you gave.


Julio Moisa Wed, 06/07/2017 - 04:43

Are you using a VRF under the interface facing the client?


Julio Moisa Wed, 06/07/2017 - 06:37

Do you see the MAC address of the neighbor interface with ARP from your router? I think you already removed the ACL and it was the same story, right?

Are you trying to ping the IP 10.10.10.1, or what is the destination? What is the IP under the client interface?

Is it possible to know the configuration of your interface and the interface on the client side?


thukuthed Fri, 06/09/2017 - 07:43

ip nat inside source static tcp 192.168.0.5 25 10.10.10.1 25 worked, after reloading the router.

Thanks guys


Julio Moisa Fri, 06/09/2017 - 07:48

Thank you for the update.

Jon Marshall Fri, 06/09/2017 - 08:58

You should not have needed a reload, just a clearing of the translation, but glad to hear it is working.

Jon

thukuthed Sun, 06/11/2017 - 23:59

Yeah, I tried clearing the translation but it returned an error, so I ended up reloading.

thukuthed Wed, 06/07/2017 - 06:16

I have control of the remote router; I manage it. The ACL which is there is

access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any

Thanks for your reply. Can you create an access list with the NATed address as the source and the remote router's WAN address, and then debug the access list on the remote router? You can try this on both sides to confirm if ICMP packets are even reaching the end point. You may have already tried this.



thukuthed Wed, 06/07/2017 - 06:40

OK, will get back; let me create the ACL as you suggest.

Julio Moisa Wed, 06/07/2017 - 08:22

You can include an any; it can be a standard ACL.

thukuthed Tue, 06/06/2017 - 04:49

Even with the commands you gave me, when I apply them there is still no ping. It replies with a timeout.

Jon Marshall Tue, 06/06/2017 - 07:18

It's not clear what the problem is.

Are you saying you have applied ACL 110 inbound to the interface on the customer router that connects to you?

Perhaps if you could explain in a bit more detail.

Jon

thukuthed Tue, 06/06/2017 - 23:40

ISP Router>>>>>>>>>>>>>>>>>>Customer Router>>>>>>>Customer LAN

ACL 110 is applied inbound on the WAN interface for customer.

I have a static NAT for the mail server, and NAT overload for internet access with two IP addresses. From the two IP addresses used to access the internet, I also use the other IP address for mail. I guess you get it now.


Thanks

Jon Marshall Wed, 06/07/2017 - 01:37

Is the customer WAN interface using either of the public IPs used in the NAT configuration?

Jon

thukuthed Wed, 06/07/2017 - 02:29

Yes, I have two NATs, one with overload and another one with a static one-to-one mapping. Yes, the WAN interface IP address is mapped to a private IP using static NAT. The same public IP is used to NAT again and is part of the range used for internet access.

Thank you in advance

Jon Marshall Wed, 06/07/2017 - 02:37

If the IP on the WAN interface is 10.10.10.1 then this -

"ip nat inside source static 192.168.0.5 10.10.10.1"

could stop the ping working.

If that is for mail, use a port translation instead, i.e. -

"ip nat inside source static tcp 192.168.0.5 25 10.10.10.1 25"

Jon
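Jon's point above, plus Julio's earlier ACL suggestion, as an added illustration that is not code from the thread or from Cisco: a small Python model of how the customer router decides whether a packet arriving on its WAN interface is answered locally, handed to the static-NAT inside host, or dropped by the inbound ACL. The addresses and ACL lines are the thread's own; the ISP-side source 198.51.100.1, the function names and the simplified matching logic are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the customer router in the thread (not IOS code).
WAN_IP = "10.10.10.1"        # customer WAN interface; also the static-NAT global address
MAIL_SERVER = "192.168.0.5"  # inside host behind the static NAT

@dataclass(frozen=True)
class Packet:
    proto: str               # "icmp", "tcp" or "udp"
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None  # None: plain static NAT, every protocol and port is translated
    port: Optional[int] = None

# ACL 110 as quoted above: (protocol, destination host or None=any, port or None=any).
ACL_110 = [("tcp", WAN_IP, 25), ("tcp", None, None), ("ip", None, None)]

def acl_permits(acl, p: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for proto, dst, dport in acl:
        if proto != "ip" and proto != p.proto:
            continue
        if (dst is None or dst == p.dst) and (dport is None or dport == p.dport):
            return True
    return False

def nat_target(nats: List[StaticNat], p: Packet) -> Optional[str]:
    """Inside host an outside->inside packet is translated to, or None if untranslated."""
    for n in nats:
        if p.dst == n.inside_global and (n.proto is None or (n.proto, n.port) == (p.proto, p.dport)):
            return n.inside_local
    return None

def deliver(acl, nats: List[StaticNat], p: Packet) -> str:
    """Inbound ACL first (checked on the untranslated global destination), then the NAT table."""
    if not acl_permits(acl, p):
        return "dropped by ACL"
    target = nat_target(nats, p)
    return f"forwarded to {target}" if target else "answered by router"

PLAIN_STATIC = [StaticNat(MAIL_SERVER, WAN_IP)]            # original config
PORT_STATIC = [StaticNat(MAIL_SERVER, WAN_IP, "tcp", 25)]  # Jon's suggestion
ISP_PING = Packet("icmp", WAN_IP)                          # echo request from 198.51.100.1 (constructed)
ISP_SMTP = Packet("tcp", WAN_IP, 25)
```

With the plain static entry the echo request is handed to 192.168.0.5, so whether a reply ever comes back depends on the mail server, not the router; with the TCP/25 entry only SMTP is translated and the router answers pings to its own WAN IP. ACL 110 as posted already permits ICMP through its `permit ip any any` line, so the extra `permit icmp` entries only matter for an ACL that lacks it (ACL_110[:2] in the model).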

thukuthed Wed, 06/07/2017 - 03:24

Changed static NAT as you suggested, still not able to ping through.

Jon Marshall Wed, 06/07/2017 - 03:32

When you say ping through, you do mean you are pinging the WAN interface IP?

Did you check the translation table to make sure the old translation was cleared?

If you are trying to ping the WAN IP then the ACL is allowing IP, so it really must be the NAT, unless of course you have a basic connectivity problem, which I am assuming you have checked.

Jon

thukuthed Wed, 06/07/2017 - 06:10

Yes sir, basic connectivity has been checked; I'm pinging the WAN IP here. After the change you suggested I cleared the NAT translations. I also feel it's NAT now, since IP is allowed on the ACL.
