After static NAT and ACL ping not successful towards customer router

thukuthed
Level 1

Hi, I work for an ISP and have just implemented NAT and an ACL, and when I try to ping the customer router I'm not able to reach it from my edge router which is connected to the customer.

Customer Configuration below:

ip nat pool ICTD 10.10.10.1 10.10.10.2 netmask 255.255.255.252
ip nat inside source list 23 pool ICTD overload
ip nat inside source static 192.168.0.5 10.10.10.1

10.10.10.1-10.10.10.2 is the public IP range; the 1st IP is the same as the static NAT public IP.

ACL configurations

access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any

26 Replies

What about if the following line is included:

access-list 110 permit icmp any any

or 

access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply

Are you making the ping to the interface directly connected from your router? The ACL is configured on your side, right?

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Yes, I'm making the ping from my router directly connected to the customer. The ACL is configured on the client; on my router there is no ACL. Okay, let me try the above configs you gave.

Are you using a VRF under the interface facing the client?

No VRF on the interface, it's just a subinterface.

Do you see the MAC address of the neighbor interface with ARP from your router? I think you already removed the ACL and it's the same story, right?

Are you trying to ping the IP 10.10.10.1, or what is the destination? What is the IP under the client interface?

Is it possible to know the configuration of your interface and the interface on the client side?

ip nat inside source static tcp 192.168.0.5 25 10.10.10.1 25 worked, after reloading the router.

Thanks guys
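To see why swapping the one-to-one static entry for a tcp/25-only entry changed the ping result, here is an added Python model (not code from the thread or from Cisco): it evaluates the customer's ACL 110 exactly as posted (first match wins, implicit deny at the end) and then applies the outside-to-inside static NAT lookup to an ICMP echo. A one-to-one static entry claims every protocol sent to the inside-global address, so the echo is handed to the inside host and the router itself never answers; a port-level entry only claims tcp/25, so the echo stays with the router. The ISP edge address 203.0.113.1 and the assumption that 10.10.10.1 is an address the customer router itself holds are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address

# Constructed sample values (assumptions, not taken from the thread):
ISP_EDGE = "203.0.113.1"      # ISP edge router, source of the ping
CUSTOMER_WAN = "10.10.10.1"   # assumed to be an address the customer router itself holds
INSIDE_HOST = "192.168.0.5"   # inside mail server from the NAT statement
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int | None = None      # destination port for tcp/udp
    icmp_type: str | None = None  # "echo", "echo-reply", ... for icmp


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS numbered extended access list."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp" or "icmp"
    src: str                      # "any" or "host a.b.c.d"
    dst: str
    dport: int | None = None
    icmp_type: str | None = None


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [ICMP-TYPE]'.
    Only 'any'/'host X' addresses and a destination 'eq' are handled here."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, i = tok[2], tok[3], 4

    def take_addr() -> str:
        nonlocal i
        if tok[i] == "host":
            i += 2
            return f"host {tok[i - 1]}"
        i += 1
        return tok[i - 1]

    src, dst = take_addr(), take_addr()
    dport = icmp_type = None
    while i < len(tok):
        if tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        else:
            icmp_type, i = tok[i], i + 1   # e.g. "echo" or "echo-reply"
    return Ace(action, proto, src, dst, dport, icmp_type)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(spec.split()[1]) == ip_address(addr)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))


def acl_decision(acl: list[Ace], pkt: Packet) -> tuple[str, int | None]:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


@dataclass(frozen=True)
class StaticNat:
    """'ip nat inside source static [tcp|udp] LOCAL [LPORT] GLOBAL [GPORT]'."""
    inside_local: str
    inside_global: str
    proto: str | None = None   # None: one-to-one, every protocol is translated
    port: int | None = None


def inbound_translate(entries: list[StaticNat], pkt: Packet) -> tuple[Packet, StaticNat | None]:
    """Outside-to-inside lookup for a packet addressed to an inside-global address."""
    for e in entries:
        if e.inside_global == pkt.dst and (e.proto is None or (e.proto, e.port) == (pkt.proto, pkt.dport)):
            return replace(pkt, dst=e.inside_local), e
    return pkt, None


def router_answers_ping(entries: list[StaticNat], acl: list[Ace], router_addr: str = CUSTOMER_WAN) -> dict:
    """Model an ICMP echo from the ISP edge to the customer's public address: the inbound
    ACL is checked first, then the static table decides whether the packet stays with the
    router (dst still its own address) or is forwarded to the inside host."""
    echo = Packet("icmp", ISP_EDGE, router_addr, icmp_type="echo")
    action, idx = acl_decision(acl, echo)
    translated, _ = inbound_translate(entries, echo)
    return {"acl": action, "acl_entry": idx, "delivered_to": translated.dst,
            "router_answers": action == "permit" and translated.dst == router_addr}


# The customer's ACL 110 exactly as posted in the thread.
ACL_110 = [parse_ace(line) for line in (
    "access-list 110 permit tcp any host 10.10.10.1 eq smtp",
    "access-list 110 permit tcp any any",
    "access-list 110 permit ip any any",
)]
FULL_STATIC = [StaticNat(INSIDE_HOST, CUSTOMER_WAN)]             # first post: one-to-one
PORT_STATIC = [StaticNat(INSIDE_HOST, CUSTOMER_WAN, "tcp", 25)]  # what finally worked

if __name__ == "__main__":
    print("one-to-one static:", router_answers_ping(FULL_STATIC, ACL_110))
    print("tcp/25-only static:", router_answers_ping(PORT_STATIC, ACL_110))
```

Running it shows the ACL was never the blocker: the echo falls through to `permit ip any any`, which already covers ICMP, and the only difference between the two runs is the `delivered_to` address. It also shows the cost of the fix: with the tcp/25-only entry, nothing but SMTP reaches 192.168.0.5 from outside, which is the tighter exposure a mail server should have anyway.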

Thank you for the update.

You should not have needed a reload, just a clearing of the translation, but glad to hear it is working.

Jon

Yeah, I tried clearing the translation but it returned an error, so I ended up reloading.

I am not sure if you have control over the remote router, but they might have an access list configured on the WAN interface that blocks ICMP. We have the same setup and for testing we have to remove the ACL so the ISP router can ping our outside address.

I have control of the remote router; I manage it. The ACL which is there is:

access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any

Thanks for your reply. Can you create an access list with the NATed address as the source and the remote router's WAN address, and then debug the access list on the remote router? You can try this on both sides to confirm if ICMP packets are even reaching the endpoint. You may have already tried this.

OK, will get back; let me create the ACL as you suggest.

The ACL should be permit icmp or permit ip.
