Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
231
Views
0
Helpful
1
Replies

Problem with NAT.

rcapao
Level 1
Level 1

‎02-04-2009 05:56 PM - edited ‎03-11-2019 07:46 AM

I have a problem in a router c2811.

This router has an Isdn access to a central site using a Bri interface (wic-1b-s/t-v3).

The router has the following IOS: c2800nm-spservicesk9-mz.123-8.T8.bin.

This same router has an Internet access using an Adsl interface and at same time has an Isdn access to a customer, a client. Behind this router I have a firewall, an ASA5520.

The configuration can be seen in one file attached to this.

The problem is like this,

In the ASA, the traffic that goes to the outside is nated with the ip address of the outside interface.

In the router, the traffic that goes to the internet are not nated, but the traffic to the customer has to be nated (the client asked to be like this) with the ip address of the Isdn connection.

If I make a connection test (a “ping”) to the client internal network, from the ASA. I have no success. But if I do the same test in the router (with source in the internal interface of the router) I have success.

What I can see is that the packets are coming from the ASA and are going to the router internal interface. In the router they are nated and then are sent to the bri interface.

They are then sanded to the client internal network.

The replay to the “ping” is then sanded to my router (c2811), and I can still see this coming to my Bri interface.

The traffic, I mean, the destination ip address of the traffic is then translated to the ip address of the outside interface of the ASA…

This last thing should be happening, but it's not.

Almost the times I don't succeed in “pinging” the internal network of the client.

What I have in the ASA is:

ping outside 10.10.10.4 repeat 15

Type escape sequence to abort.

Sending 15, 100-byte ICMP Echos to 10.10.10.4, timeout is 2 seconds:

???!???????????

Success rate is 6 percent (1/15), round-trip min/avg/max = 310/310/310 ms

In the router I have this:

*Feb 3 22:58:13.044: %SEC-6-IPACCESSLOGDP: list 113 permitted icmp 10.10.10.4 -> 172.172.172.70 (0/0), 12 packets

*Feb 3 22:58:13.044: %SEC-6-IPACCESSLOGDP: list 114 permitted icmp 172.172.172.70 -> 10.10.10.4 (8/0), 15 packets

*Feb 3 22:58:13.044: %SEC-6-IPACCESSLOGDP: list 115 permitted icmp 10.10.10.4 -> 195.195.195.59 (0/0), 1 packet

In the ASA I have this routing:

route outside 0.0.0.0 0.0.0.0 195.195.195.57 1

route outside 172.172.172.98 255.255.255.255 195.195.195.57 1

Can some one help me?

I can not antherstand what is appening.

Thanks in advance,

Rui

Labels:
22803-C2811_nat_problem_1
0 Helpful
1 Reply 1

fedecotofaja
Level 1
Level 1

‎02-05-2009 03:15 PM

A few comments...

I see on the router that you're doing NAT from the Fast0/0 to the Dialer0 for the traffic that goes

to the customer side (10.10.10.0/24).

The NAT ACL must be a permit IP (not recommended to use ICMP)

I have had problems with NAT when I use the work ''any'' in the ACL. Trying replacing ''any''

with the source network address where the traffic is coming from...

For example instead of having this:

access-list 112 permit icmp any 10.10.10.0 0.0.0.255

access-list 112 permit icmp any host 172.172.173.98

access-list 112 permit ip any 10.10.10.0 0.0.0.255

access-list 112 permit ip any host 172.172.173.98

access-list 112 deny ip any any

Try the following:

access-list 112 permit ip 10.10.10.0 0.0.0.255

Let me know if it works...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card