02-04-2009 05:56 PM - edited 03-11-2019 07:46 AM
I have a problem in a router c2811.
This router has an ISDN access to a central site using a BRI interface (wic-1b-s/t-v3).
The router has the following IOS: c2800nm-spservicesk9-mz.123-8.T8.bin.
This same router has an Internet access using an ADSL interface and at the same time has an ISDN access to a customer, a client. Behind this router I have a firewall, an ASA5520.
The configuration can be seen in one file attached to this.
The problem is like this,
In the ASA, the traffic that goes to the outside is NATed with the IP address of the outside interface.
In the router, the traffic that goes to the Internet is not NATed, but the traffic to the customer has to be NATed (the client asked for it to be like this) with the IP address of the ISDN connection.
If I make a connection test (a "ping") to the client internal network from the ASA, I have no success. But if I do the same test in the router (with source in the internal interface of the router) I have success.
What I can see is that the packets are coming from the ASA and are going to the router internal interface. In the router they are NATed and then are sent to the BRI interface.
They are then sent to the client internal network.
The reply to the "ping" is then sent to my router (c2811), and I can still see this coming to my BRI interface.
The traffic, I mean, the destination IP address of the traffic is then translated to the IP address of the outside interface of the ASA...
This last thing should be happening, but it's not.
Almost all of the time I don't succeed in "pinging" the internal network of the client.
What I have in the ASA is:
ping outside 10.10.10.4 repeat 15
Type escape sequence to abort.
Sending 15, 100-byte ICMP Echos to 10.10.10.4, timeout is 2 seconds:
???!???????????
Success rate is 6 percent (1/15), round-trip min/avg/max = 310/310/310 ms
In the router I have this:
*Feb 3 22:58:13.044: %SEC-6-IPACCESSLOGDP: list 113 permitted icmp 10.10.10.4 -> 172.172.172.70 (0/0), 12 packets
*Feb 3 22:58:13.044: %SEC-6-IPACCESSLOGDP: list 114 permitted icmp 172.172.172.70 -> 10.10.10.4 (8/0), 15 packets
*Feb 3 22:58:13.044: %SEC-6-IPACCESSLOGDP: list 115 permitted icmp 10.10.10.4 -> 195.195.195.59 (0/0), 1 packet
In the ASA I have this routing:
route outside 0.0.0.0 0.0.0.0 195.195.195.57 1
route outside 172.172.172.98 255.255.255.255 195.195.195.57 1
Can someone help me?
I cannot understand what is happening.
Thanks in advance,
Rui
02-05-2009 03:15 PM
A few comments...
I see on the router that you're doing NAT from the Fast0/0 to the Dialer0 for the traffic that goes
to the customer side (10.10.10.0/24).
The NAT ACL must be a permit IP (not recommended to use ICMP)
I have had problems with NAT when I use the word "any" in the ACL. Try replacing "any"
with the source network address where the traffic is coming from...
For example instead of having this:
access-list 112 permit icmp any 10.10.10.0 0.0.0.255
access-list 112 permit icmp any host 172.172.173.98
access-list 112 permit ip any 10.10.10.0 0.0.0.255
access-list 112 permit ip any host 172.172.173.98
access-list 112 deny ip any any
Try the following:
access-list 112 permit ip
Let me know if it works...