Cisco Support Community
Community Member

After static NAT and ACL ping not successful towards customer router

Hi, I work for an ISP and have just implemented NAT and ACL, and when I try to ping the customer router I'm not able to reach it from my edge router, which is connected to the customer.

Customer Configuration below:

ip nat pool ICTD 10.10.10.1 10.10.10.2 netmask 255.255.255.252
ip nat inside source list 23 pool ICTD overload
ip nat inside source static 192.168.0.5 10.10.10.1

10.10.10.1 - 10.10.10.2 is the public IP range; the 1st IP is the same as the public IP in the static NAT.

ACL configurations

access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any

26 REPLIES
VIP Purple

What about if the following line is included:

access-list 110 permit icmp any any

or 

access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply

Are you pinging the interface directly connected to your router? The ACL is configured on your side, right?

Community Member

Yes, I'm pinging from my router directly connected to the customer. The ACL is configured on the client; on my router there is no ACL. Okay, let me try the above configs you gave.

VIP Purple

Are you using VRF under the interface facing the client?

Community Member

No VRF on the interface; it's just a subinterface.

VIP Purple

Do you see the MAC address of the neighbor interface with ARP from your router? I think you already removed the ACL and it's the same story, right?

Are you trying to ping the IP 10.10.10.1, or what is the destination? What is the IP under the client interface?

Is it possible to know the configuration of your interface and the interface on the client side?

Community Member

ip nat inside source static tcp 192.168.0.5 25 10.10.10.1 25 worked after reloading the router.

Thanks guys

VIP Purple

Thank you for the update.

Hall of Fame Super Blue

You should not have needed a reload, just a clearing of the translation, but glad to hear it is working.

Jon

Community Member

Yeah, I tried clearing the translation; it returned an error, so I ended up reloading.

Silver

I am not sure if you have control over the remote router, but they might have an access list configured on the WAN interface that blocks ICMP. We have the same setup, and for testing we have to remove the ACL so the ISP router can ping our outside address.

Community Member

I have control of the remote router; I manage it. The ACL which is there is:

access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any

Silver

Thanks for your reply. Can you create an access list with the NATed address as the source and the remote router's WAN address, and then debug the access list on the remote router? You can try this on both sides to confirm whether ICMP packets are even reaching the endpoint. You may have already tried this.

Community Member

OK, will get back; let me create the ACL as you suggest.

Community Member

ACL should be permit icmp or permit ip?

VIP Purple

You can include an any; it can be a standard ACL.

Silver

As Julio said, you just need a standard ACL. You can either use ip or icmp; it's just that icmp will be more specific.

Community Member

Even with the commands you gave me, when I apply them there is still no ping. It replies with a timeout.

Hall of Fame Super Blue

It's not clear what the problem is.

Are you saying you have applied ACL 110 inbound to the interface on the customer router that connects to you?

Perhaps if you could explain in a bit more detail.

Jon

Community Member

ISP Router>>>>>>>>>>>>>>>>>>Customer Router>>>>>>>Customer LAN

ACL 110 is applied inbound on the WAN interface for customer.

I have a static NAT for the mail server and NAT overload for internet access with two IP addresses. Of the two IP addresses used to access the internet, I also use the other IP address for mail. I guess you get it now.

Thanks

Hall of Fame Super Blue

Is the customer WAN interface using either of the public IPs used in the NAT configuration?

Jon

Community Member

Yes, I have two NATs: one with overload and another one with static one-to-one mapping. Yes, the WAN interface IP address is mapped to a private IP using static NAT. The same public IP that is used for NAT is again part of the range used for internet access.

Thank you in advance

Hall of Fame Super Blue

If the IP on the WAN interface is 10.10.10.1 then this -

"ip nat inside source static 192.168.0.5 10.10.10.1"

could stop the ping working.

If that is for mail, use a port translation instead, i.e. -

"ip nat inside source static tcp 192.168.0.5 25 10.10.10.1 25"

Jon
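
A check for the condition Jon describes, as an added example that is not part of the original thread: it scans an IOS-style configuration for a full one-to-one static NAT whose global address is also assigned to an interface, and ignores port-based static entries. The interface stanzas in the sample (names, masks, inside address) are constructed assumptions; only the NAT lines come from the thread.

```python
import re

# Constructed sample: the NAT lines are from the thread; the interface stanzas
# (names, masks, inside address) are assumptions, since the thread never shows them.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.100
 ip address 10.10.10.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
ip nat pool ICTD 10.10.10.1 10.10.10.2 netmask 255.255.255.252
ip nat inside source list 23 pool ICTD overload
ip nat inside source static 192.168.0.5 10.10.10.1
"""

IFACE = re.compile(r"^interface\s+(\S+)")
ADDR = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\d")
# Full one-to-one static: "<local> <global>" with no protocol or ports.
FULL_STATIC = re.compile(
    r"^ip nat inside source static\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)(?:\s+[a-z].*)?$")

def interface_addresses(config):
    """Map each interface IP address to the interface that owns it."""
    owners, current = {}, None
    for line in config.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR.match(line)
        if m and current:
            owners[m.group(1)] = current
    return owners

def find_interface_ip_static_nat(config):
    """Return (local, global, interface) for full static NATs on an interface IP."""
    owners = interface_addresses(config)
    findings = []
    for line in config.splitlines():
        m = FULL_STATIC.match(line.rstrip())
        if m and m.group(2) in owners:
            findings.append((m.group(1), m.group(2), owners[m.group(2)]))
    return findings

if __name__ == "__main__":
    print(find_interface_ip_static_nat(SAMPLE_CONFIG))
```
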

Community Member

Okay, let me try that. Will get back once done.

Community Member

Changed the static NAT as you suggested; still not able to ping through.

Hall of Fame Super Blue

When you say ping through, you do mean you are pinging the WAN interface IP?

Did you check the translation table to make sure the old translation was cleared?

If you are trying to ping the WAN IP then the ACL is allowing IP, so it really must be the NAT, unless of course you have a basic connectivity problem, which I am assuming you have checked.

Jon

Community Member

Yes Sir, basic connectivity has been checked; I'm pinging the WAN IP here. After the change you suggested I cleared the NAT translations. I also feel it's NAT now, since IP is allowed on the ACL.
