Unable to ping Ip Nat outside interface in core switch

khaleed00
Level 1

Hi everybody,

I’m having a problem with ip nat outside on my 6509 switch, which is connected directly to a third-party network (ARIS Network) not belonging to us. Please refer to the network diagram below. Previously, servers in DC and DR couldn’t ping 57.236.202.115 (according to ARIS Network this is their firewall IP address), but they could ping 57.236.202.123, the Gi1/15 interface on my switch that is connected to the ARIS Network, and they could also ping 57.1.27.49 in London.

Core Switch Network Diagram

 

The configuration in core switch G08, located at building A:

interface GigabitEthernet1/15
 description TO ARIS NETWORK Building A
 ip address 57.236.202.123 255.255.255.240
 ip nat outside
 udld port aggressive
!
ip nat inside source list 103 interface GigabitEthernet1/15 overload
ip route 57.1.27.49 255.255.255.255 57.236.202.115
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.255 any

 

And in core switch G07, located at building B:

interface GigabitEthernet1/11
 description TO ARIS NETWORK Building B
 ip address 57.236.202.126 255.255.255.240
 ip nat outside
 udld port aggressive
!
ip nat inside source list 103 interface GigabitEthernet1/11 overload
ip route 57.1.27.49 255.255.255.255 57.236.202.115
access-list 103 permit ip 10.10.11.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.255 any

 

 

With this ACL I can ping 57.236.202.123 (G08 Gi1/15), 57.236.202.126 (G07 Gi1/11), 57.236.202.115 (ARIS firewall) and also both servers in DC and DR. And ARIS Network can ping my interfaces 57.236.202.123 (Gi1/15) and 57.236.202.126.

 

But neither ARIS Network nor DC and DR can ping each other. They can only ping as far as interface Gi1/15 (57.236.202.123) at G08 and Gi1/11 (57.236.202.126) at G07.

 

One more thing: the servers in DC and DR and the ARIS Network can’t do a trace route to 57.236.202.115. When they do a trace route, nothing appears except asterisks all the way.

 

With the previous configuration:

Servers DC and DR:

  • Can ping 57.236.202.123
  • Can ping 57.236.202.126
  • Can ping 57.1.27.49

What they can’t do:

  • Can’t do a trace route from their servers
  • Can’t ping 57.236.202.115
 

To solve this issue I removed the existing ACL 103 and created a new ACL 103 in core switch G08 and core switch G07 as follows:

access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit ip 10.10.10.0 0.0.0.255 host 57.1.27.49 log
access-list 103 permit ip 10.10.11.0 0.0.0.255 host 57.1.27.49 log
access-list 103 permit ip 10.10.10.0 0.0.0.255 57.236.202.0 0.0.0.15 log
access-list 103 permit ip 10.10.11.0 0.0.0.255 57.236.202.0 0.0.0.15 log
access-list 103 permit ip 57.236.202.112 0.0.0.15 57.236.202.112 0.0.0.15 log

 

The result is that all servers in DC and DR can ping 57.236.202.123 and 57.236.202.115.

On the other hand, I can’t ping my own interface from core switch G08.

 

I can still ping:

  • 57.236.202.126 (G07)
  • 57.236.202.115
  • 10.10.10.XX
  • 10.10.11.XX

Can’t ping:

  • 57.236.202.123

 

However, from the G07 core switch I can still ping:

  • 57.236.202.123
  • 57.236.202.126
  • 57.236.202.115
  • 10.10.10.XX
  • 10.10.11.XX

From ARIS Network, they also can’t ping 57.236.202.123 and still can’t ping any of the servers 10.10.10.XX and 10.10.11.XX at both sites.

 

 

  • Can’t ping 57.236.202.123
  • Can’t ping 10.10.10.XX
  • Can’t ping 10.10.11.XX
  • Can’t do a trace route to the servers.

I tried removing the ACL entry "access-list 103 permit icmp any any echo", and when I did this, from G08 I can ping:

  • 57.236.202.123
  • 57.236.202.126
  • 57.236.202.115
  • 10.10.10.XX and 10.10.11.XX

However, the servers in DC and DR are unable to ping 57.236.202.115 but can still ping 57.236.202.123 and 57.1.27.49.

 

Hope somebody can help me resolve this issue. My goal is to permit:

ARIS Network:

  • Can ping 10.10.10.XX
  • Can ping 10.10.11.XX
  • Can ping 57.236.202.123 and 57.236.202.126
  • Can do a trace route to both servers in DC and DR

Servers DC and DR:

  • Can ping 57.236.202.123
  • Can ping 57.236.202.126
  • Can ping 57.236.202.115
  • Can do a trace route to 57.236.202.115

G08 and G07:

  • Can ping all IP addresses mentioned above.
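A useful check when comparing the two versions of ACL 103 above is to evaluate sample flows against each list with the same first-match, implicit-deny semantics IOS uses. The following is an added example written for this thread, not code from the original post or from Cisco: a small wildcard-mask ACL evaluator in Python. The ACL text is copied from the post (G08 versions); the sample flows and the address 57.236.202.5 are constructed. Remember that on an `ip nat inside source list` statement a "permit" result means "this packet is a candidate for translation", not "this packet is allowed through", so the evaluator reports which flows each list selects for NAT.

```python
import ipaddress

# ACL 103 as first posted on G08 (copied from the thread).
OLD_ACL = """
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
"""

# The replacement ACL 103 from the thread.
NEW_ACL = """
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit ip 10.10.10.0 0.0.0.255 host 57.1.27.49 log
access-list 103 permit ip 10.10.11.0 0.0.0.255 host 57.1.27.49 log
access-list 103 permit ip 10.10.10.0 0.0.0.255 57.236.202.0 0.0.0.15 log
access-list 103 permit ip 10.10.11.0 0.0.0.255 57.236.202.0 0.0.0.15 log
access-list 103 permit ip 57.236.202.112 0.0.0.15 57.236.202.112 0.0.0.15 log
"""

# ICMP type keywords used in the ACL, mapped to their numeric types.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((base, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-type] [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        icmp_type = None
        if rest and rest[0] != "log":
            icmp_type = ICMP_TYPES[rest[0]]
        entries.append({"action": action, "proto": proto,
                        "src": src, "dst": dst, "icmp_type": icmp_type})
    return entries


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(entries, src, dst, proto, icmp_type=None):
    """First matching entry wins; the implicit deny applies if nothing matches."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        if wildcard_match(src, e["src"]) and wildcard_match(dst, e["dst"]):
            return e["action"]
    return "deny"


# Constructed sample flows: (description, src, dst, proto, icmp_type).
SAMPLE_FLOWS = [
    ("DC server echo -> ARIS firewall", "10.10.10.5", "57.236.202.115", "icmp", 8),
    ("DR server echo -> ARIS firewall", "10.10.11.5", "57.236.202.115", "icmp", 8),
    ("ARIS firewall echo -> DC server", "57.236.202.115", "10.10.10.5", "icmp", 8),
    ("DC server TCP -> London host", "10.10.10.5", "57.1.27.49", "tcp", None),
    ("DC server TCP -> G07 outside addr", "10.10.10.5", "57.236.202.126", "tcp", None),
    ("DC server TCP -> 57.236.202.5", "10.10.10.5", "57.236.202.5", "tcp", None),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {description: (old_result, new_result)} for each sample flow."""
    old, new = parse_acl(OLD_ACL), parse_acl(NEW_ACL)
    return {d: (evaluate(old, s, t, p, i), evaluate(new, s, t, p, i))
            for d, s, t, p, i in flows}


if __name__ == "__main__":
    for desc, (old_r, new_r) in compare().items():
        print(f"{desc:38} old ACL: {old_r:6} new ACL: {new_r}")
```

Running it shows the difference that matters for the symptoms in the post: the old list selects only 10.10.10.0/24-sourced traffic, while the new list's `permit icmp any any echo` selects echo requests from any source in either direction. It also shows, for the two `57.236.202.0 0.0.0.15` entries, that a wildcard of 0.0.0.15 on a base of .0 covers .0 to .15 only, so a TCP flow to 57.236.202.126 falls through to the implicit deny under the new list.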
6 Replies

Hello.

Could you please hint why you use NAT?

Is "ARIS Network" an Internet or an MPLS (private cloud) service?

If you want ARIS Network to ping your 10.x subnets, then you just need routing with the AS, not NAT.

Hi, thanks for responding,

FYI, ARIS Network is a third-party network and is not in our control. They requested us to use ip NAT. ARIS Network is a service provider for baggage information.

Could you please explain further what you mean by routing with the AS?

 

Hello.

If ARIS insists on NAT, they won't be able to reach 10.x addresses.

What I can't understand is why you need to ping your own outside addresses (57.236.202.123 and 57.236.202.126) from inside!?

Really, it seems to me that the only thing you must be concerned with is reachability from DC/DR to ARIS Network and London.

PS: if you had an office in London with a similar configuration, I would configure GRE tunnels with native routing and not worry about ARIS.

Hi Vasilii,

So it is not possible for the ARIS network to reach 10.10.10.XX and 10.10.11.XX addresses if using ip NAT?

I need to ping my interface for troubleshooting purposes. If I can ping, or ARIS can ping, my interface 57.236.202.XX, it means the interface is alive and not down, so if there is a problem with the network we can reduce troubleshooting time.

Please refer to my first post. As I mentioned in my first post, before I changed the ACL, I and ARIS could ping interface 57.236.202.XX; after I changed the configuration only the servers can ping the interface.

We do not have an office in London. It is ARIS who has an office in London.

prajithtr_2
Level 1

I think it's not possible to ping from the ARIS network to the servers because of the PAT configuration (if it was static NAT we could do it). From core switch to core switch, try an extended ping (with a source address) and also check the routing (if it is L3 connectivity) between them. As you said, 57.236.202.115 is the firewall IP, so the firewall may not be sending ICMP replies to the servers; that we need to check with ARIS.

Regards,

Prajithtr
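The PAT-versus-static-NAT point in the reply above is easy to see in a small translation-table model. The following is an added example written for this thread, not code from the original post or from Cisco IOS: two Python classes, one modelling `overload` (PAT) on the outside interface address and one modelling a one-to-one static mapping. The outside address 57.236.202.123 and inside address 10.10.10.5 come from the thread; the static outside address 192.0.2.10, the port numbers and the ICMP identifiers are constructed placeholders. For ICMP, PAT keys on the echo identifier the way it keys on ports for TCP/UDP, so the `port` arguments stand for that identifier in the ping case.

```python
import itertools


class StaticNat:
    """Constructed model of a one-to-one static mapping inside <-> outside.
    The mapping exists permanently, so outside-initiated traffic to the
    outside address is translated to the inside host without prior traffic."""

    def __init__(self, mappings):
        self.in_to_out = dict(mappings)
        self.out_to_in = {o: i for i, o in mappings.items()}

    def outbound(self, src_ip, dst_ip):
        out = self.in_to_out.get(src_ip)
        return (out, dst_ip) if out else None

    def inbound(self, src_ip, dst_ip):
        inside = self.out_to_in.get(dst_ip)
        return (src_ip, inside) if inside else None


class PatOverload:
    """Constructed model of 'ip nat inside source list ... interface ... overload'.
    All inside hosts share one outside address; entries are created only by
    inside-initiated packets and are keyed on the translated port/identifier."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self._ports = itertools.count(first_port)
        self.table = {}  # outside_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # Reuse an existing entry for this inside socket, else allocate a port.
        for out_port, inside in self.table.items():
            if inside == (src_ip, src_port):
                return (self.outside_ip, out_port, dst_ip, dst_port)
        out_port = next(self._ports)
        self.table[out_port] = (src_ip, src_port)
        return (self.outside_ip, out_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # An unsolicited packet has no matching entry, so it is not forwarded
        # to any inside host; only replies to inside-initiated traffic match.
        if dst_ip != self.outside_ip or dst_port not in self.table:
            return None
        in_ip, in_port = self.table[dst_port]
        return (src_ip, src_port, in_ip, in_port)


def demo():
    """Return the outcomes of the scenarios discussed in the thread."""
    pat = PatOverload("57.236.202.123")
    # 1. Outside host (ARIS firewall) tries to ping an inside server first.
    unsolicited = pat.inbound("57.236.202.115", 700, "57.236.202.123", 700)
    # 2. Inside server pings the ARIS firewall; an entry is created.
    out = pat.outbound("10.10.10.5", 700, "57.236.202.115", 700)
    # 3. The echo-reply comes back to the translated identifier and is matched.
    reply = pat.inbound("57.236.202.115", 700, "57.236.202.123", out[1])
    # 4. With a static mapping, the outside host can initiate to the server.
    static = StaticNat({"10.10.10.5": "192.0.2.10"})
    static_in = static.inbound("57.236.202.115", "192.0.2.10")
    return {"pat_unsolicited": unsolicited, "pat_outbound": out,
            "pat_reply": reply, "static_inbound": static_in}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The model reproduces the reply's point: under PAT the only thing an outside host can reach on the outside address without an existing translation is the address itself, which is consistent with ARIS being able to ping the interface but not the 10.x servers, and it also shows that an echo-reply to an inside-initiated ping is translated back correctly.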

Hi Prajithtr,

Thanks for responding.

I asked ARIS network but they told me they don't filter our IP addresses. I cannot confirm whether it is true or not because, as I mentioned before, ARIS Network is not in our "jurisdiction". :(

I just want to make sure that everything is okay at our site so we can start to narrow down the problem.

 
