Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

I can SSH from the outside but cannot ping ISP gateway from 2911

Hello all,

 

I came across a rather strange issue. I am able to SSH to the device from my home but while I am consoled in, I cannot ping the ISP gateway or any other IP's. As expected, all trace-routes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample cofigs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?

 

Here is the running config. It is rather simple since i did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!

 

Current configuration : 1679 bytes
!
! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname StandbyGZ-2911
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name StandbyGZ.local
ip name-server 211.136.20.203
ip name-server 211.139.136.68
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FGL174410H9
!
!
username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
!
!
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description UPLINK TO CHINA MOBILE
 ip address 183.x.x.x 255.255.255.128
 ip access-group REMOTE-ADMIN-ACL in
 no ip redirects
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description CONNECTION TO LAN SWITCH 3650-CORE
 ip address 10.10.1.254 255.255.254.0
 no ip redirects
 ip nat enable
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 183.x.x.x
!
ip access-list standard LAN-NAT-ACL
 permit 10.10.0.0 0.0.1.255
!
ip access-list extended REMOTE-ADMIN-ACL
 permit tcp host 68.107.195.213 any eq 22 log
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
end

 


StandbyGZ-2911# sh ip int br
Interface                            IP-Address        OK?   Method      Status                  Protocol
GigabitEthernet0/0         unassigned        YES    NVRAM     administratively  down down
GigabitEthernet0/1         183.x.x.x             YES    NVRAM     up                         up
GigabitEthernet0/2         10.10.1.254       YES    NVRAM     up                         up
NVI0                                 183.x.x.x             YES    unset          up                         up

 


StandbyGZ-2911#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 183.233.184.129 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 183.233.184.129
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.0.0/23 is directly connected, GigabitEthernet0/2
L        10.10.1.254/32 is directly connected, GigabitEthernet0/2
      183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        183.x.x.x/25 is directly connected, GigabitEthernet0/1
L        183.x.x.x/32 is directly connected, GigabitEthernet0/1

4 REPLIES

Don't you have to define the

Don't you have to define the nat inside and outside interface?

Interface g0/1

ip nat outside

interface g0/2

ip nat inside

New Member

Hi Chris,That is what how I

Hi Chris,

That is what how I am used to configure the NAT, but IOS 12.3 and on introduced interface NVI0, which according to cisco documentation should make applying the NAT statements "easier". IP nat enable has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and if it causes problems. Apparently it cannot be removed from the config. 

could it be the fact that you

could it be the fact that you have an ACL for ssh but you don't permit ICMP in?

ip access-list extended REMOTE-ADMIN-ACL
 permit tcp host 68.107.195.213 any eq 22 log

 

implicit deny?

I've never used that then, I

I've never used that then, I've used the nat inside outside and object based nat on Asa firewalls never using nvi0

163
Views
0
Helpful
4
Replies