
Unable to ping the public IP from remote.

Beast6
Level 1

Hello,

My remote IPs are on the 200.20.x.x network; each private IP is NATed (ip nat inside) to a public IP address on my core router. From my core, I was able to ping all the remote sites 200.20.x.x but unable to ping the public IPs. From my remote, I was not able to ping the public IP either. How can I resolve the issue? One of my customers is asking to ping the public IP associated with the remote from one of his public IPs.

When I do a traceroute from the remote router, it reaches my interface 10.10.2.4 and goes to the gateway 10.10.2.1, then it remains in a loop between those two. And when I ping the public IP:

btc@Vision:~$ ping 57.68.x.x
PING 57.68.x.x (57.68.x.x) 56(84) bytes of data.
From 10.10.2.4 icmp_seq=1 Time to live exceeded
From 10.10.2.4 icmp_seq=2 Time to live exceeded
From 10.10.2.4 icmp_seq=3 Time to live exceeded

 

I posted my config below; please advise how to resolve the issue.

Thanks in advance.

class-map type inspect match-any E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP
match access-group name E_FW_OUTSIDE_TO_SLF_ACL_04
class-map type inspect match-any E_FW_SLF_TO_OUTSIDE_98_CLASS_MAP
match access-group name E_FW_SLF_TO_OUTSIDE_ACL_06
class-map type inspect match-all E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP
match access-group name E_FW_INSIDE_TO_OUTSIDE_ACL_01
class-map type inspect match-any E_FW_OUTSIDE_TO_INSIDE_CLASS_MAP
match access-group name E_FW_OUTSIDE_TO_INSIDE_ACL_03
class-map type inspect match-any E_FW_INSIDE_TO_SLF_98_CLASS_MAP
match access-group name E_FW_INSIDE_TO_SLF_ACL_02
class-map type inspect match-any E_FW_SLF_TO_INSIDE_98_CLASS_MAP
match access-group name E_FW_SLF_TO_INSIDE_ACL_05
!
policy-map type inspect E_FW_OUTSIDE_TO_INSIDE_POLICY_MAP
class type inspect E_FW_OUTSIDE_TO_INSIDE_CLASS_MAP
inspect E_FW_GLOBAL_PARAMETER_MAP
class class-default
drop log
policy-map type inspect E_FW_INSIDE_TO_SLF_POLICY_MAP
class type inspect E_FW_INSIDE_TO_SLF_98_CLASS_MAP
pass
class class-default
drop log
policy-map type inspect E_FW_INSIDE_TO_OUTSIDE_POLICY_MAP
class type inspect E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP
inspect E_FW_GLOBAL_PARAMETER_MAP
class class-default
drop log
policy-map type inspect E_FW_SLF_TO_OUTSIDE_POLICY_MAP
class type inspect E_FW_SLF_TO_OUTSIDE_98_CLASS_MAP
pass
class class-default
drop log
policy-map type inspect E_FW_OUTSIDE_TO_SLF_POLICY_MAP
class type inspect E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP
pass
class class-default
drop log
policy-map type inspect E_FW_SLF_TO_INSIDE_POLICY_MAP
class type inspect E_FW_SLF_TO_INSIDE_98_CLASS_MAP
pass
class class-default
drop log
!
zone security E_FW_INSIDE_ZONE
description --- CUSTOMER_ZONE_ACCESS_SECURITY_ZONE
zone security E_FW_OUTSIDE_ZONE
description --- OUTSIDE ZONE_ACCESS_SECURITY_ZONE
zone-pair security E_FW_ZON_PAIR_INSIDE_TO_OUTSIDE source E_FW_INSIDE_ZONE destination E_FW_OUTSIDE_ZONE
description --- CUSTOMER_ZONE_INTERNET_ACCESS_ZONE_PAIRING
service-policy type inspect E_FW_INSIDE_TO_OUTSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_INSIDE_TO_SLF source E_FW_INSIDE_ZONE destination self
description --- Customer LAN to Router originated traffic
service-policy type inspect E_FW_INSIDE_TO_SLF_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_OUTSIDE_TO_INSIDE source E_FW_OUTSIDE_ZONE destination E_FW_INSIDE_ZONE
description --- OUTSIDE ZONE_INTERNET_ACCESS_ZONE_PAIRING
service-policy type inspect E_FW_OUTSIDE_TO_INSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_OUTSIDE_TO_SLF source E_FW_OUTSIDE_ZONE destination self
description --- Public internet to router originated traffic
service-policy type inspect E_FW_OUTSIDE_TO_SLF_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_SLF_TO_INSIDE source self destination E_FW_INSIDE_ZONE
description --- Router originated traffic to customer LAN
service-policy type inspect E_FW_SLF_TO_INSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_SLF_TO_OUTSIDE source self destination E_FW_OUTSIDE_ZONE
description --- Router to IPSN
service-policy type inspect E_FW_SLF_TO_OUTSIDE_POLICY_MAP
!
interface Loopback1
ip address 10.100.100.1 255.255.255.255
zone-member security E_FW_INSIDE_ZONE
!
interface Tunnel0
ip address X.X.1.1 255.255.255.0
zone-member security E_FW_INSIDE_ZONE
ip ospf network point-to-point
ip ospf mtu-ignore
tunnel source X.X.90.1
tunnel destination X.X.X.X
tunnel protection ipsec profile BTCcisco20
!
interface Tunnel7
description BTC_Maersk_Seay_VPN_IPsec
ip address X.X.7.1 255.255.255.0
ip mtu 1436
zone-member security E_FW_INSIDE_ZONE
ip ospf network point-to-point
ip ospf dead-interval 40
ip ospf retransmit-interval 10
ip ospf transmit-delay 10
ip ospf mtu-ignore
keepalive 3600 3
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination X.X.22.34
tunnel protection ipsec profile BTCcisco20
!
interface Tunnel8
description 
ip address X.X.8.1 255.255.255.0
ip mtu 1436
zone-member security E_FW_INSIDE_ZONE
ip ospf network point-to-point
ip ospf dead-interval 40
ip ospf retransmit-interval 10
ip ospf transmit-delay 10
ip ospf mtu-ignore
keepalive 3600 3
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination X.X.20.22
tunnel protection ipsec profile BTCcisco20
!
interface GigabitEthernet0/0/0
description Management_Interface
no ip address
ip nbar protocol-discovery
zone-member security E_FW_INSIDE_ZONE
negotiation auto
!
interface GigabitEthernet0/0/1
description 
ip address 10.10.2.4 255.255.255.240
ip nat inside
zone-member security E_FW_INSIDE_ZONE
negotiation auto
vrrp 10 description MPLS_VRRP_MASTER
vrrp 10 ip 10.10.2.2
vrrp 10 timers advertise msec 300
vrrp 10 preempt delay minimum 10
vrrp 10 priority 110
vrrp 10 track 99 decrement 20
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
no ip address
zone-member security E_FW_OUTSIDE_ZONE
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2.700
encapsulation dot1Q 700 native
ip address X.X.90.4 255.255.255.240
ip nat outside
zone-member security E_FW_OUTSIDE_ZONE
vrrp 15 description INTERNET_VRRP_MASTER
vrrp 15 ip X.X.90.1
vrrp 15 timers advertise msec 300
vrrp 15 preempt delay minimum 10
vrrp 15 priority 110
vrrp 15 track 99 decrement 20
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
router ospf 1881
network X.X.7.0 0.0.0.255 area 0
network X.X.8.0 0.0.0.255 area 0
network X.X.1.0 0.0.0.255 area 0
!
ip nat inside source static tcp X.X.20.114 443 X.X.90.18 443 extendable
ip nat inside source static tcp X.X.20.114 514 X.X.90.18 514 extendable
ip nat inside source static udp X.X.20.114 514 X.X.90.18 514 extendable
ip nat inside source static tcp X.X.20.118 443 X.X.90.19 443 extendable
ip nat inside source static tcp X.X.20.118 514 X.X.90.19 514 extendable
ip nat inside source static udp X.X.20.118 514 X.X.90.19 514 extendable
ip nat inside source static tcp X.X.20.122 443 X.X.90.20 443 extendable
ip nat inside source static tcp X.X.20.122 514 X.X.90.20 514 extendable
ip nat inside source static udp X.X.20.122 514 X.X.90.20 514 extendable
ip nat inside source static tcp X.X.20.126 443 X.X.90.21 443 extendable
ip nat inside source static tcp X.X.20.126 514 X.X.90.21 514 extendable
ip nat inside source static udp X.X.20.126 514 X.X.90.21 514 extendable
ip nat inside source static tcp X.X.22.66 554 X.X.90.22 554 extendable
ip nat inside source static tcp X.X.22.66 9200 X.X.90.22 9200 extendable
ip nat inside source static tcp X.X.22.66 9201 X.X.90.22 9201 extendable
ip nat inside source static tcp X.X.22.50 443 X.X.90.23 443 extendable
ip nat inside source static tcp X.X.22.50 514 X.X.90.23 514 extendable
ip nat inside source static udp X.X.22.50 514 X.X.90.23 514 extendable
ip nat inside source static tcp X.X.20.42 443 X.X.90.24 443 extendable
ip nat inside source static tcp X.X.20.42 514 X.X.90.24 514 extendable
ip nat inside source static udp X.X.20.42 514 X.X.90.24 514 extendable
ip nat inside source static tcp X.X.20.62 443 X.X.90.25 443 extendable
ip nat inside source static tcp X.X.20.62 514 X.X.90.25 514 extendable
ip nat inside source static udp X.X.20.62 514 X.X.90.25 514 extendable
ip nat inside source static tcp X.X.20.98 554 X.X.90.26 554 extendable
ip nat inside source static tcp X.X.20.98 9200 X.X.90.26 9200 extendable
ip nat inside source static tcp X.X.20.98 22609 X.X.90.26 22609 extendable
ip nat inside source static udp X.X.20.98 22609 X.X.90.26 22609 extendable
ip nat inside source static tcp X.X.20.74 554 X.X.90.27 554 extendable
ip nat inside source static tcp X.X.20.74 9200 X.X.90.27 9200 extendable
ip nat inside source static tcp X.X.20.74 22609 X.X.90.27 22609 extendable
ip nat inside source static udp X.X.20.74 22609 X.X.90.27 22609 extendable
ip nat inside source static tcp X.X.20.82 554 X.X.90.28 554 extendable
ip nat inside source static tcp X.X.20.82 9200 X.X.90.28 9200 extendable
ip nat inside source static tcp X.X.20.82 22609 X.X.90.28 22609 extendable
ip nat inside source static udp X.X.20.82 22609 X.X.90.28 22609 extendable
ip nat inside source static tcp X.X.22.78 22609 X.X.90.29 443 extendable
ip nat inside source static tcp X.X.22.78 554 X.X.90.29 554 extendable
ip nat inside source static tcp X.X.22.78 9200 X.X.90.29 9200 extendable
ip nat inside source static tcp X.X.22.78 22609 X.X.90.29 22609 extendable
ip nat inside source static udp X.X.22.78 22609 X.X.90.29 22609 extendable
ip nat inside source static tcp X.X.20.26 554 X.X.90.30 554 extendable
ip nat inside source static tcp X.X.20.26 9200 X.X.90.30 9200 extendable
ip nat inside source static tcp X.X.20.26 22609 X.X.90.30 22609 extendable
ip nat inside source static udp X.X.20.26 22609 X.X.90.30 22609 extendable
ip nat inside source static tcp X.X.21.206 443 X.X.90.31 443 extendable
ip nat inside source static tcp X.X.21.206 514 X.X.90.31 514 extendable
ip nat inside source static udp X.X.21.206 514 X.X.90.31 514 extendable
ip nat inside source static tcp X.X.20.158 443 X.X.90.32 443 extendable
ip nat inside source static tcp X.X.20.158 514 X.X.90.32 514 extendable
ip nat inside source static udp X.X.20.158 514 X.X.90.32 514 extendable
ip nat inside source static tcp X.X.20.58 443 X.X.90.33 443 extendable
ip nat inside source static tcp X.X.20.58 514 X.X.90.33 514 extendable
ip nat inside source static udp X.X.20.58 514 X.X.90.33 514 extendable
ip nat inside source static tcp X.X.21.102 554 X.X.90.34 554 extendable
ip nat inside source static tcp X.X.21.102 9200 X.X.90.34 9200 extendable
ip nat inside source static tcp X.X.21.102 22609 X.X.90.34 22609 extendable
ip nat inside source static udp X.X.21.102 22609 X.X.90.34 22609 extendable
ip nat inside source static tcp X.X.20.70 554 X.X.90.35 554 extendable
ip nat inside source static tcp X.X.20.70 9200 X.X.90.35 9200 extendable
ip nat inside source static tcp X.X.20.70 22609 X.X.90.35 22609 extendable
ip nat inside source static udp X.X.20.70 22609 X.X.90.35 22609 extendable
ip nat inside source static tcp X.X.20.142 554 X.X.90.36 554 extendable
ip nat inside source static tcp X.X.20.142 9200 X.X.90.36 9200 extendable
ip nat inside source static tcp X.X.20.142 22609 X.X.90.36 22609 extendable
ip nat inside source static udp X.X.20.142 22609 X.X.90.36 22609 extendable
ip nat inside source static tcp X.X.20.138 554 X.X.90.37 554 extendable
ip nat inside source static tcp X.X.20.138 9200 X.X.90.37 9200 extendable
ip nat inside source static tcp X.X.20.138 22609 X.X.90.37 22609 extendable
ip nat inside source static udp X.X.20.138 22609 X.X.90.37 22609 extendable
ip nat inside source static tcp X.X.20.90 554 X.X.90.38 554 extendable
ip nat inside source static tcp X.X.20.90 9200 X.X.90.38 9200 extendable
ip nat inside source static tcp X.X.20.90 22609 X.X.90.38 22609 extendable
ip nat inside source static udp X.X.20.90 22609 X.X.90.38 22609 extendable
ip nat inside source static tcp X.X.20.106 554 X.X.90.39 554 extendable
ip nat inside source static tcp X.X.20.106 9200 X.X.90.39 9200 extendable
ip nat inside source static tcp X.X.20.106 22609 X.X.90.39 22609 extendable
ip nat inside source static udp X.X.20.106 22609 X.X.90.39 22609 extendable
ip nat inside source static tcp X.X.20.110 554 X.X.90.40 554 extendable
ip nat inside source static tcp X.X.20.110 9200 X.X.90.40 9200 extendable
ip nat inside source static tcp X.X.20.110 22609 X.X.90.40 22609 extendable
ip nat inside source static udp X.X.20.110 22609 X.X.90.40 22609 extendable
ip nat inside source static tcp X.X.21.222 554 X.X.90.41 554 extendable
ip nat inside source static tcp X.X.21.222 9200 X.X.90.41 9200 extendable
ip nat inside source static tcp X.X.21.222 22609 X.X.90.41 22609 extendable
ip nat inside source static udp X.X.21.222 22609 X.X.90.41 22609 extendable
ip nat inside source static tcp X.X.20.102 554 X.X.90.42 554 extendable
ip nat inside source static tcp X.X.20.102 9200 X.X.90.42 9200 extendable
ip nat inside source static tcp X.X.20.102 22609 X.X.90.42 22609 extendable
ip nat inside source static udp X.X.20.102 22609 X.X.90.42 22609 extendable
ip nat inside source static tcp X.X.20.94 554 X.X.90.43 554 extendable
ip nat inside source static tcp X.X.20.94 9200 X.X.90.43 9200 extendable
ip nat inside source static tcp X.X.20.94 22609 X.X.90.43 22609 extendable
ip nat inside source static udp X.X.20.94 22609 X.X.90.43 22609 extendable
ip nat inside source static tcp X.X.20.86 554 X.X.90.44 554 extendable
ip nat inside source static tcp X.X.20.86 9200 X.X.90.44 9200 extendable
ip nat inside source static tcp X.X.20.86 22609 X.X.90.44 22609 extendable
ip nat inside source static udp X.X.20.86 22609 X.X.90.44 22609 extendable
ip nat inside source static tcp X.X.21.242 554 X.X.90.50 554 extendable
ip nat inside source static tcp X.X.21.242 9200 X.X.90.50 9200 extendable
ip nat inside source static tcp X.X.21.242 22609 X.X.90.50 22609 extendable
ip nat inside source static udp X.X.21.242 22609 X.X.90.50 22609 extendable
ip nat inside source static tcp X.X.22.26 1610 X.X.90.51 1610 extendable
ip nat inside source static udp X.X.22.26 1610 X.X.90.51 1610 extendable
ip nat inside source static tcp X.X.22.26 1611 X.X.90.51 1611 extendable
ip nat inside source static udp X.X.22.26 1611 X.X.90.51 1611 extendable
ip nat inside source static tcp X.X.22.22 1610 X.X.90.52 1610 extendable
ip nat inside source static udp X.X.22.22 1610 X.X.90.52 1610 extendable
ip nat inside source static tcp X.X.22.22 1611 X.X.90.52 1611 extendable
ip nat inside source static udp X.X.22.22 1611 X.X.90.52 1611 extendable
ip nat inside source static tcp X.X.22.58 1610 X.X.90.53 1610 extendable
ip nat inside source static udp X.X.22.58 1610 X.X.90.53 1610 extendable
ip nat inside source static tcp X.X.22.58 1611 X.X.90.53 1611 extendable
ip nat inside source static udp X.X.22.58 1611 X.X.90.53 1611 extendable
ip nat inside source static tcp X.X.22.18 1610 X.X.90.54 1610 extendable
ip nat inside source static udp X.X.22.18 1610 X.X.90.54 1610 extendable
ip nat inside source static tcp X.X.22.18 1611 X.X.90.54 1611 extendable
ip nat inside source static udp X.X.22.18 1611 X.X.90.54 1611 extendable
ip nat inside source static tcp X.X.22.54 1610 X.X.90.55 1610 extendable
ip nat inside source static udp X.X.22.54 1610 X.X.90.55 1610 extendable
ip nat inside source static tcp X.X.22.54 1611 X.X.90.55 1611 extendable
ip nat inside source static udp X.X.22.54 1611 X.X.90.55 1611 extendable
ip nat inside source static tcp X.X.20.78 554 X.X.90.56 554 extendable
ip nat inside source static tcp X.X.20.78 9200 X.X.90.56 9200 extendable
ip nat inside source static tcp X.X.20.78 22609 X.X.90.56 22609 extendable
ip nat inside source static udp X.X.20.78 22609 X.X.90.56 22609 extendable
ip nat inside source static tcp X.X.22.122 554 X.X.90.57 554 extendable
ip nat inside source static tcp X.X.22.122 9200 X.X.90.57 9200 extendable
ip nat inside source static tcp X.X.22.122 22609 X.X.90.57 22609 extendable
ip nat inside source static udp X.X.22.122 22609 X.X.90.57 22609 extendable
ip nat inside source static tcp X.X.22.126 554 X.X.90.58 554 extendable
ip nat inside source static tcp X.X.22.126 9200 X.X.90.58 9200 extendable
ip nat inside source static tcp X.X.22.126 22609 X.X.90.58 22609 extendable
ip nat inside source static udp X.X.22.126 22609 X.X.90.58 22609 extendable
ip nat inside source static tcp X.X.22.134 554 X.X.90.59 554 extendable
ip nat inside source static tcp X.X.22.134 9200 X.X.90.59 9200 extendable
ip nat inside source static tcp X.X.22.134 22609 X.X.90.59 22609 extendable
ip nat inside source static udp X.X.22.134 22609 X.X.90.59 22609 extendable
ip nat inside source static tcp X.X.22.98 443 X.X.90.60 443 extendable
ip nat inside source static tcp X.X.22.98 514 X.X.90.60 514 extendable
ip nat inside source static udp X.X.22.98 514 X.X.90.60 514 extendable
ip nat inside source static tcp X.X.22.130 554 X.X.90.61 554 extendable
ip nat inside source static tcp X.X.22.130 9200 X.X.90.61 9200 extendable
ip nat inside source static tcp X.X.22.130 22609 X.X.90.61 22609 extendable
ip nat inside source static udp X.X.22.130 22609 X.X.90.61 22609 extendable
ip nat inside source static tcp X.X.21.142 554 X.X.90.62 554 extendable
ip nat inside source static tcp X.X.21.142 9200 X.X.90.62 9200 extendable
ip nat inside source static tcp X.X.21.142 22609 X.X.90.62 22609 extendable
ip nat inside source static udp X.X.21.142 22609 X.X.90.62 22609 extendable
ip nat inside source static tcp X.X.21.142 37777 X.X.90.62 37777 extendable
ip nat inside source static tcp X.X.21.142 37778 X.X.90.62 37778 extendable
ip nat inside source static udp X.X.21.142 37778 X.X.90.62 37778 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/2.700 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.90.2
ip route 10.10.2.0 255.255.255.240 10.10.2.1
ip route 10.40.1.0 255.255.255.0 10.10.2.1
ip route 10.96.1.0 255.255.255.0 10.10.2.1
ip route X.X.90.16 255.255.255.240 10.10.2.1
ip route X.X.90.32 255.255.255.240 10.10.2.1
ip route X.X.90.48 255.255.255.240 10.10.2.1
ip route X.X.90.64 255.255.255.240 10.10.2.1
ip route X.X.20.0 255.255.255.0 10.10.2.1
ip route X.X.21.0 255.255.255.0 10.10.2.1
ip route X.X.22.0 255.255.255.0 10.10.2.1
ip ssh port 2222 rotary 1
ip ssh version 2
!
!
ip access-list extended E_FW_INSIDE_TO_OUTSIDE_ACL_01
permit ip X.X.20.0 0.0.0.255 any log
permit ip X.X.21.0 0.0.0.255 any
permit ip X.X.22.0 0.0.0.255 any
permit ip X.X.90.16 0.0.0.15 any
permit ip X.X.90.32 0.0.0.15 any
permit ip X.X.90.48 0.0.0.15 any
permit ip X.X.90.64 0.0.0.15 any
deny udp any any eq 10001 log
ip access-list extended E_FW_INSIDE_TO_SLF_ACL_02
permit tcp any eq 2222 any
permit tcp any eq 22609 any
permit udp host 10.10.2.2 any
permit udp host 10.10.2.4 any
permit ip host 10.40.1.250 any
permit icmp host 57.216.254.148 any
permit icmp host 57.216.254.145 any
permit icmp host 57.209.227.205 any
permit icmp host 57.209.227.206 any
permit icmp host 10.10.2.1 any
permit icmp X.X.20.0 0.0.0.255 any
permit icmp X.X.21.0 0.0.0.255 any
permit icmp X.X.22.0 0.0.0.255 any
permit udp X.X.20.0 0.0.0.255 any
permit udp X.X.21.0 0.0.0.255 any
permit udp X.X.22.0 0.0.0.255 any
permit udp X.X.1.0 0.0.0.255 any
permit tcp X.X.1.0 0.0.0.255 any
permit ospf host X.X.8.2 host X.X.8.1
permit icmp host X.X.8.2 host X.X.8.1
permit icmp host X.X.8.2 10.10.7.0 0.0.0.255
permit udp X.X.8.0 0.0.0.255 any
permit esp host X.X.20.22 host 10.10.2.2
permit icmp X.X.90.16 0.0.0.15 any
permit icmp X.X.90.32 0.0.0.15 any
permit icmp X.X.90.48 0.0.0.15 any
permit icmp X.X.90.64 0.0.0.15 any
permit udp X.X.90.16 0.0.0.15 any
permit udp X.X.90.32 0.0.0.15 any
permit udp X.X.90.48 0.0.0.15 any
permit udp X.X.90.64 0.0.0.15 any
permit ip host 10.10.2.1 any
permit ospf host X.X.7.2 host X.X.7.1
permit icmp host X.X.7.2 host X.X.7.1
permit icmp host X.X.7.2 10.10.7.0 0.0.0.255
permit udp X.X.7.0 0.0.0.255 any
permit esp host X.X.22.34 host 10.10.2.2
permit icmp host X.X.1.2 host X.X.1.1
permit icmp 10.10.5.0 0.0.0.255 any
ip access-list extended E_FW_OUTSIDE_TO_INSIDE_ACL_03
permit tcp any eq 5060 any
permit udp any eq 5060 any
permit udp any range 1000 1100 any
permit tcp any eq 465 any
permit icmp host X.X.90.2 any
permit ip host 206.16.60.70 X.X.20.0 0.0.0.255
permit ip host 206.16.60.70 X.X.21.0 0.0.0.255
permit ip host 206.16.60.70 X.X.22.0 0.0.0.255
permit tcp host 54.84.182.84 X.X.20.0 0.0.0.255
permit tcp host 54.84.182.84 X.X.21.0 0.0.0.255
permit tcp host 54.84.182.84 X.X.22.0 0.0.0.255
permit icmp host 72.198.133.5 any
permit ip host 70.186.254.52 any
permit ip host 50.58.27.183 any
permit tcp host 72.215.150.212 X.X.22.0 0.0.0.255
permit icmp host 72.215.150.212 any
permit ip host 72.215.150.212 X.X.22.0 0.0.0.255
permit udp any range 10002 20000 any
permit ip host 12.109.9.58 X.X.21.0 0.0.0.255
permit ip host 209.163.240.162 X.X.21.0 0.0.0.255
permit ip host 166.166.130.13 X.X.21.0 0.0.0.255
permit ip host 98.198.144.47 X.X.21.0 0.0.0.255
permit ip host 12.35.94.3 X.X.21.0 0.0.0.255
permit tcp host 12.109.9.58 X.X.21.0 0.0.0.255
permit tcp host 209.163.240.162 X.X.21.0 0.0.0.255
permit tcp host 166.166.130.13 X.X.21.0 0.0.0.255
permit tcp host 98.198.144.47 X.X.21.0 0.0.0.255
permit tcp host 12.35.94.3 X.X.21.0 0.0.0.255
permit udp host 12.109.9.58 X.X.21.0 0.0.0.255 eq 37778
permit udp host 209.163.240.162 X.X.21.0 0.0.0.255 eq 37778
permit udp host 166.166.130.13 X.X.21.0 0.0.0.255 eq 37778
permit udp host 98.198.144.47 X.X.21.0 0.0.0.255 eq 37778
permit udp host 12.35.94.3 X.X.21.0 0.0.0.255 eq 37778
permit tcp any range 37777 37778 any
permit tcp host 12.109.9.58 X.X.21.0 0.0.0.255 eq www
permit tcp host 209.163.240.162 X.X.21.0 0.0.0.255 eq www
permit tcp host 166.166.130.13 X.X.21.0 0.0.0.255 eq www
permit tcp host 98.198.144.47 X.X.21.0 0.0.0.255 eq www
permit tcp host 12.35.94.3 X.X.21.0 0.0.0.255 eq www
ip access-list extended E_FW_OUTSIDE_TO_SLF_ACL_04
permit ip host 70.186.254.52 any
permit udp host 98.188.216.148 any
permit udp host X.X.X.X eq isakmp any
permit udp host 50.58.27.183 eq 5060 any
permit tcp host 98.188.216.149 eq 8880 any
permit tcp host 72.198.133.5 eq 8880 any
permit tcp host 206.16.60.70 any
permit ip host X.X.X.X any log
permit icmp 70.188.92.0 0.0.0.255 any
deny ip X.X.20.0 0.0.0.255 any
deny ip X.X.21.0 0.0.0.255 any
deny ip X.X.22.0 0.0.0.255 any
deny ip X.X.90.16 0.0.0.15 any
deny ip X.X.90.32 0.0.0.15 any
deny ip X.X.90.48 0.0.0.15 any
deny ip X.X.90.64 0.0.0.15 any
deny ip 10.96.1.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
permit ip host X.X.90.3 any
permit ip host X.X.90.2 any
deny ip X.X.0.0 0.15.255.255 any
ip access-list extended E_FW_SLF_TO_INSIDE_ACL_05
permit tcp any eq 2222 any
permit ip host 10.10.2.2 any
permit ip host 10.10.2.4 any
permit icmp host X.X.8.1 10.10.4.0 0.0.0.255
permit ip host 10.10.2.2 host X.X.20.22
permit ip host X.X.90.1 any
permit ip host X.X.90.4 any
permit ip host X.X.1.1 host X.X.1.2
permit icmp host X.X.7.1 10.10.5.0 0.0.0.255
ip access-list extended E_FW_SLF_TO_OUTSIDE_ACL_06
permit tcp any eq 2222 any
permit udp any eq snmp any
permit ip host X.X.90.1 any
permit ip host X.X.90.4 any
permit icmp host 10.10.2.2 host 50.58.27.183
permit icmp host 10.10.2.2 host 54.84.182.84
permit icmp host 10.10.2.2 host 70.186.254.52
permit icmp host 10.10.2.4 host 50.58.27.183
permit icmp host 10.10.2.4 host 54.84.182.84
permit icmp host 10.10.2.4 host 70.186.254.52
permit icmp host 10.10.2.4 host 72.215.150.212
deny udp any any eq 10001
ip access-list extended NAT_ACL
permit ip X.X.90.16 0.0.0.15 any
permit ip X.X.90.32 0.0.0.15 any
permit ip X.X.90.48 0.0.0.15 any
permit ip X.X.90.64 0.0.0.15 any
permit ip X.X.20.0 0.0.0.255 any
permit ip X.X.21.0 0.0.0.255 any
permit ip X.X.22.0 0.0.0.255 any
!
ip sla 20
icmp-echo 10.10.2.1
ip sla schedule 20 life forever start-time now
ip sla 25
icmp-echo X.X.90.2
ip sla schedule 25 life forever start-time now
logging history alerts
logging source-interface GigabitEthernet0/0/2.700
access-list 199 deny tcp any any eq telnet
access-list 199 deny tcp any any eq www log
access-list 199 deny tcp any any eq 22
access-list 199 permit ip any any
access-list 199 remark -- ACL restricting 22/23, redirect to ssh port 2222

4 Replies

So you are pinging from 10.10.2.4 to 57.68.x.x

10.10.2.4 is interface GigabitEthernet0/0/1 in zone E_FW_INSIDE_ZONE, which zone would 57.68.x.x be? OUTSIDE?
If that is the case you should probably inspect icmp from inside to outside, which should permit the return traffic.

If that doesn't work please provide a topology diagram, indicating where each device would reside so we can determine the correct zone pair.

HTH

No, I am pinging from my remote site which is 200.20.x.x.

My 57.68.x.x is OUTSIDE.

 

interface GigabitEthernet0/0/2.700
encapsulation dot1Q 700 native
ip address 57.68.x.x 255.255.255.240
ip nat outside
zone-member security E_FW_OUTSIDE_ZONE
vrrp 15 description INTERNET_VRRP_MASTER
vrrp 15 ip 57.68.x.x
vrrp 15 timers advertise msec 300
vrrp 15 preempt delay minimum 10
vrrp 15 priority 110
vrrp 15 track 99 decrement 20
ip virtual-reassembly

 

 

Ok, so if 200.20.x.x is a remote site then you need to permit icmp from OUTSIDE to SELF, in order to ping the outside interface.

Thanks, I will try that.

 

Let me give some more info.

200.20.x.x - remote IP

10.10.2.1- MPLS - Gateway 

interface GigabitEthernet0/0/1
description 
ip address 10.10.2.4 255.255.255.240
ip nat inside
zone-member security E_FW_INSIDE_ZONE
negotiation auto
vrrp 10 description MPLS_VRRP_MASTER
vrrp 10 ip 10.10.2.2
vrrp 10 timers advertise msec 300
vrrp 10 preempt delay minimum 10
vrrp 10 priority 110
vrrp 10 track 99 decrement 20
ip virtual-reassembly

 

57.68.x.x/24 - Public IP's.

 

We are doing ip nat inside on the core router for all our 200.20.x.x IPs with one of the public IPs.

From the core router, I can ping all my remote IPs 200.20.x.x and I can traceroute as well.

But when I try to ping my assigned public IP from the remote sites:

traceroute 57.68.x.x

it reaches gig0/0/2/700  

goes to 10.10.2.4 gig0/0/1 - MPLS

then goes to my gateway 10.10.2.1 and then it will be in a loop between 10.10.2.4 and 10.10.2.1.

 

Do I need ip nat outside, or will it be resolved with permit ICMP from OUTSIDE to SELF?

#permit icmp host 57.68.x.x any - will this work?

 

Thanks in advance.
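
As an added example (not part of any post in this thread, and not Cisco's code), here is a small Python model of the two lookups the posted config implies for a packet arriving on the outside interface: the static port-forward table first, then the static routes. Addresses in 203.0.113.0/24 and 192.0.2.0/24 are constructed stand-ins for the masked X.X prefixes, only one host's NAT entries are copied in shape, and zone-based firewall policy is not modelled.

```python
import ipaddress

# Constructed stand-ins: the thread masks its real prefixes as X.X, so
# 203.0.113.0/24 plays the public block and 192.0.2.0/24 the inside hosts.
INSIDE_GATEWAY = "10.10.2.1"  # MPLS gateway named in the thread

# Shape of the posted "ip nat inside source static <proto> ... extendable"
# lines: (proto, inside_local, local_port, inside_global, global_port)
STATIC_NAT = [
    ("tcp", "192.0.2.114", 443, "203.0.113.18", 443),
    ("tcp", "192.0.2.114", 514, "203.0.113.18", 514),
    ("udp", "192.0.2.114", 514, "203.0.113.18", 514),
]

# Shape of the posted "ip route" lines: (prefix, next_hop)
STATIC_ROUTES = [
    ("0.0.0.0/0", "203.0.113.2"),          # default route, Internet side
    ("203.0.113.16/28", INSIDE_GATEWAY),   # public block routed to the MPLS gateway
    ("192.0.2.0/24", INSIDE_GATEWAY),      # inside hosts behind the MPLS gateway
]


def translate_inbound(proto, dst, dport=None):
    """Outside-to-inside lookup: a port-forward entry matches only on the
    exact protocol, global address and global port. Returns (local, port)
    or None when nothing translates the packet."""
    for p, local, lport, glob, gport in STATIC_NAT:
        if p == proto and glob == dst and gport == dport:
            return local, lport
    return None


def next_hop(dst):
    """Longest-prefix match over the static routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in STATIC_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def forward(proto, dst, dport=None):
    """NAT lookup happens before routing for outside-to-inside traffic, so
    the route lookup uses the translated destination when there is one."""
    hit = translate_inbound(proto, dst, dport)
    final_dst = hit[0] if hit else dst
    hop = next_hop(final_dst)
    return {
        "translated": hit is not None,
        "dst_after_nat": final_dst,
        "next_hop": hop,
        # True when a packet still addressed to the public block is handed
        # to the inside gateway, which has to route it somewhere again.
        "public_dst_sent_inside": hit is None and hop == INSIDE_GATEWAY,
    }


if __name__ == "__main__":
    for pkt in [("icmp", "203.0.113.18", None), ("tcp", "203.0.113.18", 443)]:
        print(pkt, forward(*pkt))
```

In this model an ICMP echo to a forwarded address matches no tcp/udp entry, keeps its public destination and follows the /28 static route to 10.10.2.1, which is consistent with the traceroute described in the thread.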

 
