
Subscriber on IP Session can't translate to outside interface.

Hi All

I am facing a problem with a subscriber on an IP session. The subscriber can ping the gw but can't translate and ping to the outside interface. Could you please help me find a solution to solve it?

Configuration 

Version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ISG
!
boot-start-marker
boot-end-marker
!
!
enable password cisco
!
aaa new-model
!
!
aaa group server radius QNS_AAA
server name RADIUS-SERVER1
!
aaa authentication login default local
aaa authentication login QNS_AUTHEN_LIST group QNS_AAA
aaa authorization network default group QNS_AAA
aaa authorization network QNS_AUTHOR_LIST group QNS_AAA
aaa authorization subscriber-service default group QNS_AAA local
aaa accounting update periodic 180
aaa accounting network QNS_ACCT_LIST start-stop group QNS_AAA
!

no ip domain lookup
ip dhcp drop-inform
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 172.16.0.1 172.16.10.255
!
ip dhcp pool xx
network 172.16.0.0 255.255.0.0
default-router 172.16.255.254
lease 0 8
class default
!
!
ip dhcp class default
!
ip dhcp class Default
!
!
ip dhcp global-options
dns-server 8.8.4.4
!
!
!
!
!
!
!
!
subscriber service coa-rfc-compliant
subscriber service session-accounting
subscriber templating
subscriber authorization enable
service-policy type control CISCO_POLICY_RULE
!
multilink bundle-name authenticated
!

!
!
!
!
!
!
ip telnet source-interface GigabitEthernet1
class-map type traffic match-any TC_INTERNET
match access-group output name ACL_OUT_INTERNET
match access-group input name ACL_IN_INTERNET
!
class-map type traffic match-any TC_OPENGARDEN
match access-group output name OPENGARDEN_ACL_OUT
match access-group input name OPENGARDEN_ACL_IN
!
class-map type control match-all IP_UNAUTH_COND
match timer IP_UNAUTH_TIMER
match authen-status unauthenticated
!
!
class-map match-any MyClassMap
match access-group 140
policy-map type service OPENGARDEN_SERVICE
10 class type traffic TC_OPENGARDEN
!
!
policy-map type service PBHK
ip portbundle
!
policy-map type control CISCO_POLICY_RULE
class type control IP_UNAUTH_COND event timed-policy-expiry
1 service disconnect
!
class type control always event session-restart
5 service-policy type service name PBHK
10 service-policy type service name OPENGARDEN_SERVICE
20 authorize aaa password aaa identifier mac-address
25 service-policy type service name CISCO_REDIRECT_SERVICE
30 set-timer IP_UNAUTH_TIMER 4
!
class type control always event account-logon
1 authenticate aaa list QNS_AUTHEN_LIST
2 service-policy type service unapply name CISCO_REDIRECT_SERVICE
!
class type control always event service-stop
1 service-policy type service unapply identifier service-name
2 service-policy type service name CISCO_REDIRECT_SERVICE
3 service-policy type service name OPENGARDEN_SERVICE
!
class type control always event service-start
2 service-policy type service identifier service-name
5 service-policy type service identifier service-name
!
class type control always event account-logoff
1 service disconnect delay 5
!
class type control always event session-start
5 service-policy type service name PBHK
10 service-policy type service name OPENGARDEN_SERVICE
20 authorize aaa password aaacisco identifier mac-address
25 service-policy type service name CISCO_REDIRECT_SERVICE
30 set-timer IP_UNAUTH_TIMER 4
!
!
!
policy-map Policy1
class MyClassMap
police rate 1000 pps
conform-action transmit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address 192.168.255.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet1
ip address 192.168.20.71 255.255.255.0
ip nat outside
ip nat allow-static-host
negotiation auto
!
interface GigabitEthernet2
ip address 10.17.0.254 255.255.255.0
ip portbundle outside
negotiation auto
!
interface GigabitEthernet3
ip address 172.16.255.254 255.255.0.0
ip nat inside
ip portbundle outside
negotiation auto
service-policy type control CISCO_POLICY_RULE
ip subscriber l2-connected
initiator unclassified mac-address
arp ignore local
!
!
virtual-service csr_mgmt
!
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool pool1 192.168.20.78 192.168.20.79 netmask 255.255.255.0
ip nat inside source list INTERNET pool pool1 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
ip access-list extended ACL_IN_INTERNET
permit ip any any log
ip access-list extended ACL_OUT_INTERNET
permit ip any any log
ip access-list extended INTERNET
permit tcp 172.16.0.0 0.0.255.255 any log
permit udp 172.16.0.0 0.0.255.255 any log
permit udp 172.16.0.0 0.0.255.255 any eq domain
permit ip 172.16.0.0 0.0.255.255 any
ip access-list extended OPENGARDEN_ACL_IN
permit ip any host 8.8.8.8
ip access-list extended OPENGARDEN_ACL_OUT
permit ip host 8.8.8.8 any
!
ip radius source-interface GigabitEthernet2
!
ip portbundle
match access-list 111
source GigabitEthernet1
!
access-list 111 permit ip any any log
access-list 140 permit 46 any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 31 mac format ietf
!
radius server RADIUS-SERVER1
address ipv4 10.17.0.4 auth-port 1812 acct-port 1813
key testing123
!
!
control-plane
service-policy input Policy1

end

Output on router 

ISG#ping 8.8.8.8 source gigabitEthernet 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.255.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/35/47 ms

ISG#ping 172.16.11.1 source gigabitEthernet 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.71
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

ISG# show subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: IPv4, UID: 976, State: unauthen, Identity: 172.16.11.1
IPv4 Address: 172.16.11.1
Session Up-time: 00:01:19, Last Changed: 00:01:19
Switch-ID: 4297

Policy information:
Context 7FD4718AD608: Handle 94000A82
AAA_id 000003FD: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
portbundle 0 "enable"
username 0 "OPENGARDEN_SERVICE"
traffic-class 0 "output access-group name OPENGARDEN_ACL_OUT priority 10"
traffic-class 0 "input access-group name OPENGARDEN_ACL_IN priority 10"
Config history for session (recent to oldest):
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: OPENGARDEN_SERVICE, 3 references
password 0 <hidden>
username 0 "OPENGARDEN_SERVICE"
traffic-class 0 "output access-group name OPENGARDEN_ACL_OUT priority 10"
traffic-class 0 "input access-group name OPENGARDEN_ACL_IN priority 10"
Access-type: IP Client: SM
Policy event: Service Selection Request (Service)
Profile name: PBHK, 3 references
password 0 <hidden>
username 0 "PBHK"
portbundle 0 "enable"
Active services associated with session:
name "OPENGARDEN_SERVICE", applied before account logon
name "PBHK", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map CISCO_POLICY_RULE
condition always event session-start
5 service-policy type service name PBHK
10 service-policy type service name OPENGARDEN_SERVICE
20 authorize identifier mac-address
25 service-policy type service name CISCO_REDIRECT_SERVICE
