Solved: Can not ping ip of interface enable Nat outside

HDBank Network · ‎10-27-2011

hi all

i'm facing problem as: on my router , i can't ping ip address of interface nat outside

my configurate router is :

interface fas1/1

ip add : 4.4.4.4/24

ip nat outside

interface fas1/2

ip add 2.2.2.2/24

ip nat inside

ip nat inside source list 100 interface fas1/1 overload

ip nat inside source static tcp 2.2.2.20 666 4.4.4.4 666

ip access-list exten 100

permit ip host 2.2.2.20 any

ping 4.4.4.4 can't on this router.

could you tell me , where does i miss config ?

thanks

Haris P · ‎10-29-2011

I think it is because of NAT overloading with outside interface . Instead of NAT with the outside interface just define a pool and overload with that NAT pool and please let me know if it solves your problem or not ?

ip nat pool test 4.4.4.5 4.4.4.5 netmask 255.255.0

no ip nat inside source list 100 interface fas1/1 overload

ip nat inside source list 100 pool test overload

Regards

Haris P

View solution in original post

cadet alain · ‎10-27-2011

Hi,

I suppose you're not connected on the internet otherwise this may lead to troubles as this address is in a range assigned to Level 3 Communications, Inc.

If this is a lab then verify that the interface is up/up: sh ip int br

Alain.

Don't forget to rate helpful posts.

HDBank Network · ‎10-27-2011

hi

Our router connect to partner via lease line layer 2 , port on router is GigaEthernet

the interface of status is UP

on this router can ping to ip address of partner but can not ping ip nat outside my router

thanks

johnlloyd_13 · ‎10-27-2011

hi,

you're missing the static default route:

ip route 0.0.0.0 0.0.0.0

HDBank Network · ‎10-27-2011

hi

the problem is on the my Router can not ping ip nat outside of it and on router of partner can't ping ip face to face .

anything other is ok

my subnet local and subnet local of parter can ping and access services ok

pls help

thanks

cadet alain · ‎10-27-2011

Hi,

Can you post complete config and also post result of debug ip pack detail and debug ip nat when you try to ping your

router.

Alain.

Don't forget to rate helpful posts.

HDBank Network · ‎10-28-2011

hi all

i don't why know , when i ping 4.4.4.4 ( ip nat ouside ) on this my router and enable debug ip icmp

so , the router can't receive packet icmp request ,

don't know access-list to have problem ? but in my opinion the traffic requested from router then can't apply access-list

pls help

thanks

Marius Gunnerud · ‎10-28-2011

As cadet has mentioned, please post the full router config.

--
Please remember to select a correct answer and rate helpful posts

Kishore Chennupati · ‎10-28-2011

Hi,

Can you remove the below from your config and then try again to ping the outside ip(ip nat outside) of your router from your partner network or from anywhere else?

ip nat inside source static tcp 2.2.2.20 666 4.4.4.4 666 << please remove this for testing

HTH

Regards,

Kishore

HDBank Network · ‎10-28-2011

hi all

We had test on other interface , don't ip nat outside in the interface , then ping ok

may be the problem is Nat outside

pls help

thanks

Haris P · ‎10-29-2011

I think it is because of NAT overloading with outside interface . Instead of NAT with the outside interface just define a pool and overload with that NAT pool and please let me know if it solves your problem or not ?

ip nat pool test 4.4.4.5 4.4.4.5 netmask 255.255.0

no ip nat inside source list 100 interface fas1/1 overload

ip nat inside source list 100 pool test overload

Regards

Haris P

HDBank Network · ‎10-30-2011

hi HaRis

i have config pool NAt but can't ping 4.4.4.4 of interface ( ip Nat outside)

ip nat pool test 4.4.4.5 4.4.4.5 netmask 255.255.255.0

ip nat inside soure list 100 pool test overload

ip access-list exten 100

permit ip host 2.2.2.20 any

permit ip host 4.4.4.4 any

permit ip host 4.4.4.5 any

Router's nat table

Pro Inside global Inside local Outside local Outside global

icmp 4.4.4.5 4.4.4.4 4.4.4.4 4.4.4.4

pls help

thanks

Haris P · ‎10-31-2011

Try as given below . I think in your ACL 100 you are permitting 4.4.4.4 and 4.4.4.5 and it is not needed . In NAT access-list you have to permit the source IP (inside subnet) only

modify your ACL and please let me know the result

*****************************************

interface f1/1
ip address 4.4.4.4 255.255.255.0
ip nat outside
!
interface f1/2
ip address 2.2.2.2 255.255.255.0
ip nat inside

!
ip nat pool test 4.4.4.5 4.4.4.5 netmask 255.255.255.0
ip nat inside source list 100 pool test overload

ip access-list exten 100

permit ip host 2.2.2.20 any

Or

ip nat inside source list 100 interface f1/1 overload

flintthuang · ‎01-04-2016

I think this the access-list problem, should change access-list like this:

ip access-list exten 100

deny ip any 4.4.4.4

permit ip host 2.2.2.20 any