
Can PING from any Public/Global IP but cannot PING from any Private IP addresses

Japayuki69
Level 1

Hi Guys,

I am desperate. I think this is just a simple problem, but my knowledge of Cisco is not really that deep.

Please help!

(Note: All Actual IP info are Sanitized)

---------------------------------------------------------------------------------------

Our ISP has provided our Company the following Information.

---------------------------------------------------------------------------------------

WAN-out AAA.BBB.CCC.72/29  IP8 Numbered

WAN-in AAA.BBB.DDD.192/26  IP64

Assigned ISP router IP is AAA.BBB.CCC.73

Assigned Client Router IP is AAA.BBB.CCC.74/29

---------------------------------------------------------------------------------------

Used Router is Cisco 1921 with 2 Gigabit port.

Port Gi0/0 @ AAA.BBB.CCC.74 255.255.255.248

Port Gi0/1 @ AAA.BBB.DDD.193 255.255.255.192

Gi0/1 is connected to a Cisco Switch which has other devices connected to it such as web, sub-routers, etc...

Sub-Router IP @ AAA.BBB.DDD.205

Web-Server IP @ AAA.BBB.DDD.200

Etc...

Problem:

I can ping the specific AAA.BBB.DDD.193 assigned to the Router port Gi0/1 from any Private IP or Public IP address.

The rest of the IP addresses in AAA.BBB.DDD.192/26 can be pinged directly from any public IP, but they cannot be pinged from a private IP address.

It sounds like it has more to do with NATting in the router config. Please help!

I have included the SANITIZED config For Your Reference.

!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ISP_STATIC_@_100MBPS_INTERNET
 ip address AAA.BBB.CCC.74 255.255.255.248
 ip access-group FILTER_FROM_INTERNET in
 ip access-group FILTER_INTERNET in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN_IP64_AAA_BBB_DDD_192/26
 ip address AAA.BBB.DDD.193 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map 01_ISP_NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 AAA.BBB.CCC.73
!
ip access-list extended FILTER_INTERNET
 permit ip AAA.BBB.DDD.192 0.0.0.63 any
ip access-list extended FILTER_VTY_ACCESS
 permit ip AAB.BBA.ADA.88 0.0.0.7 any
 permit ip AAA.BBB.DDD.192 0.0.0.63 any
ip access-list extended ISP_NAT_ACL
 permit ip AAA.BBB.DDD.192 0.0.0.63 any
!
!
no cdp run
!
!
!
route-map 01_ISP_NAT permit 10
 match ip address ISP_NAT_ACL
!
!
!
control-plane
!
!
alias exec s show ip int brief
alias exec sr show running-config
alias exec sacl show access-list
banner motd ^C
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
/*/*/*/*/                                                               */*/*/*/*/
/*/*/*/                        DO NOT LOGIN                    */*/*/*/
/*/*/*/*/                                                               */*/*/*/*/
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
^C
!
line con 0
 exec-timeout 500 0
 logging synchronous
 login local
 length 0
line aux 0
 exec-timeout 5 0
 logging synchronous
 login local
 length 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class FILTER_VTY_ACCESS in
 exec-timeout 20 0
 logging synchronous
 login local
 length 0
 transport input ssh
line vty 5 1370
 access-class FILTER_VTY_ACCESS in
 exec-timeout 5 0
 logging synchronous
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
end

Thank you in advance.

1 Accepted Solution

John Blakley
VIP Alumni

Hi,

On g0/0, you reference an acl that doesn't exist (or at least in the config you posted it doesn't). You should remove this for testing purposes. Your nat configuration also references the inside interface instead of the outside interface to nat out as, so change that to the following:

ip nat inside source route-map 01_ISP_NAT interface GigabitEthernet0/0 overload

HTH,

John

HTH, John *** Please rate all useful posts ***
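
The two checks from the answer above (an interface `access-group` that names an ACL the config never defines, and a NAT overload rule pointing at an interface that is not marked `ip nat outside`) can be run over a saved config. This is an added example, not part of the original thread; the `audit` function is hypothetical, it only handles named ACLs, and the sample config is constructed with RFC 5737 documentation addresses.

```python
import re

# Constructed sample modelled on the posted config; addresses are RFC 5737
# documentation ranges, not values from the thread.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 203.0.113.74 255.255.255.248
 ip access-group FILTER_FROM_INTERNET in
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 198.51.100.193 255.255.255.192
 ip nat inside
!
ip nat inside source route-map 01_ISP_NAT interface GigabitEthernet0/1 overload
!
ip access-list extended FILTER_INTERNET
 permit ip 198.51.100.192 0.0.0.63 any
"""

def audit(config):
    """Return findings for undefined ACL references and misdirected NAT overload."""
    nat_role, acl_refs, acls, overload_ifs = {}, [], set(), []
    current = None
    for line in map(str.strip, config.splitlines()):
        if line == "!":
            current = None  # "!" separators end interface sub-mode
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            nat_role[current] = set()
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source .* interface (\S+) overload", line):
            overload_ifs.append(m.group(1))
        elif current and (m := re.match(r"ip nat (inside|outside)$", line)):
            nat_role[current].add(m.group(1))
        elif current and (m := re.match(r"ip access-group (\S+) (in|out)", line)):
            acl_refs.append((current, m.group(1)))
    findings = []
    for ifname, acl in acl_refs:
        if acl not in acls:
            findings.append(f"{ifname}: access-group {acl} is not defined")
    for ifname in overload_ifs:
        if "outside" not in nat_role.get(ifname, set()):
            findings.append(f"NAT overload uses {ifname}, which is not 'ip nat outside'")
    return findings
```
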


6 Replies


Hi John,

Thank you for the swift reply.

My bad, and sorry for the confusion.

I sanitized the original config too much and I forgot to edit the "access-group" for gi0/0.

The original message is now modified.

I already tried both:

ip nat outside source... (using this disconnects other devices from the internet)

ip nat inside source... (this connects other devices, but still no PING can be achieved)

Any other suggestion?

Thank you very much.

Erase the route-map and match the ACL directly.

Hardcode the speed and the duplex mode...

check also the ACL you wrote down... there is a duplicate...

Alessio

Hi Alessio,

Thank you for the reply. I tried it as per your advice, but it seems this is not working.

The duplicated ACLs were actually part of the illustration and should not cause confusion; it has a lot more IPs but was just sanitized.

Hello John,

I went back over your suggestions and found the answer.

Gi0/1 interface was just NAT OUT.

interface GigabitEthernet0/1
 description WAN_IP64_AAA_BBB_DDD_192/26
 ip address AAA.BBB.DDD.193 255.255.255.192
 ip nat inside
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

Thank you very much.

Glad to hear! Thanks for the rating and closing the question out!

HTH, John *** Please rate all useful posts ***