12-17-2010 09:55 PM - edited 03-05-2019 06:44 AM
Hi! I have 2 questions.
On my Cisco 2811 (IOS 12.4(15) T9 IPBASE W/O Crypto) I am using 3 interfaces.
And I have a pool of Global addresses: 200.x.z.97-200.x.z.126 255.255.255.0
!-----------------------------!
FastEthernet 0/1
description WAN interface
ip nat outside
ip address 200.x.y.253 255.255.255.0
GigabitInterface 0/2/0
description DMZ interface
ip nat inside
ip address 10.0.0.1 255.255.255.0
GigabitInterface 0/3/0
description LAN interface
ip nat inside
ip address 192.168.0.251 255.255.255.0
ip route 0.0.0.0 0.0.0.0 200.x.y.1
ip route 200.x.z.0 255.255.255.0 FastEthernet0/1
ip nat pool LANWANPOOL 200.x.z.99 200.x.z.99 netmask 255.255.255.0
ip nat pool DMZWANPOOL 200.x.z.100 200.x.z.100 netmask 255.255.255.0
ip nat inside source list 51 pool LANWANPOOL overload
ip nat inside source list 52 pool DMZWANPOOL overload
ip nat inside source static tcp 10.0.0.1 53 200.x.z.101 53 extendable
ip nat inside source static tcp 10.0.0.2 80 200.x.z.102 80 extendable
ip nat inside source static 10.0.0.108 200.x.z.108 extendable
ip nat inside source static 192.168.0.59 200.x.z.110
ip nat inside source static tcp 192.168.0.71 25 200.x.z.112 25 extendable
ip nat inside source static tcp 192.168.0.71 110 200.x.z.112 110 extendable
access-list 51 remark List of hosts going to Internet from LAN
access-list 51 permit 192.168.0.71
access-list 51 permit 192.168.0.41
access-list 51 permit 192.168.0.3
access-list 51 permit 192.168.0.252
access-list 52 remark List of hosts going to Internet from DMZ
access-list 52 permit 10.0.0.2
access-list 52 permit 10.0.0.1
!-----------------------------!
The first question is:
My router can ping InsideGlobal IP 200.x.z.108 and 200.x.z.110, but it can't ping 200.x.z.112, 200.x.z.101, 200.x.z.102. Why???
The second question:
How can I ping InsideGlobal IPs from inside networks (10.0.0.0/24 and 192.168.0.0/24)?
For example, from host 192.168.0.1 "ping 200.x.z.110".
I am new to Cisco routing, so please tell me the direction of further actions!
12-18-2010 02:56 AM
When you check your static xlates, you will see that the ones you can ping all have a translation for ip, while the ones you cannot ping have a translation for tcp. The ones using tcp cannot be pinged because ping requires icmp, but only tcp traffic is being processed by nat.
The other issue may be related, I cannot find any reference to the public ip you mention.
regards,
Leo
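Added example (not part of any post in this thread): a small Python parser for `show ip nat translations` output that separates protocol-independent static entries, which translate ICMP and expose every port of the inside host, from tcp/udp port forwards. The sample table is constructed with documentation addresses, the function names are hypothetical, and it assumes all dynamic NAT is `overload`, as in the posted configuration, so rows with `---` in both outside columns are static.

```python
from collections import defaultdict

# Constructed sample in the layout of "show ip nat translations";
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.101:53   10.0.0.1:53        ---                ---
tcp 203.0.113.102:80   10.0.0.2:80        ---                ---
tcp 203.0.113.108:4333 10.0.0.108:4333    198.51.100.22:80   198.51.100.22:80
--- 203.0.113.108      10.0.0.108         ---                ---
udp 203.0.113.99:137   192.168.0.41:137   198.51.100.1:137   198.51.100.1:137
--- 203.0.113.110      192.168.0.59       ---                ---
tcp 203.0.113.112:25   192.168.0.71:25    ---                ---
tcp 203.0.113.112:110  192.168.0.71:110   ---                ---
"""

def classify_static_nat(output):
    """Map each inside global IP to 'any' (protocol-independent static
    entry) or to a sorted list of (proto, port) static port forwards."""
    result = {}
    ports = defaultdict(set)
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, blank line or wrapped output
        proto, inside_global, _local, out_local, out_global = fields
        if out_local != "---" or out_global != "---":
            continue  # dynamic session entry, not a static mapping
        if proto == "---":
            result[inside_global] = "any"  # 1:1 NAT: all protocols, all ports
        else:
            ip, port = inside_global.rsplit(":", 1)
            ports[ip].add((proto, int(port)))
    for ip, entries in ports.items():
        # A full static entry for the same IP takes precedence.
        result.setdefault(ip, sorted(entries))
    return result

def answers_ping(mapping, ip):
    """ICMP is translated only when a protocol-independent entry exists."""
    return mapping.get(ip) == "any"

if __name__ == "__main__":
    for ip, exposure in sorted(classify_static_nat(SAMPLE).items()):
        print(ip, exposure)
```

Addresses reported as `any` are reachable from outside on every port the inside host listens on, so they need their own inbound filtering; the port-forward entries expose only the listed services.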
12-19-2010 07:15 PM
OK, I understand why my router can't ping my hosts with outside addresses. But telnet SHOULD work on port 25:
telnet 200.x.z.112 25
Am I right? But it doesn't ...
I didn't understand what the second issue could be...
And why can't my INSIDE hosts ping hosts which the router can ping?
12-18-2010 10:13 PM
I see you have two nat statements and pools:
ip nat inside source list 51 pool LANWANPOOL overload
ip nat inside source list 52 pool DMZWANPOOL overload
In the access-lists 51 and 51 allow the 2 subnets.
access-list 51 permit 192.168.0.0 0.0.0.255
access-list 51 permit 10.0.0.0 0.0.0.255
This should allow you to ping from inside.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
12-19-2010 07:07 PM
I try to ping hosts from IP addresses already added to the access-list. Your suggestion is to permit access to the outside for all inside hosts. I don't think it will solve the problem.
12-19-2010 07:12 PM
Can you tracert from the host and tell us where it drops? Also send the "show ip nat trans" output.
12-19-2010 07:31 PM
FROM CISCO:
cisco2811#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
tcp 200.x.z.101:53 10.0.0.1:53 --- ---
tcp 200.x.z.102:80 10.0.0.2:80 --- ---
tcp 200.x.z.108:4333 10.0.0.108:4333 77.223.143.22:80 77.223.143.22:80
udp 200.x.z.108:4500 10.0.0.108:4500 212.159.204.75:4500 212.159.204.75:4500
tcp 200.x.z.108:22398 10.0.0.108:22398 183.61.4.44:80 183.61.4.44:80
tcp 200.x.z.108:24078 10.0.0.108:24078 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:26544 10.0.0.108:26544 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:41809 10.0.0.108:41809 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:42910 10.0.0.108:42910 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:44885 10.0.0.108:44885 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:50461 10.0.0.108:50461 183.61.4.44:80 183.61.4.44:80
tcp 200.x.z.108:53970 10.0.0.108:53970 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:56662 10.0.0.108:56662 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:58666 10.0.0.108:58666 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.108:59809 10.0.0.108:59809 192.168.74.11:514 192.168.74.11:514
--- 200.x.z.108 10.0.0.108 --- ---
udp 200.x.z.99:137 192.168.0.41:137 192.168.179.1:137 192.168.179.1:137
udp 200.x.z.99:137 192.168.0.41:137 192.168.240.1:137 192.168.240.1:137
tcp 200.x.z.99:1651 192.168.0.41:1651 205.188.4.92:5190 205.188.4.92:5190
tcp 200.x.z.99:1939 192.168.0.41:1939 64.12.30.44:5190 64.12.30.44:5190
tcp 200.x.z.99:1948 192.168.0.41:1948 95.101.86.64:443 95.101.86.64:443
tcp 200.x.z.99:1960 192.168.0.41:1960 95.101.86.64:443 95.101.86.64:443
tcp 200.x.z.99:1969 192.168.0.41:1969 92.122.126.226:443 92.122.126.226:443
tcp 200.x.z.99:1975 192.168.0.41:1975 209.143.198.123:443 209.143.198.123:443
tcp 200.x.z.99:1977 192.168.0.41:1977 95.101.86.64:443 95.101.86.64:443
tcp 200.x.z.99:1981 192.168.0.41:1981 209.143.198.123:443 209.143.198.123:443
tcp 200.x.z.99:2011 192.168.0.41:2011 95.101.86.64:443 95.101.86.64:443
tcp 200.x.z.110:290 192.168.0.59:290 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:1024 192.168.0.59:1024 69.26.162.106:22 69.26.162.106:22
tcp 200.x.z.110:1545 192.168.0.59:1545 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:1566 192.168.0.59:1566 183.61.4.44:80 183.61.4.44:80
tcp 200.x.z.110:16948 192.168.0.59:16948 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:21988 192.168.0.59:21988 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:27051 192.168.0.59:27051 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:30802 192.168.0.59:30802 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:37042 192.168.0.59:37042 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:39294 192.168.0.59:39294 183.61.4.44:80 183.61.4.44:80
tcp 200.x.z.110:40626 192.168.0.59:40626 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:51197 192.168.0.59:51197 77.223.143.22:80 77.223.143.22:80
tcp 200.x.z.110:51886 192.168.0.59:51886 77.223.143.22:80 77.223.143.22:80
--- 200.x.z.110 192.168.0.59 --- ---
tcp 200.x.z.112:25 192.168.0.71:25 --- ---
tcp 200.x.z.112:110 192.168.0.71:110 --- ---
cisco2811#trace 200.x.z.108
Type escape sequence to abort.
Tracing the route to 200.x.z.108
1 * * *
2 * * *
cisco2811#trace 200.x.z.112
Type escape sequence to abort.
Tracing the route to 200.x.z.112
1 * * *
2 *
FROM HOST 192.168.0.41
C:\>tracert -d 200.x.z.112
Трассировка маршрута к 200.x.z.112 с максимальным числом прыжков 30
1 <1 мс <1 мс <1 мс 192.168.0.251
2 * * * Превышен интервал ожидания для запроса.
3 ^C
C:\>tracert -d 200.x.z.108
Трассировка маршрута к 200.x.z.108 с максимальным числом прыжков 30
1 <1 мс <1 мс <1 мс 192.168.0.251
2 * * * Превышен интервал ожидания для запроса.
3 ^C
C:\>tracert -d 10.0.0.108
Трассировка маршрута к 10.0.0.108 с максимальным числом прыжков 30
1 <1 мс <1 мс <1 мс 192.168.0.251
2 <1 мс <1 мс <1 мс 10.0.0.108
Трассировка завершена.
12-19-2010 09:44 PM
From your router, can you:
telnet 192.168.0.71 25
Does this work fine?
On device 192.168.0.71, what is the default gateway?
12-19-2010 10:45 PM
The gateway on 192.168.0.71 is 192.168.0.251. Everything is all right there, as mail works.
From router:
cisco2811#telnet 192.168.0.71 25
Trying 192.168.0.71, 25 ... Open
220 ESMTP Postfix
I don't understand why the router can ping the IPs but has no proper route to them.