Cannot ping my clients pppoe with ACL nat active

Dirlei Fischer
Level 1

I have a 7206VXR NPE-G2 router running as a PPPoE server. My LAN network is 172.16.99.0/24, and after creating access-list 1 I lost the ability to ping the LAN network from outside the router. I only have this access-list, and when I delete it, pinging the LAN network from outside the router works normally.

Thanks in advance!!

interface GigabitEthernet0/1
description LINK
ip address X.X.220.158 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
negotiation auto
ipv6 address X:X:5E00::F2/124
ipv6 enable

interface GigabitEthernet0/2
description ***LAN_PPPOE***
duplex auto
speed auto
media-type rj45
negotiation auto
ipv6 enable
ipv6 nd managed-config-flag
ipv6 dhcp server PPPv6 rapid-commit
pppoe enable group clientes

interface Virtual-Template1
mtu 1492
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
no ip route-cache

ip nat inside source list 1 interface GigabitEthernet0/1 overload

access-list 1 permit 172.16.99.0 0.0.0.255

Accepted Solution


Hi Dirlei,
Instead of using standard access-list 1, use an extended ACL so that only your Internet traffic gets NATed. Use something like

! exempt the three RFC 1918 blocks (10/8, 172.16/12, 192.168/16) from translation
access-list 199 deny ip 172.16.99.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 199 deny ip 172.16.99.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 199 deny ip 172.16.99.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 172.16.99.0 0.0.0.255 any

and change your NAT rule to

ip nat inside source list 199 interface GigabitEthernet0/1 overload

Star me if you think this is helpful.

-
Sebastian


3 Replies

Hello,

What if you just exclude ICMP from being translated?

access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 permit ip 172.16.99.0 0.0.0.255 any

!

ip nat inside source list 101 interface GigabitEthernet0/1 overload
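The two answers above both work by changing which inside-to-outside packets the NAT ACL permits, so it is worth being able to predict that before committing the config. The failure in the question comes from the echo-reply: the request from the outside host reaches the 172.16.99.x client untouched, but the reply from the client toward that host matches `permit 172.16.99.0 0.0.0.255` and has its source rewritten to the Gi0/1 address, so the pinging host gets a reply from an address it never pinged and discards it. The following Python model is an added example, not code from the thread or from Cisco: it reproduces IOS first-match evaluation with wildcard masks (a 1 bit means "don't care", no match is an implicit deny) for access-list 1, 199 and 101, and reports which packets `ip nat inside source list N ... overload` would translate. The middle RFC 1918 block is written as 172.16.0.0 with wildcard 0.15.255.255 (the /12). The client, pinger and Internet addresses are constructed sample values, and the `ace`/`first_match`/`nat_translates` helpers are this example's own names.

```python
"""Simulate IOS NAT-ACL matching for the three ACLs in this thread.

Added example, not part of the original thread. It models first-match
evaluation with Cisco wildcard masks and the implicit deny at the end of
every ACL, then reports whether 'ip nat inside source list N' would
translate a given inside->outside packet. All addresses are constructed.
"""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any': network 0.0.0.0, wildcard all ones
LAN = ("172.16.99.0", "0.0.0.255")     # the PPPoE client pool from the question


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace(action, proto, src, dst, icmp_type=None):
    """Build one access-list entry; src/dst are (network, wildcard) tuples."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "icmp_type": icmp_type}


# access-list 1 from the question: a standard ACL only looks at the source,
# so the destination is effectively 'any'.
ACL_1 = [ace("permit", "ip", LAN, ANY)]

# access-list 199 from the accepted answer: RFC 1918 destinations are exempted.
# The middle block is 172.16.0.0/12 (wildcard 0.15.255.255); a wildcard of
# 0.31.255.255 would also exempt the public range 172.0.0.0-172.15.255.255.
ACL_199 = [
    ace("deny", "ip", LAN, ("10.0.0.0", "0.255.255.255")),
    ace("deny", "ip", LAN, ("172.16.0.0", "0.15.255.255")),
    ace("deny", "ip", LAN, ("192.168.0.0", "0.0.255.255")),
    ace("permit", "ip", LAN, ANY),
]

# access-list 101 from the second reply: ICMP echo/echo-reply are never translated.
ACL_101 = [
    ace("deny", "icmp", ANY, ANY, "echo"),
    ace("deny", "icmp", ANY, ANY, "echo-reply"),
    ace("permit", "ip", LAN, ANY),
]


def first_match(acl, src, dst, proto, icmp_type=None):
    """Return the 1-based position of the first matching entry, or None (implicit deny)."""
    for seq, e in enumerate(acl, start=1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            return seq
    return None


def nat_translates(acl, src, dst, proto, icmp_type=None) -> bool:
    """'ip nat inside source list N' translates an inside->outside packet only
    when the ACL permits it; a deny entry means 'leave this packet alone'."""
    seq = first_match(acl, src, dst, proto, icmp_type)
    return seq is not None and acl[seq - 1]["action"] == "permit"


def ping_reply_survives(acl, client: str, pinger: str) -> bool:
    """The symptom from the question: the echo request reaches the client
    untranslated, but if the echo-reply (inside->outside) hits a permit entry
    its source is rewritten to the Gi0/1 address and the pinger drops it."""
    return not nat_translates(acl, client, pinger, "icmp", "echo-reply")


if __name__ == "__main__":
    client, pinger, internet = "172.16.99.10", "10.20.0.5", "203.0.113.9"
    for name, acl in (("acl 1", ACL_1), ("acl 199", ACL_199), ("acl 101", ACL_101)):
        print(f"{name}: ping {pinger}->{client} works: {ping_reply_survives(acl, client, pinger)}; "
              f"client TCP to {internet} translated: {nat_translates(acl, client, internet, 'tcp')}; "
              f"client ping to {internet} translated: {nat_translates(acl, client, internet, 'icmp', 'echo')}")
```

Running it shows the trade-off between the two answers: with access-list 199 the client's own pings to the Internet are still translated, while access-list 101 leaves every ICMP echo untranslated, so a client pinging a public address would send its private 172.16.99.x source out of Gi0/1 and never get an answer.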

Hello,

Are you missing something from your post? The only ACL I see relates to an IPv4 subnet and NAT, but I don't see any NAT applied to your LAN interface or any IPv4 addressing.

The virtual template isn't doing anything as far as I can see, and it has the wrong NAT applied to it anyway.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul