Cannot ping through NAT on ISR4351/K9

Shelme74
Level 1

Hello all, everything is in the title. I managed to connect via PPPoE and VLAN to the Internet with my ISR4351/K9 and can ping the Internet from the router, but not from my PC connected to it. Does anyone have an idea of what I did wrong in the configuration below?

Router#sh run
Building configuration...


Current configuration : 2170 bytes
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!


ip name-server 91.121.61.147 87.98.149.171

!
ip dhcp pool LAN
network 172.16.79.0 255.255.255.0
dns-server 91.121.61.147 87.98.149.171
default-router 172.16.79.254
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4351/K9 sn FDO22470XNQ
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 172.16.79.254 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2.4001
encapsulation dot1Q 4001
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname [REDACTED]
ppp chap password 0 [REDACTED]
ppp pap sent-username [REDACTED] password 0 [REDACTED]
!
ip nat translation timeout 13000
ip nat translation tcp-timeout 50000
ip nat translation udp-timeout 45000
ip nat translation max-entries 300
ip nat inside source list acl1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 145.239.153.51
ip route 0.0.0.0 0.0.0.0 dhcp
ip ospf name-lookup
!
!
ip access-list standard acl1
permit 0.0.0.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
!
Accepted Solutions

@Shelme74 

The ACL acl1 is configured to permit 0.0.0.0/24 (incorrect subnet). It should permit your LAN subnet 172.16.79.0/24.
#ip access-list standard acl1
#permit 172.16.79.0 0.0.0.255

Change the NAT interface also:
#no ip nat inside source list acl1 interface GigabitEthernet0/0/0 overload
#ip nat inside source list acl1 interface Dialer1 overload

Thanks!

Jan Rolny
Level 3

Hi Shelme74,

Looks like you are not matching your ACL mentioned in NAT. You probably wanted to match the whole range 0.0.0.0/0, but you are matching 0.0.0.1-254.

I would rather use this ACL below as this seems to be your subnet used in DHCP configuration on LAN side.

ip access-list standard acl1
 permit 172.16.79.0 0.0.0.255

 Best regards,

Jan


Thank you @Joshqun Ismayilov and @Jan Rolny, this worked like a charm
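
The two faults identified in the replies (a wildcard-mask ACL that never matches the LAN, and PAT overloading on the inside interface) can be checked mechanically. The following is an added example, not part of the thread or of any Cisco tooling: a small Python audit run over a constructed excerpt of the posted config. It assumes ACL entries of the form `permit <address> <wildcard>` only, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config; AFTER applies both suggested changes.
BEFORE = """\
interface GigabitEthernet0/0/0
 ip address 172.16.79.254 255.255.255.0
 ip nat inside
interface Dialer1
 ip nat outside
ip nat inside source list acl1 interface GigabitEthernet0/0/0 overload
ip access-list standard acl1
 permit 0.0.0.0 0.0.0.255
"""
AFTER = (BEFORE.replace("interface GigabitEthernet0/0/0 overload", "interface Dialer1 overload")
         .replace("permit 0.0.0.0 0.0.0.255", "permit 172.16.79.0 0.0.0.255"))

def parse(config):
    """Collect interface NAT role/subnet, standard ACL entries and PAT rules."""
    ifaces, acls, rules, ctx = {}, {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            ctx = ifaces.setdefault(m[1], {"nat": None, "net": None})
        elif m := re.match(r"ip access-list standard (\S+)$", line):
            ctx = acls.setdefault(m[1], [])
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", line):
            rules.append((m[1], m[2]))
        elif isinstance(ctx, dict) and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            ctx["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif isinstance(ctx, dict) and (m := re.match(r"ip nat (inside|outside)$", line)):
            ctx["nat"] = m[1]
        elif isinstance(ctx, list) and (m := re.match(r"permit (\S+) (\S+)$", line)):
            ctx.append(tuple(int(ipaddress.ip_address(x)) for x in m.groups()))
    return ifaces, acls, rules

def acl_permits(entries, addr):
    """Wildcard bits set to 1 are ignored; every other bit must equal the base."""
    return any(((addr ^ base) & ~wild & 0xFFFFFFFF) == 0 for base, wild in entries)

def audit(config):
    """Yield one finding per PAT rule problem; yields nothing for a consistent config."""
    ifaces, acls, rules = parse(config)
    for acl, out_if in rules:
        if ifaces.get(out_if, {}).get("nat") != "outside":
            yield f"PAT uses {out_if}, which is not an 'ip nat outside' interface"
        for name, itf in ifaces.items():
            hosts = itf["net"].hosts() if itf["nat"] == "inside" and itf["net"] is not None else []
            missed = sum(not acl_permits(acls.get(acl, []), int(h)) for h in hosts)
            if missed:
                yield f"ACL {acl} misses {missed} hosts of {itf['net']} on {name}"
```

`list(audit(BEFORE))` reports both problems from the original config, and `list(audit(AFTER))` is empty once the ACL and the overload interface are corrected.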