10-22-2012 07:35 AM - edited 03-04-2019 05:55 PM
Hello everyone,
I am new to posting to the Cisco Support Community, though I read tips on here regularly because it is quite helpful for understanding common issues with Cisco products. Anyway, I am in need of help and am wondering if you guys could help me out; it would be greatly appreciated!
So I am having issues with a client's 1941 router. I did the initial configuration on it and someone else did the rest, though now it will not connect to the internet; more specifically, it will not do any NAT translations and will not ping public internet addresses (or allow them to be resolved, though that might be from our ACL). Anyways, I have tried a basic configuration to try to eliminate the current one as a potential issue, no dice so far. Oddly enough, I can reach it and manage it from its public interface/IP remotely, just no traffic can pass through it. To prevent this from being TL;DR, here is the current config. For security reasons I omitted certain things, and let's say my public IP is 10.0.0.1 for this purpose.
If you could help me out it would be great because I might be overlooking something here.
Config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WIN_GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL_IN pptp
ip inspect name FIREWALL_IN ipsec-msft
login block-for 30 attempts 4 within 15
login delay 5
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1997974926
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1997974926
revocation-check none
rsakeypair TP-self-signed-1997974926
!
!
crypto pki certificate chain TP-self-signed-1997974926
certificate self-signed 01
<output omitted>
quit
license udi pid CISCO1941/K9 sn FTX1613804K
!
!
username <omitted> privilege 15 secret 5 <omitted>
username <omitted> privilege 15 secret 5 <omitted>
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ###CONNECTION TO INTERNET###$FW_OUTSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group OUTSIDE_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect FIREWALL_IN in
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description ### INTERNAL LAN ###$FW_INSIDE$
ip address 172.1.0.8 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.1.0.6 25 10.0.0.1 25 extendable
ip nat inside source static tcp 172.1.0.41 443 10.0.0.1 443 extendable
ip nat inside source static tcp 172.1.0.41 465 10.0.0.1 465 extendable
ip nat inside source static tcp 172.1.0.36 1723 10.0.0.1 1723 extendable
ip nat inside source static tcp 172.1.0.36 2080 10.0.0.1 2080 extendable
ip nat inside source static tcp 172.1.0.41 3389 10.0.0.1 45000 extendable
ip nat inside source static tcp 172.1.0.20 3389 10.0.0.1 45001 extendable
ip nat inside source static tcp 172.1.0.58 3389 10.0.0.1 45002 extendable
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.20.0 255.255.255.0 172.1.0.3
ip route 192.168.35.0 255.255.255.0 172.1.0.3
ip route 192.168.36.0 255.255.255.0 172.1.0.3
ip route 192.168.40.0 255.255.255.0 172.1.0.3
!
ip access-list extended NAT
deny ip 172.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.1.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 172.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.35.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.35.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.35.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.36.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.36.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.36.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.40.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.40.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.1.0.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.35.0 0.0.0.255 any
permit ip 192.168.36.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended OUTSIDE_IN
permit udp host 64.90.182.55 eq ntp host 10.0.0.1 eq ntp
permit udp host 24.56.178.140 eq ntp host 10.0.0.1 eq ntp
permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
permit udp host 129.6.15.28 eq ntp host 10.0.0.1 eq ntp
permit tcp any host 10.0.0.1 eq telnet
permit tcp any host 10.0.0.1 eq 22
permit tcp any host 10.0.0.1 eq smtp
permit tcp any host 10.0.0.1 eq 8013
permit tcp any host 10.0.0.1 eq 443
permit tcp any host 10.0.0.1 eq 45002
permit tcp any host 10.0.0.1 eq 45001
permit tcp any host 10.0.0.1 eq 45000
permit tcp any host 10.0.0.1 eq 2080
permit tcp any host 10.0.0.1 eq 465
permit tcp any host 10.0.0.1 eq 1723
permit gre any host 10.0.0.1
permit esp any host 10.0.0.1
permit udp any host 10.0.0.1 eq isakmp
!
!
!
!
!
route-map NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 24.56.178.140 source GigabitEthernet0/0
ntp server 64.90.182.55 prefer source GigabitEthernet0/0
end
EDIT:
I am wondering if it is the environment, the current firewall/gateway is a linux solution and has no issue contacting our ISP default gateway or getting the users to the internet. The idea was for the Cisco device to replace it because it was a repurposed server that is getting old.
My concern is that the Cisco 1941 is defective, but it functions fine when pointed to the other firewall (which is to be removed). This leads me to believe it has something to do with the NAT translations...
Thanks in advance for your input!!!!
Message was edited by: Scott Dowsett
10-23-2012 12:14 AM
Sorry I wrote and deleted a post. I think you need to simplify your issue here. Remove the ACLs from the Gig 0/0 interface completely temporarily and try again. If it still isn't working.... definitely not an ACL issue.
As for NAT, the config looks pretty normal to me. You could try removing the global overload NAT statement and then the interface Gig 0/0 nat statement.... then try and ping the next-hop.
With NAT and ACLs out of the picture there should be nothing stopping you from pinging the next hop except for the next-hop itself. Never dismiss the fact that some devices don't respond to ICMP (ping) messages! Ping is not always a valid test!
If in doubt, get approval from whoever, then run the following commands, which will schedule the router to reboot in 10 mins to the original config:
copy run start
reload in 10
conf t
no ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
int gig 0/0
no ip access-group OUTSIDE_IN in
no ip nat outside
end
ping 10.0.0.2
If the ping works then it is definitely ACLs/NAT. To rollback changes without rebooting:
conf t
int gig 0/0
ip access-group OUTSIDE_IN in
ip nat outside
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
end
reload cancel
Good luck.
10-22-2012 09:57 AM
From the router I cannot ping its default gateway given to me by the ISP, can't ping anything.
I believe it is NAT or DNS that is causing an issue because I can reach the router from its public IP, though pinging it directly (with redirects and unreachables enabled) says "Reply from
Which I do not understand why it is saying its own network is not reachable as if it doesn't have a proper route.
Could this be a faulty router?
Thanks for your input well in advance!!!
10-22-2012 10:30 AM
Hi,
From the router I cannot ping its default gateway given to me by the ISP, can't ping anything.
do this for traffic generated by router:
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp router-traffic
Regards.
Alain
Don't forget to rate helpful posts.
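An added example, not part of any post in this thread and not Cisco code: a small Python model of first-match evaluation over the OUTSIDE_IN ACL from the first posted config. It shows why replies to traffic the router itself originates (its own pings and DNS lookups) fall to the implicit deny unless CBAC inspected the session, which is what the router-traffic keyword enables, while inbound management such as SSH is still permitted. The function names, the sample source 198.51.100.7 and the ephemeral port 51000 are assumptions made for the example.

```python
import ipaddress

# Port keywords that appear in the posted ACL.
PORT_NAMES = {"ntp": 123, "telnet": 23, "smtp": 25, "isakmp": 500}

# OUTSIDE_IN as posted (10.0.0.1 is the poster's stand-in for the public IP).
OUTSIDE_IN = """
permit udp host 64.90.182.55 eq ntp host 10.0.0.1 eq ntp
permit udp host 24.56.178.140 eq ntp host 10.0.0.1 eq ntp
permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
permit udp host 129.6.15.28 eq ntp host 10.0.0.1 eq ntp
permit tcp any host 10.0.0.1 eq telnet
permit tcp any host 10.0.0.1 eq 22
permit tcp any host 10.0.0.1 eq smtp
permit tcp any host 10.0.0.1 eq 8013
permit tcp any host 10.0.0.1 eq 443
permit tcp any host 10.0.0.1 eq 45002
permit tcp any host 10.0.0.1 eq 45001
permit tcp any host 10.0.0.1 eq 45000
permit tcp any host 10.0.0.1 eq 2080
permit tcp any host 10.0.0.1 eq 465
permit tcp any host 10.0.0.1 eq 1723
permit gre any host 10.0.0.1
permit esp any host 10.0.0.1
permit udp any host 10.0.0.1 eq isakmp
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))


def _port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok[:1] != ["eq"]:
        return None
    name = tok[1]
    del tok[:2]
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def parse_acl(text):
    """Parse extended ACL entries of the form used in the posted config."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        entry = {"text": line.strip(), "action": tok.pop(0), "proto": tok.pop(0)}
        entry["src"], entry["sport"] = _addr(tok), _port(tok)
        entry["dst"], entry["dport"] = _addr(tok), _port(tok)
        entries.append(entry)
    return entries


def _covers(spec, ip):
    base, wild = spec
    return (_ip(ip) | wild) == (base | wild)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First match wins; no match falls through to the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_covers(e["src"], src) and _covers(e["dst"], dst)):
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e["action"], e["text"]
    return "deny", "implicit deny"


def reply_admitted(entries, reply, router_originated, router_traffic_inspected):
    """Simplified model of the return path on Gi0/0 (tcp/udp/icmp only).

    CBAC lets return packets past the inbound ACL only for sessions it
    inspected on the way out. Transit sessions are inspected by
    'ip inspect FIREWALL out'; sessions the router itself starts are
    inspected only when the rule carries the router-traffic keyword."""
    if not router_originated or router_traffic_inspected:
        return True, "CBAC session"
    action, why = evaluate(entries, **reply)
    return action == "permit", why


if __name__ == "__main__":
    acl = parse_acl(OUTSIDE_IN)
    echo_reply = {"proto": "icmp", "src": "8.8.8.8", "dst": "10.0.0.1"}
    # 51000 is a constructed ephemeral port for the router's own DNS query.
    dns_reply = {"proto": "udp", "src": "8.8.8.8", "dst": "10.0.0.1",
                 "sport": 53, "dport": 51000}
    for name, pkt in (("echo reply", echo_reply), ("DNS reply", dns_reply)):
        for kw in (False, True):
            print(name, "| router-traffic:", kw, "|", reply_admitted(acl, pkt, True, kw))
    print("inbound SSH |", evaluate(acl, "tcp", "198.51.100.7", "10.0.0.1", 40000, 22))
```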
10-22-2012 10:42 AM
Thank you for your reply Alain.
I entered that into the configuration. Just to clarify, do I add that alongside my previous or do I negate those in favour of the ones you suggested?
EDIT:
I have entered these into the router and still nothing.
I still can't seem to ping from the router console the ISP default gateway, or my public interface, which is directly connected. I have verified these are both up with the no shut command. To eliminate that their router might be blocking icmp requests, I have attempted to ping it from a different router and network with success.
Any further suggestions would be of great help! Thank you in advance.
Message was edited by: Scott Dowsett
10-22-2012 10:48 AM
Hi,
You must negate the others and replace them with these. Also, in global config add this: ip inspect log drop-pkt
if you've got traffic dropped by your CBAC config they will appear in the log outputs then.
Regards.
Alain
Don't forget to rate helpful posts.
10-22-2012 10:58 AM
Hello Alain,
Thanks again for your prompt reply.
I have enabled ip inspect log drop-pkt, however I am unfamiliar with how to view these logs. What command allows me to view the logs on the dropped packets?
Also in my troubleshooting I have disabled the FIREWALL rules entirely both negating the commands and removing off the interface and still the same issues with my configuration/router. After exhausting this I went back to my above configuration.
I have run out of ideas on how to get it working even with all ACLs disabled and I've also tried a basic NAT config to try to eliminate that.
Thank you for your help!
10-22-2012 11:04 AM
to view the logs:
logging console info
logging buffered info
What is your config now and what is still not working?
Regards.
Alain
Don't forget to rate helpful posts.
10-22-2012 11:14 AM
Hello Alain,
Thanks for the reply.
Problem is still the same: from the router I cannot get to the internet, cannot ping any public IP, and cannot ping the ISP default gateway (which I can from the other router). I can manage this router remotely from its public IP however, so traffic can get to it from either direction, just not across/through it. Though not being able to contact the ISP gateway from the router is where I think the problem is residing. (In my example I made my public and default route 10.0.0.1 and 10.0.0.2.)
Config now is:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WIN_FRWLL-GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
logging console informational
!
no aaa new-model
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip name-server 172.1.0.30
ip name-server 172.1.0.40
ip name-server 172.1.0.42
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name FIREWALL_IN pptp
ip inspect name FIREWALL_IN ipsec-msft
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp router-traffic
ip inspect name FIREWALL icmp router-traffic
login block-for 30 attempts 4 within 15
login delay 5
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1997974926
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1997974926
revocation-check none
rsakeypair TP-self-signed-1997974926
!
!
crypto pki certificate chain TP-self-signed-1997974926
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FTX1613804K
!
!
username
username
!
redundancy
!
!
no ip ftp passive
ip ssh version 2
!
!
interface Loopback0
no ip address
shutdown
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ###CONNECTION TO INTERNET###$FW_OUTSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group OUTSIDE_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect FIREWALL_IN in
ip inspect FIREWALL out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description ### INTERNAL LAN ###$FW_INSIDE$
ip address 172.1.0.8 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.1.0.6 25 10.0.0.1 25 extendable
ip nat inside source static tcp 172.1.0.41 443 10.0.0.1 443 extendable
ip nat inside source static tcp 172.1.0.41 465 10.0.0.1 465 extendable
ip nat inside source static tcp 172.1.0.36 1723 10.0.0.1 1723 extendable
ip nat inside source static tcp 172.1.0.36 2080 10.0.0.1 2080 extendable
ip nat inside source static tcp 172.1.0.41 3389 10.0.0.1 45000 extendable
ip nat inside source static tcp 172.1.0.20 3389 10.0.0.1 45001 extendable
ip nat inside source static tcp 172.1.0.58 3389 10.0.0.1 45002 extendable
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.20.0 255.255.255.0 172.1.0.3
ip route 192.168.35.0 255.255.255.0 172.1.0.3
ip route 192.168.36.0 255.255.255.0 172.1.0.3
ip route 192.168.40.0 255.255.255.0 172.1.0.3
!
ip access-list extended NAT
deny ip 172.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.1.0.0 0.0.255.255 172.16.0.0 0.15.255.255
deny ip 172.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.20.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.35.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.35.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.35.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.36.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.36.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.36.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.40.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.40.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.1.0.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.35.0 0.0.0.255 any
permit ip 192.168.36.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended OUTSIDE_IN
permit udp host 64.90.182.55 eq ntp host 10.0.0.1 eq ntp
permit udp host 24.56.178.140 eq ntp host 10.0.0.1 eq ntp
permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
permit udp host 129.6.15.28 eq ntp host 10.0.0.1 eq ntp
permit tcp any host 10.0.0.1 eq telnet
permit tcp any host 10.0.0.1 eq 22
permit tcp any host 10.0.0.1 eq smtp
permit tcp any host 10.0.0.1 eq 8013
permit tcp any host 10.0.0.1 eq 443
permit tcp any host 10.0.0.1 eq 45002
permit tcp any host 10.0.0.1 eq 45001
permit tcp any host 10.0.0.1 eq 45000
permit tcp any host 10.0.0.1 eq 2080
permit tcp any host 10.0.0.1 eq 465
permit tcp any host 10.0.0.1 eq 1723
permit gre any host 10.0.0.1
permit esp any host 10.0.0.1
permit udp any host 10.0.0.1 eq isakmp
!
!
!
!
!
route-map NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
banner motd
*****************************************************************
This is a secure device Unauthorized Access Strictly Prohibited
This device belongs to Electrozad Supply Company Ltd.
*****************************************************************
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 24.56.178.140 source GigabitEthernet0/0
ntp server 64.90.182.55 prefer source GigabitEthernet0/0
end
10-22-2012 11:21 AM
Hi,
OK, so pinging 8.8.8.8 from the router is not working and you've got no logs either in console or in the buffer (with sh log)?
Can you do this:
access-list 199 permit icmp any any
do debug ip pack detail 199
logging buffered 1000000 debug
do clear log
do ping 8.8.8.8
do sh log
and post sanitized output here (not showing your real IPs)
Regards.
Alain
Don't forget to rate helpful posts.
10-22-2012 11:28 AM
Hello Alain,
ok so pinging 8.8.8.8 from router is not working and you've got no logs either in console or in the buffer( with sh log) ?
No I cannot ping 8.8.8.8 from router, and there are some messages logged in the Console logging (29 messages), and buffer logging (3 messages).
After running commands you stated output is:
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level informational, 29 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level informational, 3 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
Trap logging: level informational, 32 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (8192 bytes):
Oct 22 18:05:57.808: %SYS-5-CONFIG_I: Configured from console by user on vty3 (Omitted)
Oct 22 18:07:51.677: %SYS-5-CONFIG_I: Configured from console by user on vty3 (omitted)
Oct 22 18:22:21.636: %SYS-5-CONFIG_I: Configured from console by user on vty3 (omitted)
Should I apply newly created ACL 199 to an interface (in|out) ?
Thanks your help in advance!
10-22-2012 11:41 AM
Hi,
Console logging: level informational, 29 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level informational, 3 messages logged, xml disabled,
filtering disabled
So you haven't got debug logging either in console or buffer.
conf t
logging console debug
logging buff debug
logging buff 1000000
do clear log
do sh log after the unsuccessful ping of course
How are you connected to the router? console cable or via telnet/ssh if second option:
conf t
logging monitor debug
exit
terminal monitor
Regards.
Alain
Don't forget to rate helpful posts.
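An added example, not part of any post in this thread: a Python example that reduces `debug ip packet detail` output for the ICMP test to one event per packet and lists echo requests that never got a reply. The sample lines are constructed in the format of the output posted further down; treating `sending full packet` and `rcvd` as the one-per-packet events, and the function names, are assumptions of the example.

```python
import re
from collections import Counter

IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \([^)]*\), d=(?P<dst>[\d.]+)(?: \([^)]*\))?, "
    r"len \d+, (?P<event>.+)$"
)
ICMP_RE = re.compile(r"ICMP type=(?P<type>\d+), code=\d+")

# Constructed sample: two pings from the router to 8.8.8.8 and one ping from
# an inside host to the router, which the router answers.
SAMPLE_LOG = """\
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:44:56.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.075: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending
Oct 22 18:44:56.075: ICMP type=8, code=0
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:56.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.079: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:44:56.079: ICMP type=8, code=0
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:44:58.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:58.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:44:58.075: ICMP type=8, code=0
Oct 22 18:45:23.035: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, input feature
Oct 22 18:45:23.035: ICMP type=8, code=0, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8 (GigabitEthernet0/1), len 62, rcvd 3
Oct 22 18:45:23.039: ICMP type=8, code=0
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, sending full packet
Oct 22 18:45:23.039: ICMP type=0, code=0
"""


def wire_events(log_text):
    """Yield (direction, src, dst, icmp_type) once per packet.

    The debug prints one 'IP:' line per feature a packet passes through, so
    counting lines overcounts packets. Only the terminal events are kept:
    'sending full packet' (transmit) and 'rcvd N' (delivered to the router)."""
    pending = None
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m:
            event = m.group("event")
            if event == "sending full packet":
                pending = ("tx", m.group("src"), m.group("dst"))
            elif event.startswith("rcvd"):
                pending = ("rx", m.group("src"), m.group("dst"))
            else:
                pending = None
            continue
        m = ICMP_RE.search(line)
        if m and pending:
            # The ICMP detail line directly follows the IP line it describes.
            yield pending + (int(m.group("type")),)
        pending = None


def unanswered_echoes(log_text):
    """Return {(requester, target): (requests, replies)} where replies are missing."""
    requests, replies = Counter(), Counter()
    for _direction, src, dst, icmp_type in wire_events(log_text):
        if icmp_type == 8:        # echo request
            requests[(src, dst)] += 1
        elif icmp_type == 0:      # echo reply, keyed by the original requester
            replies[(dst, src)] += 1
    return {flow: (n, replies[flow]) for flow, n in requests.items() if replies[flow] < n}


if __name__ == "__main__":
    for (src, dst), (sent, answered) in unanswered_echoes(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {sent} echo requests, {answered} replies")
```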
10-22-2012 11:49 AM
Hello Alain,
I really appreciate your patience with me and your help!
Here is the log output (same message over and over). So for sake of too much text, here is a post of some of it, which I hope will give enough information on what's happening.
EDIT:
To me it looks like it's going out as my public IP then replying back to a different IP (other router maybe?) or I am completely wrong and am misreading the logs.
Also was connected via ssh.
Thanks
LOG:
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:44:56.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.075: FIBipv4-packet-proc: route packet from (local) src 10.0.0.1 dst 8.8.8.8
Oct 22 18:44:56.075: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 206.47.92.105
Oct 22 18:44:56.075: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending
Oct 22 18:44:56.075: ICMP type=8, code=0
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:56.075: ICMP type=8, code=0, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:56.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:56.075: ICMP type=8, code=0, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.079: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:56.079: ICMP type=8, code=0, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.079: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:56.079: ICMP type=8, code=0, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:56.079: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:44:56.079: ICMP type=8, code=0
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:44:58.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: FIBipv4-packet-proc: route packet from (local) src 10.0.0.1 dst 8.8.8.8
Oct 22 18:44:58.075: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 206.47.92.105
Oct 22 18:44:58.075: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending
Oct 22 18:44:58.075: ICMP type=8, code=0
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:58.075: ICMP type=8, code=0, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:58.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:58.075: ICMP type=8, code=0, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:58.075: ICMP type=8, code=0, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:44:58.075: ICMP type=8, code=0, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:44:58.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:44:58.075: ICMP type=8, code=0
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:45:00.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:00.075: FIBipv4-packet-proc: route packet from (local) src 10.0.0.1 dst 8.8.8.8
Oct 22 18:45:00.075: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 206.47.92.105
Oct 22 18:45:00.075: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending
Oct 22 18:45:00.075: ICMP type=8, code=0
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:00.075: ICMP type=8, code=0, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:00.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:00.075: ICMP type=8, code=0, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:00.075: ICMP type=8, code=0, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:00.075: ICMP type=8, code=0, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:00.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:45:00.075: ICMP type=8, code=0
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:45:02.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:02.075: FIBipv4-packet-proc: route packet from (local) src 10.0.0.1 dst 8.8.8.8
Oct 22 18:45:02.075: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 206.47.92.105
Oct 22 18:45:02.075: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending
Oct 22 18:45:02.075: ICMP type=8, code=0
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:02.075: ICMP type=8, code=0, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:02.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:02.075: ICMP type=8, code=0, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:02.075: ICMP type=8, code=0, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:02.075: ICMP type=8, code=0, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:02.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:45:02.075: ICMP type=8, code=0
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8, len 100, local feature
Oct 22 18:45:04.075: ICMP type=8, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:04.075: FIBipv4-packet-proc: route packet from (local) src 10.0.0.1 dst 8.8.8.8
Oct 22 18:45:04.075: FIBfwd-proc: packet routed by adj to GigabitEthernet0/0 206.47.92.105
Oct 22 18:45:04.075: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending
Oct 22 18:45:04.075: ICMP type=8, code=0
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:04.075: ICMP type=8, code=0, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:04.075: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:04.075: ICMP type=8, code=0, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:04.075: ICMP type=8, code=0, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, output feature
Oct 22 18:45:04.075: ICMP type=8, code=0, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:04.075: IP: s=10.0.0.1 (local), d=8.8.8.8 (GigabitEthernet0/0), len 100, sending full packet
Oct 22 18:45:04.075: ICMP type=8, code=0
Oct 22 18:45:23.035: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, input feature
Oct 22 18:45:23.035: ICMP type=8, code=0, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.035: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, input feature
Oct 22 18:45:23.035: ICMP type=8, code=0, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, input feature
Oct 22 18:45:23.039: ICMP type=8, code=0, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, input feature
Oct 22 18:45:23.039: ICMP type=8, code=0, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 172.1.0.6 dst 172.1.0.8
Oct 22 18:45:23.039: FIBfwd-proc: Default:172.1.0.8/32 receive entry
Oct 22 18:45:23.039: FIBipv4-packet-proc: packet routing failed
Oct 22 18:45:23.039: IP: tableid=0, s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8 (GigabitEthernet0/1), routed via RIB
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=8, code=0, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=8, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8 (GigabitEthernet0/1), len 62, rcvd 3
Oct 22 18:45:23.039: ICMP type=8, code=0
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, stop process pak for forus packet
Oct 22 18:45:23.039: ICMP type=8, code=0
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8, len 62, enqueue feature
Oct 22 18:45:23.039: ICMP type=8, code=0, Firewall(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6, len 62, local feature
Oct 22 18:45:23.039: ICMP type=0, code=0, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: FIBipv4-packet-proc: route packet from (local) src 172.1.0.8 dst 172.1.0.6
Oct 22 18:45:23.039: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.1.0.6
Oct 22 18:45:23.039: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, sending
Oct 22 18:45:23.039: ICMP type=0, code=0
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=0, code=0, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=0, code=0, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=0, code=0, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=0, code=0, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=0, code=0, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, sending full packet
Oct 22 18:45:23.039: ICMP type=0, code=0
Oct 22 18:45:26.755: IP: s=172.1.0.8 (local), d=172.1.0.6, len 56, local feature
Oct 22 18:45:26.755: ICMP type=3, code=3, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.755: FIBipv4-packet-proc: route packet from (local) src 172.1.0.8 dst 172.1.0.6
Oct 22 18:45:26.755: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.1.0.6
Oct 22 18:45:26.755: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:26.755: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending
Oct 22 18:45:26.755: ICMP type=3, code=3
Oct 22 18:45:26.755: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:26.755: ICMP type=3, code=3, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.755: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:26.755: ICMP type=3, code=3, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.755: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:26.759: ICMP type=3, code=3, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:26.759: ICMP type=3, code=3, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:26.759: ICMP type=3, code=3, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending full packet
Oct 22 18:45:26.759: ICMP type=3, code=3
Oct 22 18:45:28.755: IP: s=172.1.0.8 (local), d=172.1.0.6, len 56, local feature
Oct 22 18:45:28.759: ICMP type=3, code=3, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:28.759: FIBipv4-packet-proc: route packet from (local) src 172.1.0.8 dst 172.1.0.6
Oct 22 18:45:28.759: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.1.0.6
Oct 22 18:45:28.759: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending
Oct 22 18:45:28.759: ICMP type=3, code=3
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:28.759: ICMP type=3, code=3, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:28.759: ICMP type=3, code=3, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:28.759: ICMP type=3, code=3, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:28.759: ICMP type=3, code=3, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:28.759: ICMP type=3, code=3, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:28.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending full packet
Oct 22 18:45:28.759: ICMP type=3, code=3
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6, len 56, local feature
Oct 22 18:45:30.759: ICMP type=3, code=3, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:30.759: FIBipv4-packet-proc: route packet from (local) src 172.1.0.8 dst 172.1.0.6
Oct 22 18:45:30.759: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.1.0.6
Oct 22 18:45:30.759: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending
Oct 22 18:45:30.759: ICMP type=3, code=3
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:30.759: ICMP type=3, code=3, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:30.759: ICMP type=3, code=3, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:30.759: ICMP type=3, code=3, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:30.759: ICMP type=3, code=3, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:30.759: ICMP type=3, code=3, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:30.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending full packet
Oct 22 18:45:30.759: ICMP type=3, code=3
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6, len 56, local feature
Oct 22 18:45:32.759: ICMP type=3, code=3, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:32.759: FIBipv4-packet-proc: route packet from (local) src 172.1.0.8 dst 172.1.0.6
Oct 22 18:45:32.759: FIBfwd-proc: packet routed by adj to GigabitEthernet0/1 172.1.0.6
Oct 22 18:45:32.759: FIBipv4-packet-proc: packet routing succeeded
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending
Oct 22 18:45:32.759: ICMP type=3, code=3
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:32.759: ICMP type=3, code=3, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:32.759: ICMP type=3, code=3, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:32.759: ICMP type=3, code=3, Firewall (NAT)(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:32.759: ICMP type=3, code=3, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:32.759: ICMP type=3, code=3, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:32.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending full packet
Oct 22 18:45:32.759: ICMP type=3, code=3
Message was edited by: Scott Dowsett
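Added example (not part of the original post): a small Python parser for the debug output above. It pairs each "IP:" line with the "ICMP" line that follows it, counts every packet once at its terminal stage, and lists the features the packet passed through. The sample lines are copied from the log; ICMP type 3 code 3 is port unreachable, which the router (172.1.0.8) is sending to 172.1.0.6.

```python
import re
from collections import Counter

# Lines copied from the debug output above (one packet of each ICMP kind).
SAMPLE = """\
Oct 22 18:45:23.039: IP: s=172.1.0.6 (GigabitEthernet0/1), d=172.1.0.8 (GigabitEthernet0/1), len 62, rcvd 3
Oct 22 18:45:23.039: ICMP type=8, code=0
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, output feature
Oct 22 18:45:23.039: ICMP type=0, code=0, NAT Inside(8), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:23.039: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 62, sending full packet
Oct 22 18:45:23.039: ICMP type=0, code=0
Oct 22 18:45:26.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, output feature
Oct 22 18:45:26.759: ICMP type=3, code=3, Firewall (inspect)(48), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 22 18:45:26.759: IP: s=172.1.0.8 (local), d=172.1.0.6 (GigabitEthernet0/1), len 56, sending full packet
Oct 22 18:45:26.759: ICMP type=3, code=3
"""

IP_RE = re.compile(r"IP: s=(\S+) \(\S+\), d=(\S+?)(?: \(\S+\))?, len \d+, (.+)$")
ICMP_RE = re.compile(r"ICMP type=(\d+), code=(\d+)(?:, (.+?\(\d+\)), rtype)?")
ICMP_NAMES = {(8, 0): "echo request", (0, 0): "echo reply", (3, 3): "port unreachable"}

def parse(log):
    """Pair every 'IP:' line with the 'ICMP' line that follows it."""
    events, pending = [], None
    for line in log.splitlines():
        ip, icmp = IP_RE.search(line), ICMP_RE.search(line)
        if ip:
            pending = ip.groups()          # (src, dst, processing stage)
        elif icmp and pending:
            src, dst, stage = pending
            kind = ICMP_NAMES.get((int(icmp[1]), int(icmp[2])), f"type {icmp[1]} code {icmp[2]}")
            events.append({"src": src, "dst": dst, "stage": stage, "icmp": kind, "feature": icmp[3]})
            pending = None
    return events

def summarize(events):
    """Count each packet once (at 'rcvd' or 'sending full packet'); list features seen."""
    packets, features = Counter(), {}
    for e in events:
        key = (e["src"], e["dst"], e["icmp"])
        if e["feature"]:
            features.setdefault(key, []).append(e["feature"])
        if e["stage"].startswith("rcvd") or e["stage"] == "sending full packet":
            packets[key] += 1
    return packets, features

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```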
10-22-2012 12:03 PM
Hello Alain,
Apologies for the end part of the log, I attempted to sanitize it as much as possible so it had relevant information.
I don't know if this also helps,
For my static ports that I have opened and redirected, they won't function either. Only ports I can get to the router publicly are the ports used to manage the router itself. (telnet, ssh) Other ports are not responding when I try to connect via them, that is why originally I thought it was NAT issues...
Thanks for your help!
10-23-2012 12:14 AM
Sorry I wrote and deleted a post. I think you need to simplify your issue here. Remove the ACLs from the Gig 0/0 interface completely temporarily and try again. If it still isn't working.... definitely not an ACL issue.
As for NAT, the config looks pretty normal to me. You could try removing the global overload NAT statement and then the interface Gig 0/0 nat statement.... then try and ping the next-hop.
With NAT and ACLs out of the picture there should be nothing stopping you from pinging the next hop except for the next-hop itself. Never dismiss the fact that some devices don't respond to ICMP (ping) messages! Ping is not always a valid test!
If in doubt, get approval from whoever, then run the following commands which will schedule the router to reboot in 10mins to the original config:
copy run start
reload in 10
conf t
no ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
int gig 0/0
no ip access-group OUTSIDE_IN in
no ip nat outside
end
ping 10.0.0.2
If the ping works then it is definitely ACLs/NAT. To rollback changes without rebooting:
conf t
int gig 0/0
ip access-group OUTSIDE_IN in
ip nat outside
ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
end
reload cancel
Good luck.
10-23-2012 10:45 AM
Thank you kind sir!
I took your suggestion about the speed and set it to 100mbits and boom things started to behave.
I built the configuration from the ground up again to eliminate anything else.
So thank you for your insight and suggestion, helped me figure it out!
Now all I need to do is get my static NAT maps to function, any suggestions as to that?
Does using route-map for NAT affect the
ip nat inside source static tcp
entries? Or will I have to build a different way of doing so?
I would like to thank you for your help, and if you've got any other suggestions on the NAT ports please let me know.