Cisco/ISR/NAT works weird

maxnetstat
Level 1

Hi!
I set up Cisco NAT and it works weird...
Ping through NAT works, but ports are not available, although the broadcast is on:

ip nat translation:

tcp xx.xx.xx.55:56666 10.10.0.25:56666 172.16.0.100:888 172.16.0.100:888
icmp xx.xx.xx.55:35 10.10.0.25:35 172.16.0.100:35 172.16.0.100:35

Ping from 10.10.0.25 (OK):

ping 172.16.0.100 -c 10
...
--- 172.16.0.100 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9033ms
rtt min/avg/max/mdev = 9.403/13.048/40.397/9.670 ms

But TCP ports on 172.16.0.100 are not available.
For the telnet example from 10.10.0.25:
telnet 172.16.0.100 888
No answer...
There are no requests from 10.10.0.25 on the 172.16.0.100 side.
There are no restrictions on either side.


Config:

ip nat pool pool-dc xx.xx.xx.55 xx.xx.xx.55 netmask 255.255.255.0
ip nat inside source list acl-dc pool pool-dc overload

ip access-list extended acl-dc
permit ip host 10.10.0.15 host 172.16.0.100
permit ip host 10.10.0.20 host 172.16.0.100
permit ip host 10.10.0.25 host 172.16.0.100




Accepted Solution

maxnetstat
Level 1

Solved!
This scheme works through a crypto map, and in the linked ACL it was:

permit tcp host xx.xx.xx.55 host 172.16.0.100
permit ip host xx.xx.xx.55 host 172.16.0.100



I removed TCP, and everything worked.
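A check for the pattern found in the accepted solution, as an added example that is not part of the original thread: it scans an IOS extended ACL and flags protocol-specific `permit` entries that a `permit ip` entry for the same endpoints already covers. The ACL name `acl-vpn` and the function names are assumptions; endpoints are compared as text, so masked addresses such as `xx.xx.xx.55` work as-is.

```python
# Constructed sample: the two crypto ACL entries quoted in the post.
# The ACL name "acl-vpn" is hypothetical; the thread does not give it.
SAMPLE_ACL = """\
ip access-list extended acl-vpn
 permit tcp host xx.xx.xx.55 host 172.16.0.100
 permit ip host xx.xx.xx.55 host 172.16.0.100
"""

# Port operators and how many tokens each one consumes.
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}


def _endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and an optional port match."""
    if tokens[0] == "any":
        spec, rest = ("any",), tokens[1:]
    else:
        spec, rest = tuple(tokens[:2]), tokens[2:]
        if spec[1] == "0.0.0.0":            # "A 0.0.0.0" means the same as "host A"
            spec = ("host", spec[0])
    if rest and rest[0] in PORT_OPS:
        rest = rest[PORT_OPS[rest[0]]:]
    return spec, rest


def parse_entries(acl_text):
    """Return permit/deny entries as dicts; other lines (header, remarks) are skipped."""
    entries = []
    for raw in acl_text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():  # drop a leading sequence number
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        try:
            src, rest = _endpoint(tokens[2:])
            dst, _ = _endpoint(rest)
        except IndexError:                  # truncated entry
            continue
        entries.append({"line": raw.strip(), "action": tokens[0],
                        "proto": tokens[1], "src": src, "dst": dst})
    return entries


def find_shadowed(acl_text):
    """Pairs (specific_line, covering_line): a non-ip permit covered by a permit ip."""
    permits = [e for e in parse_entries(acl_text) if e["action"] == "permit"]
    broad = [e for e in permits if e["proto"] == "ip"]
    covers = lambda b, n: b == ("any",) or b == n
    return [(n["line"], b["line"]) for n in permits if n["proto"] != "ip"
            for b in broad if covers(b["src"], n["src"]) and covers(b["dst"], n["dst"])]
```

Run against the NAT ACL from the question (`acl-dc`), it reports nothing, since every entry there is already `permit ip`.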
