IP NAT OUTSIDE

engineer_msu · ‎08-06-2017

Dears, I am not able to ping the intreface when I applied the NAT command to the interface. When we remove the NAT command we are able to reach the interface.

There is no change in Configuration and this happend all of a sudden.

Below is NAT and Interface configuration.

interface GigabitEthernet0/2
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map ASD-Dubai

ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
ip route 0.0.0.0 0.0.0.0 194.170.167.185

access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.104.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any

Georg Pauwen · ‎08-06-2017

Hello,

ip nat inside source list DANON interface GigabitEthernet0/0.57 overload

and

interface GigabitEthernet0/2
ip address x.x.x.x 255.255.255.252
ip nat outside

don't make sense.

Post the full config of the router. Is whatever you have in the crypto map excluded from NAT ?

engineer_msu · ‎08-06-2017

Hi Georg, From this Router we have two IPSec tunnels, one is going to remote site intranet. the things were fine till tomorrow and now we are facing this issue, we have not made any change to the Router. attached is the configuration.

Georg Pauwen · ‎08-06-2017

Hello,

What are you sending to GigabitEthernet0/2 to be NATted ? I cannot see anything in your configuration that requires GigabitEthernet0/2 to be a NAT outside interface...or am I missing something ?

engineer_msu · ‎08-06-2017

This is for the Internet Traffic, users will go to internet directly, this interface is facing to ISP

Georg Pauwen · ‎08-06-2017

Hello,

what part of your configuration defines the NAT traffic for GigabitEthernet0/2 ?

None of these statements relate to GigabitEthernet0/2:

ip nat pool pool y.y.y.18 y.y.y.20 netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT

Or are you sending all traffic through the tunnel to be NATted and is the ISP connection at the other end of the tunnel ?

engineer_msu · ‎08-06-2017

NAT configuration for this intreface is as below

ip nat pool pool y.y.y.18 y.y.y.20 netmask 255.255.255.248
ip nat inside source list 101 pool pool overload

we have IPSec tunnel configured with this interface, the IPsec is also down when we applie IP NAT OUTSIDE, it was working very much normal and the issue came yesterday all of a sudden, there was no change in configuration. The IP at this interface was pingable over internet, now we are not able to ping this interface when NAT is applied.

Georg Pauwen · ‎08-06-2017

Hello,

so:

interface GigabitEthernet0/2
ip address x.x.x.186 255.255.255.252

The IP address of this interface needs to be in the same range as the pool you have configured. So it has to be something similar to:

y.y.y.18 y.y.y.20 netmask 255.255.255.248

in that range. Check if somebody changed the IP address of GigabitEthernet0/2. It currently has a /30 mask.

engineer_msu · ‎08-06-2017

The IP address on the interface is since years, no change in IP

the Interface IP and the NAT Pool IPs are both public IPs, so no need for them to be in same range, they both belong to same ISP.

Georg Pauwen · ‎08-06-2017

Hello,

even if both the IP address of GigabiEthernet0/2 and the public IP addresses in the pool are provided by the same ISP, the pool addresses need a default gateway, which is the IP address of GigabitEthernet0/2. How are you routing the pool addresses otherwise ?

Have a look at Paul's post as well, there are numerous issues with your configuration. Maybe it helps if you post a schematic drawing of your network so that we can see what is connected to what...

engineer_msu · ‎08-06-2017

It seems there is some BUG in IOS, I will try to upgrade the IOS and will check if that help.

engineer_msu · ‎08-06-2017

Is there any BUG in this IOS version

c2900-universalk9-mz.SPA.155-3.M3.bin

paul driver · ‎08-06-2017

Hello

1) your nat pool has a different subnet mask then your wan interface

2) remove ip any any from Acl 101

ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload. - SEE above

ip nat inside source list DANON interface GigabitEthernet0/0.57 overload. - THIS IS referencing the wrong interface or nat is applied to the wrong interface

ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT

--- don't see the route map relating to this statement

ip route 0.0.0.0 0.0.0.0 194.170.167.185 - - Is this a recursive default as it doesn't t Match your wan interface address

res

paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

engineer_msu · ‎08-06-2017

Hi,

The NAT Pool and Interface has same subnet mask that is /29

Interface is Gi0/0.94 for which the given range of Public IPs are configured. The intreface G0/2 is Point to Point intreface between ISP and Our Router.

For Danon, there is a separate ACL, when users tries to access DANON site, they are natted to this intreface.

Regarding ACL 101 any any entry I will remove it tomorrow and update the discussion

Georg Pauwen · ‎08-06-2017

Hello,

interface GigabitEthernet0/0.94
encapsulation dot1Q 94
ip address y.y.y.17 255.255.255.248

There is no NAT configuration here. I am lost...

Either way, your original question was why the interface cannot be pinged when you apply 'ip nat outside'. Can you post the output of 'sh ip nat translations' ?