
IP NAT OUTSIDE

engineer_msu
Level 1

Dears, I am not able to ping the interface when I applied the NAT command to the interface. When we remove the NAT command we are able to reach the interface.

There is no change in configuration and this happened all of a sudden.

Below is NAT and Interface configuration.

interface GigabitEthernet0/2
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map ASD-Dubai

ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
ip route 0.0.0.0 0.0.0.0 194.170.167.185

access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.104.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any

18 Replies

We are using the interface 'interface GigabitEthernet0/0.94' to use the IP range in the NAT pool, which is this range of public IPs, but the point-to-point interface with the provider is G0/2.

NAT translations I will provide once the onsite engineer visits the site, as we are not able to access the router remotely.

engineer_msu
Level 1

Dears, I suspect the issue is because of the ACL Entry 'access-list 101 permit ip any any'

I am arranging for the onsite engineer to visit the site. I will remove this entry and then update the discussion. There is no issue with any other configuration. The configuration is designed very carefully to cater for the requirement at this site.

The public IPs in the NAT pool are routable through the interface G0/2, hence there is no need for any gateway for the public IPs configured in the pool.

I will update the discussion once I remove the ACL entry.

Hello

There is no change in configuration and this happened all of a sudden.

now


suspect the issue is because of the ACL Entry 'access-list 101 permit ip any any'

When we remove the NAT command we are able to reach the interface.

So as I stated in my previous post, and others have too, your configuration doesn't look viable, and some of those entries I have already outlined for you.

Another thing I have noticed from the config file you attached:

int gig0/0
ip nat inside

int gig0/0.57
ip nat outside

res
Paul

Kind Regards
Paul

engineer_msu
Level 1

The issue was because of the ACL entry 'any any' in ACL 101. The interface IP was getting NATed because of this ACL entry.

I removed the ACL entry and the things started working fine.
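The resolution above turns on one thing: `ip nat inside source list 101 ...` translates every packet that ACL 101 permits, and a trailing `permit ip any any` permits traffic from sources that were never meant to be inside, including addresses on the router itself. The following added example (not part of the thread, not Cisco's code) is a small Python model of first-match wildcard-mask ACL evaluation. It parses a representative subset of ACL 101 as posted, plus the catch-all, and compares it with the same ACL after the catch-all is removed. The sample source and destination addresses other than the thread's 172.17.x.x networks are constructed, and the model deliberately simplifies IOS NAT (it only answers "does the NAT ACL permit this flow", nothing about pools, order of operations or locally generated traffic).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: a representative subset of ACL 101 from the thread,
# ending in the catch-all that the original poster identified as the cause.
ACL_101_ORIGINAL = """
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any
"""

# The same ACL with the catch-all removed, as in the fix applied on the thread.
ACL_101_FIXED = "\n".join(
    line for line in ACL_101_ORIGINAL.strip().splitlines()
    if line.strip() != "access-list 101 permit ip any any"
)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i].

    Returns (network, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(text):
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the plain 'ip' form used in the thread is modelled
        action = tokens[2]
        src_net, src_wild, i = _parse_addr(tokens, 4)
        dst_net, dst_wild, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, src_net, src_wild, dst_net, dst_wild))
    return entries


def _wild_match(addr, net, wild):
    # Wildcard-mask semantics: a 1 bit in the mask means "don't care".
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def acl_action(entries, src, dst):
    """First-match evaluation; an ACL ends in an implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _wild_match(s, e.src_net, e.src_wild) and _wild_match(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def would_translate(acl_text, src, dst):
    """True when 'ip nat inside source list' would select this flow for NAT."""
    return acl_action(parse_acl(acl_text), src, dst) == "permit"


if __name__ == "__main__":
    # 192.0.2.10 / 198.51.100.1 are constructed documentation addresses that
    # stand in for a source that is not one of the site's inside networks.
    for label, acl in (("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED)):
        print(label, "inside host to Internet:", would_translate(acl, "172.17.5.10", "8.8.8.8"))
        print(label, "inside host to excluded net:", would_translate(acl, "172.17.5.10", "172.17.32.5"))
        print(label, "non-inside source:", would_translate(acl, "192.0.2.10", "198.51.100.1"))
```

Running it shows that the inside-to-Internet and inside-to-excluded-network results are identical before and after the fix; only the flow from a source outside the 172.17.x.x inside networks changes from "translate" to "do not translate". That is the practical check to run on any NAT ACL: the last line should be the most specific permit you actually need, never `permit ip any any`.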
