engineer_msu
Beginner

IP NAT OUTSIDE

Dears, I am not able to ping the interface when I apply the NAT command to the interface. When we remove the NAT command we are able to reach the interface.

There is no change in configuration and this happened all of a sudden.

Below is NAT and Interface configuration.

interface GigabitEthernet0/2
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map ASD-Dubai

ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
ip route 0.0.0.0 0.0.0.0 194.170.167.185

access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.104.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any

18 REPLIES

We are using this interface 'interface GigabitEthernet0/0.94' to use the IP range in the NAT pool, which is this range of public IPs, but the point-to-point interface with the provider is G0/2.

NAT translations I will provide once the onsite engineer visits the site, and we are not able to access the router remotely.

engineer_msu
Beginner

Dears, I suspect the issue is because of the ACL entry 'access-list 101 permit ip any any'.

I am arranging for the onsite engineer to visit the site. I will remove this entry and then update the discussion. There is no issue with any other configuration. The configuration is designed very carefully to cater to the requirement at this site.

The public IPs in the NAT pool are routable through the interface G0/2, hence there is no need for any gateway for the public IPs configured in the pool.

I will update the discussion once I remove the ACL entry.

Hello

There is no change in configuration and this happened all of a sudden.

now


suspect the issue is because of the ACL Entry 'access-list 101 permit ip any any'

When we remove the NAT command we are able to reach the interface.

So as I stated in my previous post, and as others have, your configuration doesn't look viable, and some of those entries I have already outlined for you.

Another thing I have noticed from the config file you attached:

int gig0/0
ip nat inside

int gig0/0.57
ip nat outside

res
Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
engineer_msu
Beginner

The issue was because of the ACL entry 'any any' in ACL 101. The interface IP was getting NATed because of this ACL entry.

I removed the ACL entry and things started working fine.
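
A way to check a configuration for the condition reported in the final post, as an added example that is not part of the thread: the script finds each numbered ACL referenced by `ip nat inside source list` and reports the first `permit` entry that a given source address (here the router's own outside address) can reach. The function names and the 203.0.113.2 placeholder for the masked x.x.x.x address are assumptions; only numbered `access-list ... ip` entries are parsed, and first-match evaluation is approximated by stopping at a `deny <src> any`.

```python
import ipaddress

# Constructed sample: three ACL 101 entries and the NAT rule from the thread.
SAMPLE_CONFIG = """\
ip nat inside source list 101 pool pool overload
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip any any
"""
ANY = (0, 0xFFFFFFFF)  # (base, wildcard) form of the keyword 'any'
NAT_PREFIX = ["ip", "nat", "inside", "source", "list"]

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _matches(spec, addr):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def nat_lists_matching(config, source_ip):
    """Map each NAT source ACL to the first permit entry that source_ip can hit."""
    addr = int(ipaddress.IPv4Address(source_ip))
    lines = [l.split() for l in config.splitlines()]
    nat_acls = {t[5] for t in lines if len(t) > 5 and t[:5] == NAT_PREFIX}
    findings, closed = {}, set()
    for t in lines:
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        acl, action, rest = t[1], t[2], t[4:]
        if acl not in nat_acls or acl in findings or acl in closed:
            continue
        src, dst = _take_addr(rest), _take_addr(rest)
        if not _matches(src, addr):
            continue
        if action == "permit":
            findings[acl] = " ".join(t)
        elif dst == ANY:
            closed.add(acl)  # 'deny <src> any' ends evaluation for this source
    return findings

if __name__ == "__main__":
    # 203.0.113.2 is a placeholder for the masked x.x.x.x on GigabitEthernet0/2.
    print(nat_lists_matching(SAMPLE_CONFIG, "203.0.113.2"))
```

With the `permit ip any any` line removed from the sample, the same call returns an empty result for the router's address while the 172.17.5.0/24 hosts still match their own permit entry.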