08-06-2017 06:28 AM - edited 03-05-2019 08:57 AM
Dears, I am not able to ping the interface when I applied the NAT command to the interface. When we remove the NAT command we are able to reach the interface.
There is no change in configuration and this happened all of a sudden.
Below is NAT and Interface configuration.
interface GigabitEthernet0/2
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map ASD-Dubai
ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
ip route 0.0.0.0 0.0.0.0 194.170.167.185
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.104.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any
08-06-2017 10:47 PM
We are using this interface, 'interface GigabitEthernet0/0.94', to use the IP range in the NAT pool, which is this range of public IPs, but the point-to-point interface with the provider is G0/2.
I will provide the NAT translations once the onsite engineer visits the site, as we are not able to access the router remotely.
08-06-2017 10:59 PM
Dears, I suspect the issue is because of the ACL entry 'access-list 101 permit ip any any'.
I am arranging for the onsite engineer to visit the site; I will remove this entry and then update the discussion. There is no issue with any other configuration. The configuration is designed very carefully to cater to the requirements at this site.
The public IPs in the NAT pool are routable through interface G0/2, hence there is no need for any gateway for the public IPs configured in the pool.
I will update the discussion once I remove the ACL entry.
08-07-2017 02:24 AM
Hello
There is no change in configuration and this happened all of a sudden.
now
suspect the issue is because of the ACL Entry 'access-list 101 permit ip any any'
When we remove the NAT command we are able to reach the interface.
So, as I stated in my previous post, and as others have, your configuration doesn't look viable, and some of those entries I have already outlined for you.
Another thing I have noticed from the config file you attached:
int gig0/0
ip nat inside
int gig0/0.57
ip nat outside
res
Paul
08-08-2017 04:25 AM
The issue was because of the 'any any' entry in ACL 101. The interface IP was getting NATed because of this ACL entry.
I removed the ACL entry and things started working fine.
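The resolution above comes down to how the NAT ACL is evaluated: an `ip nat inside source list` ACL is walked top to bottom, the first matching entry wins, a `permit` marks the flow for translation, a `deny` leaves it untranslated, and anything unmatched hits the implicit deny. A trailing `permit ip any any` therefore makes every source a translation candidate, including addresses the author never intended to translate. The following is an added example, not code from the thread or from Cisco: a small Python matcher that applies Cisco wildcard-mask semantics to a subset of the posted ACL 101 and flags catch-all permits in a NAT list. The outside-interface address `203.0.113.2`, the destination `198.51.100.7` and the "tightened" list (the same entries with the `any any` line removed) are constructed for the example and are not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the thread's access-list 101 (a subset of its lines).
ACL_101 = """
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any
"""

# Hypothetical tightened list: the same entries without the catch-all permit,
# which is what the thread's fix ("removed the ACL entry") leaves behind.
ACL_101_TIGHTENED = "\n".join(ACL_101.strip().splitlines()[:-1])


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src_net: int
    src_wc: int      # Cisco wildcard mask: a 1 bit means "don't care"
    dst_net: int
    dst_wc: int
    text: str


def _addr_spec(tokens: List[str], pos: int):
    """Consume one address spec ('any', 'host A.B.C.D', or 'net wildcard')."""
    tok = tokens[pos]
    if tok == "any":
        return 0, 0xFFFFFFFF, pos + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[pos + 1])), 0, pos + 2
    net = int(ipaddress.IPv4Address(tok))
    wc = int(ipaddress.IPv4Address(tokens[pos + 1]))
    return net, wc, pos + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; other lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src_net, src_wc, pos = _addr_spec(tokens, 4)
        dst_net, dst_wc, _ = _addr_spec(tokens, pos)
        entries.append(AclEntry(tokens[2], src_net, src_wc, dst_net, dst_wc, raw.strip()))
    return entries


def _matches(addr: int, net: int, wc: int) -> bool:
    # Bits set in the wildcard are ignored; the remaining bits must equal the network.
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)


def first_match(entries: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    """First-match evaluation; None models the implicit deny at the end of the list."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _matches(s, e.src_net, e.src_wc) and _matches(d, e.dst_net, e.dst_wc):
            return e
    return None


def is_nat_candidate(entries: List[AclEntry], src: str, dst: str) -> bool:
    """True when the NAT list would select this src/dst pair for translation."""
    e = first_match(entries, src, dst)
    return e is not None and e.action == "permit"


def catch_all_permits(entries: List[AclEntry]) -> List[str]:
    """Audit helper: permit entries whose source and destination are both 'any'."""
    return [e.text for e in entries
            if e.action == "permit" and e.src_wc == 0xFFFFFFFF and e.dst_wc == 0xFFFFFFFF]


if __name__ == "__main__":
    for name, text in (("as posted", ACL_101), ("tightened", ACL_101_TIGHTENED)):
        acl = parse_acl(text)
        print(f"ACL 101 {name}: catch-all permits = {catch_all_permits(acl)}")
        for src, dst in (("172.17.5.10", "10.1.2.3"), ("172.17.5.10", "198.51.100.7"),
                         ("203.0.113.2", "198.51.100.7")):
            print(f"  {src} -> {dst}: translate = {is_nat_candidate(acl, src, dst)}")
```

Running the audit against the posted list reports the `permit ip any any` entry and shows the constructed outside address being selected for translation; the tightened list selects only the 172.17.5.0/24 and 172.17.6.0/24 sources, and still leaves the deny exceptions (such as 172.17.5.0/24 to 10.0.0.0/8) untranslated.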