08-06-2017 06:28 AM - edited 03-05-2019 08:57 AM
Dears, I am not able to ping the interface when I apply the NAT command to the interface. When we remove the NAT command we are able to reach the interface.
There is no change in configuration and this happened all of a sudden.
Below is the NAT and interface configuration.
interface GigabitEthernet0/2
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 crypto map ASD-Dubai
ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
ip route 0.0.0.0 0.0.0.0 194.170.167.185
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.17.32.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 deny ip 172.17.10.0 0.0.0.255 172.20.104.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.22.1.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.19.25.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 192.151.106.0 0.0.0.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.17.5.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 101 permit ip 172.17.5.0 0.0.0.255 any
access-list 101 permit ip 172.17.6.0 0.0.0.255 any
access-list 101 permit ip any any
08-06-2017 08:16 AM
Hello,
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
and
interface GigabitEthernet0/2
 ip address x.x.x.x 255.255.255.252
 ip nat outside
don't make sense.
Post the full config of the router. Is whatever you have in the crypto map excluded from NAT ?
08-06-2017 09:18 AM
08-06-2017 09:35 AM
Hello,
What are you sending to GigabitEthernet0/2 to be NATted ? I cannot see anything in your configuration that requires GigabitEthernet0/2 to be a NAT outside interface...or am I missing something ?
08-06-2017 09:37 AM
This is for the Internet Traffic, users will go to internet directly, this interface is facing to ISP
08-06-2017 09:42 AM
Hello,
what part of your configuration defines the NAT traffic for GigabitEthernet0/2 ?
None of these statements relate to GigabitEthernet0/2:
ip nat pool pool y.y.y.18 y.y.y.20 netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
Or are you sending all traffic through the tunnel to be NATted and is the ISP connection at the other end of the tunnel ?
08-06-2017 09:46 AM
NAT configuration for this interface is as below:
ip nat pool pool y.y.y.18 y.y.y.20 netmask 255.255.255.248
ip nat inside source list 101 pool pool overload
We have an IPsec tunnel configured on this interface; the IPsec is also down when we apply IP NAT OUTSIDE. It was working normally and the issue came yesterday all of a sudden; there was no change in configuration. The IP on this interface was pingable over the internet; now we are not able to ping this interface when NAT is applied.
08-06-2017 09:53 AM
Hello,
so:
interface GigabitEthernet0/2
 ip address x.x.x.186 255.255.255.252
The IP address of this interface needs to be in the same range as the pool you have configured. So it has to be something similar to:
y.y.y.18 y.y.y.20 netmask 255.255.255.248
in that range. Check if somebody changed the IP address of GigabitEthernet0/2. It currently has a /30 mask.
08-06-2017 09:57 AM
The IP address on the interface has been the same for years, no change in IP.
The interface IP and the NAT pool IPs are both public IPs, so there is no need for them to be in the same range; they both belong to the same ISP.
08-06-2017 12:08 PM
Hello,
even if both the IP address of GigabiEthernet0/2 and the public IP addresses in the pool are provided by the same ISP, the pool addresses need a default gateway, which is the IP address of GigabitEthernet0/2. How are you routing the pool addresses otherwise ?
Have a look at Paul's post as well, there are numerous issues with your configuration. Maybe it helps if you post a schematic drawing of your network so that we can see what is connected to what...
08-06-2017 09:58 AM
It seems there is some bug in IOS; I will try to upgrade the IOS and check if that helps.
08-06-2017 09:36 AM
Is there any bug in this IOS version?
c2900-universalk9-mz.SPA.155-3.M3.bin
08-06-2017 10:58 AM
Hello
1) your NAT pool has a different subnet mask than your WAN interface
2) remove ip any any from ACL 101
ip nat pool pool y.y.y.y y.y.y.y netmask 255.255.255.248
ip nat inside source list 101 pool pool overload - SEE above
ip nat inside source list DANON interface GigabitEthernet0/0.57 overload - THIS IS referencing the wrong interface, or NAT is applied to the wrong interface
ip nat inside source static 172.17.5.200 10.14.57.200 route-map NAT
--- don't see the route map relating to this statement
ip route 0.0.0.0 0.0.0.0 194.170.167.185 - Is this a recursive default, as it doesn't match your WAN interface address?
res
paul
08-06-2017 12:16 PM
Hi,
The NAT pool and interface have the same subnet mask, that is /29.
The interface is Gi0/0.94, on which the given range of public IPs is configured. The interface G0/2 is the point-to-point interface between the ISP and our router.
For DANON there is a separate ACL; when users try to access the DANON site, they are NATted to this interface.
Regarding the ACL 101 any any entry, I will remove it tomorrow and update the discussion.
08-06-2017 12:59 PM
Hello,
interface GigabitEthernet0/0.94
 encapsulation dot1Q 94
 ip address y.y.y.17 255.255.255.248
There is no NAT configuration here. I am lost...
Either way, your original question was why the interface cannot be pinged when you apply 'ip nat outside'. Can you post the output of 'sh ip nat translations' ?
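The configuration layout the thread keeps circling around (NAT outside on the ISP-facing /30, a pool drawn from a separately routed /29, VPN traffic excluded from the NAT ACL), written out as an added example for reference. This is not configuration from any poster; the addresses are constructed RFC 5737 values standing in for the masked x.x.x.x and y.y.y.y, the inside sub-interfaces and their VLAN IDs are assumed, and it assumes the ISP routes the /29 toward the /30 link address so that return traffic for the pool reaches the router without the pool being on the outside interface's subnet.

```text
! Added example, not from the thread. Constructed addresses: 203.0.113.184/30
! is the ISP link, 198.51.100.16/29 is the ISP-routed block the pool is taken from.
! Assumption: the ISP routes 198.51.100.16/29 to 203.0.113.186.
!
interface GigabitEthernet0/2
 description ISP point-to-point /30; NAT outside and the crypto map live here
 ip address 203.0.113.186 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ! uRPF on an edge link that only carries a default route: "allow-default" lets
 ! sources reachable solely via 0.0.0.0/0 pass the strict (rx) check. Verify the
 ! behaviour of the legacy "ip verify unicast reverse-path" form on your release.
 ip verify unicast source reachable-via rx allow-default
 crypto map ASD-Dubai
!
! Assumed inside sub-interfaces for the two subnets permitted in the thread's ACL
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 172.17.5.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.6
 encapsulation dot1Q 6
 ip address 172.17.6.1 255.255.255.0
 ip nat inside
!
! Pool from the routed /29; its netmask is the /29 of the pool, not the /30 of the link
ip nat pool POOL-INET 198.51.100.18 198.51.100.20 netmask 255.255.255.248
ip nat inside source list NAT-INET pool POOL-INET overload
!
! Named ACL in place of 101. Deny the crypto-map protected pairs first so VPN
! traffic is never translated, then permit only the inside subnets. There is no
! trailing "permit ip any any": anything not listed is left untranslated.
! Only a few of the thread's deny pairs are reproduced here.
ip access-list extended NAT-INET
 deny   ip 172.17.5.0 0.0.0.255 172.17.32.0 0.0.0.255
 deny   ip 172.17.6.0 0.0.0.255 172.17.32.0 0.0.0.255
 deny   ip 172.17.5.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.17.6.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 172.17.5.0 0.0.0.255 any
 permit ip 172.17.6.0 0.0.0.255 any
!
! Default route points at the ISP end of the same /30 as GigabitEthernet0/2
ip route 0.0.0.0 0.0.0.0 203.0.113.185
!
! Checks to run when the outside address stops answering after "ip nat outside":
!   show ip nat translations               - are inside hosts being translated at all?
!   show ip nat statistics                 - confirms which interfaces are inside/outside
!   show ip interface GigabitEthernet0/2   - uRPF mode and its verification drop counter
!   show ip traffic | include RPF          - router-wide uRPF drop counter
!   show crypto session                    - whether the tunnel on the crypto map is up
```

The two points worth checking against a live box are the uRPF drop counters (a strict check on an edge interface silently discards packets whose source is only covered by the default route unless the default is allowed) and the NAT ACL: with a trailing `permit ip any any`, every packet leaving through the outside interface, including the router's own replies and anything the crypto map should have protected, is a candidate for translation.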