cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9013
Views
5
Helpful
16
Replies

LAB: Unable to ping internally

Vking02
Level 1
Level 1

Hi Team, 

 

Hope someone can assist me.

 

I currently have a EVE-NG lab I am trying to complete, but having issues.

I am unable to ping the inside interface on a Cisco device from my Home network. 

I have a static route on my home route pointing to the subnet (192.168.11.x/28) in question (see Image cisco1 for static route)

 

This is the config of the cisco device

 

interface GigabitEthernet0/0
ip address 192.168.11.2 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45

 

================


ip nat inside source list 11 interface GigabitEthernet0/3 overload
!
!
!
access-list 11 permit 192.168.11.0 0.0.0.15
access-list 11 permit 192.168.22.0 0.0.0.255
access-list 11 permit 192.168.33.0 0.0.0.255
access-list 11 permit 192.168.44.0 0.0.0.255
access-list 11 permit 192.168.55.0 0.0.0.255
access-list 11 permit 192.168.66.0 0.0.0.255
!
control-plane

===========


Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.11.2 YES NVRAM up up >>>> points to a FW
GigabitEthernet0/1 unassigned YES NVRAM administratively down down
GigabitEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/3 172.16.10.24 YES DHCP up up <<<< points to ISP router
NVI0 192.168.11.2 YES unset up up

 

=============

 

What is confusing me is, I am able to ping from the FW outside interface (192.168.11.3) to 8.8.8.8 fine


admin@PA-VM> ping source 192.168.11.3 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.11.3 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=19.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=14.1 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=14.6 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss,

 

This is the network design - see attached image, cisco2

 

What am i missing and where am i going wrong? 

 

Thank you in advance.

 

 
 

 

1 Accepted Solution

Accepted Solutions

Hello

The nat satement is incorrect it should be a an ip address that is free and NOT the cisco rtr public wan interface ip.

 

no access-list 11

access-list 11 deny host 192.168.11.3 
access-list 11 permit 192.168.11.0 0.0.0.15
access-list 11 permit 192.168.22.0 0.0.0.255
access-list 11 permit 192.168.33.0 0.0.0.255
access-list 11 permit 192.168.44.0 0.0.0.255
access-list 11 permit 192.168.55.0 0.0.0.255
access-list 11 permit 192.168.66.0 0.0.0.255
access-list 11 permit 192.168.11.0 0.0.0.255
no ip nat inside source static 192.168.11.3 172.16.10.24
ip nat inside source static 192.168.11.3 172.16.10.X

 

Then from your pc test ping 172.16.10.X


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

16 Replies 16

balaji.bandi
Hall of Fame
Hall of Fame

You can not ping, since it was NATed on your vIOS Router.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for replying.

 

What can i do to reach the Outside interface on the FW? (192.168.11.3)

Hello,

 

--> I am unable to ping the inside interface on a Cisco device from my Home network.

--> What can i do to reach the Outside interface on the FW? (192.168.11.3)

 

Which IP address can you not ping ? 192.168.11.2 or 192.168.11.3, or both ? If you cannot ping 192.168.11.3 (the firewall) the reason is most likely that the Palo Alto does not allow ICMP...

Hi, 

 

For the purpose of this LAB, ICMP is allowed on the outside interface of the FW

 
 

But, still cannot find the interface.

I am unable to reach anything past the Cisco Outside interface (172.16.10.24)

 

I ran a debug on the router and this is what I am seeing every time i am pinging..

 

*Oct 22 16:53:17.971: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.973: ICMP type=8, code=0, Common Flow Table(5), rtype 0, fo rus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.975: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.976: ICMP type=8, code=0, Stateful Inspection(8), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.978: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.979: ICMP type=8, code=0, Virtual Fragment Reassembly(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.981: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.983: ICMP type=8, code=0, Virtual Fragment Reassembly After IPSec Decryption(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.985: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.987: ICMP type=8, code=0, NAT Outside(92), rtype 0, forus F ALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.988: IP: s=172.16.10.26 (GigabitEthernet0/3), d=192.168.11.2, l en 60, input feature
*Oct 22 16:53:17.990: ICMP type=8, code=0, MCI Check(109), rtype 0, forus FA LSE, sendself FALSE, mtu 0, fwdchk FALSE
*Oct 22 16:53:17.992: FIBipv4-packet-proc: route packet from GigabitEthernet0/3 src 172.16.10.26 dst 192.168.11.2
*Oct 22 16:53:17.993: FIBfwd-proc: Default:192.168.11.2/32 receive entry
*Oct 22 16:53:17.994: FIBipv4-packet-proc: packet routing failed <<<< 

Hello,

 

odd. I lab tested your setup and can ping anything from 172.16.10.x.

 

What device is 172.16.10.26 ?

Hello
where are you trying to ping from what is the source - is it from the wan addressing?

Note: The outside interface of the PA is attached to the inside interface of the cisco wan rtr which is being natted so in theory from the PA perspective that is a public address however unless you have a specific 1-1 static nat statement for the PAs outside interface ip address you won’t be able to initiate a icmp from any wan rtr outside address 
example:

ip nat inside source static 192.168.11.3 172.16.10 x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi, 

 

Thank you for your response.

I added the 1-1 natting but ping did not work. 

 

InternetRouter#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 172.16.10.24 192.168.11.3 --- ---

 

PA does have NAT enabled - see Capture1.PNG.

 

I am pinging from the 172.16.10.0 network, which is a home network.

 

Public Internet > 172.16.10.0 Network > 192.168.11.0/28 Network. 

- I am trying to ping from the 172.16.10.26 network to the 192.168.11.2 (rtr) and 3 (PA) network.

 

Can you tell me why the traffic generated from the 192.168.11.0 network is able to get to the internet, but i am unable to get to the outside interface from the 172.16... address.

 

admin@PA-VM> ping source 192.168.11.3 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.11.3 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=25.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=16.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=20.6 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=116 time=18.9 ms
c64 bytes from 8.8.8.8: icmp_seq=6 ttl=116 time=22.9 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5005ms
rtt min/avg/max/mdev = 13.747/19.662/25.411/3.901 ms


admin@PA-VM> traceroute source 192.168.11.3 host 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.11.2 (192.168.11.2) 105.324 ms 123.012 ms 112.008 ms
2 172.16.10.10 (172.16.10.10) 94.418 ms 81.032 ms 87.436 ms
3 * * 

Able to reach public domain from here

 

I am also able to reach the public space from behind the router

min@PA-VM> ping source 192.168.22.10 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.22.10 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=20.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=13.7 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 13.772/17.321/20.870/3.549 ms..

 

I am trying to reach the FW outside (192.168.11.3) interface for management purposes from the 172.16.10.0/24 network.

Currently within EVE-NG, I have a Win7 machine which I use for mgmt purposes. I am trying to avoid using this for resourcing reasons.

 

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e578:f0d8:478b:b446%2
IPv4 Address. . . . . . . . . . . : 172.16.10.26
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.10.10

 

:\Users\Admin>ping 192.168.11.2

Pinging 192.168.11.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.11.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

On the rtr

InternetRouter#
*Oct 24 21:21:25.063: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0
*Oct 24 21:21:29.877: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0
*Oct 24 21:21:34.825: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0
*Oct 24 21:21:39.800: ICMP: echo reply sent, src 192.168.11.2, dst 172.16.10.26, topology BASE, dscp 0 topoid 0

 

I tried to ping 192.168.11.3 but I cannot see any traffic being generated on the rtr as like above.


===========

 

ip nat inside source list 11 interface GigabitEthernet0/3 overload
ip nat inside source static 192.168.11.3 172.16.10.24
!
!
!
access-list 11 permit 192.168.11.0 0.0.0.15
access-list 11 permit 192.168.22.0 0.0.0.255
access-list 11 permit 192.168.33.0 0.0.0.255
access-list 11 permit 192.168.44.0 0.0.0.255
access-list 11 permit 192.168.55.0 0.0.0.255
access-list 11 permit 192.168.66.0 0.0.0.255
access-list 11 permit 192.168.11.0 0.0.0.255
!

 

Sorry, not the best at NAT.

 

Thank you in advance

 

 

 

Hello

The nat satement is incorrect it should be a an ip address that is free and NOT the cisco rtr public wan interface ip.

 

no access-list 11

access-list 11 deny host 192.168.11.3 
access-list 11 permit 192.168.11.0 0.0.0.15
access-list 11 permit 192.168.22.0 0.0.0.255
access-list 11 permit 192.168.33.0 0.0.0.255
access-list 11 permit 192.168.44.0 0.0.0.255
access-list 11 permit 192.168.55.0 0.0.0.255
access-list 11 permit 192.168.66.0 0.0.0.255
access-list 11 permit 192.168.11.0 0.0.0.255
no ip nat inside source static 192.168.11.3 172.16.10.24
ip nat inside source static 192.168.11.3 172.16.10.X

 

Then from your pc test ping 172.16.10.X


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Many thanks, this has resolved the issue.

 

Can I just ask why include this:

access-list 11 deny host 192.168.11.3 

 

Thank you

Hello

As you have a specifc static nat statement for that host then you want it not to be included in the general port translation access-list so its denied.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hi,

 

can you do treceroute on your home router for 192.168.11.2?

 

br

Hi, 

 

I am unable to get past the GW, even though there is a router within the router to the 192.168.11.0 network

-S~ 192.168.11.0/ 255.255.255.240 via 172.16.10.24 LAN1

 

GigabitEthernet0/3 172.16.10.24 YES DHCP up up

 

C:\Users\Admin>tracert 192.168.11.2

Tracing route to 192.168.11.2 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 172.16.10.10
2 * * * Request timed out.
3 * * * Request timed out.
4 * * ^C

 

Thank you

how does you routing table looks like? Are you sure that it has entry for 192.168.11.0 pointing to 172.16.10.24? And do you mybe have clasfull routing turned on?

Hello
fyi @DraganSkundric87318 192.168.11.0/24 is the hidden network so it won’t be reachable directly it’s being natted 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul