09-28-2021 11:56 PM
Hello Folks,
I have a router ISR 4431 with built-in interfaces and NIM-ES2-8-P Cisco 8-Port Gigabit Ethernet Switch.
The problem is with NAT translation for VLAN 55 and VLAN 66. I can ping from computers in 192.168.66.0/24 or 192.168.55.0/24 to 192.168.1.0/24 and vice versa.
I can ping from 192.168.66.0/24 or 192.168.55.0/24 to the outside interface address 99.99.99.210 without any problem.
The problem is that I can't access the Internet from 192.168.66.0/24 or 192.168.55.0/24.
Strange thing: I can see translations in the NAT table, but no packets go out to the Internet.
sh ip nat trans | inc 192.168.66.10
tcp 99.99.99.210:12690 192.168.66.10:49571 40.126.31.139:443 40.126.31.139:443
tcp 99.99.99.210:12105 192.168.66.10:49579 178.255.155.167:443 178.255.155.167:443
tcp 99.99.99.210:11436 192.168.66.10:3389 194.61.24.62:53437 194.61.24.62:53437
tcp 99.99.99.210:12114 192.168.66.10:49580 217.146.21.137:443 217.146.21.137:443
tcp 99.99.99.210:11033 192.168.66.10:49588 213.227.185.137:80 213.227.185.137:80
tcp 99.99.99.210:13609 192.168.66.10:49585 192.168.0.12:502 192.168.0.12:502
icmp 99.99.99.210:5 192.168.66.10:3 8.8.8.8:3 8.8.8.8:5
tcp 99.99.99.210:12151 192.168.66.10:49590 188.172.219.147:80 188.172.219.147:80
What is wrong with my config?
Interfaces configuration:
WAN side
interface GigabitEthernet0/0/0
description WAN
ip address 99.99.99.210 255.255.255.252
ip nat outside
ip nbar protocol-discovery
ip access-group 130 in
zone-member security out-zone
negotiation auto
crypto map VPN-SAP-TO-GERMANY
spanning-tree portfast disable
LAN side
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
ip access-group 171 in
zone-member security in-zone
ip policy route-map Gig0/0-IN
negotiation auto
spanning-tree portfast disable
interface GigabitEthernet0/1/0
switchport mode trunk
interface Vlan55
ip address 192.168.55.1 255.255.255.0
ip nat inside
zone-member security in-zone
!
interface Vlan66
ip address 192.168.66.1 255.255.255.0
ip nat inside
ip access-group 171 in
zone-member security in-zone
ip virtual-reassembly
NAT
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
route-map NAT_ISP1 permit 10
match ip address 151
match interface GigabitEthernet0/0/0
access-list 151 deny ip host 192.168.1.27 10.10.80.0 0.0.0.255
access-list 151 deny ip 192.168.1.0 0.0.0.255 10.10.80.0 0.0.0.255
access-list 151 permit ip 192.168.1.0 0.0.0.255 any
access-list 151 permit ip 192.168.2.0 0.0.0.255 any
access-list 151 permit ip 192.168.66.0 0.0.0.255 any
access-list 151 deny ip any any
Solved! Go to Solution.
09-30-2021 11:23 PM
Hi Seb,
I'm getting blind. My ZBF rules blocked traffic from the VLANs' subnets.
I was sure the problem was with NAT and I focused on it. Thanks for kicking my mind the other way.
Best regards
Mac.
09-29-2021 02:48 AM
Hi there,
Can you share the configuration for ACL 130 and also your ZBF?
cheers,
Seb.
09-29-2021 06:01 AM
Hello,
a zone-based firewall and access lists applied to interfaces that are members of a security zone do not work well together. I would suggest removing all access lists from all interfaces. And, as Seb said, post the full running config of your router...
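Added illustration (not the poster's or any reply's configuration) of a minimal ZBF policy for the two zones that do appear in the posted config, in-zone and out-zone, that lets the VLAN subnets be inspected on their way out; the access-list, class-map, policy-map and zone-pair names are assumptions. It also shows why the symptoms point at the firewall rather than NAT: ZBF permits traffic between interfaces in the same zone and to the router's own addresses (self zone) by default, which is exactly the VLAN-to-192.168.1.0/24 and VLAN-to-99.99.99.210 pings that worked, while anything crossing in-zone to out-zone is dropped unless a zone-pair with an inspect policy allows it.

```cisco
! Classification ACL for the firewall only (assumed name); it is separate from
! access-list 151, which the NAT route-map uses.
ip access-list extended LAN-TO-INTERNET
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.55.0 0.0.0.255 any
 permit ip 192.168.66.0 0.0.0.255 any
!
! Match the three inside subnets (assumed class-map name)
class-map type inspect match-all CM-LAN-TO-INTERNET
 match access-group name LAN-TO-INTERNET
!
! Stateful inspection for the inside subnets; everything else is dropped and logged,
! so a missing subnet shows up in the log instead of failing silently (assumed name)
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-LAN-TO-INTERNET
  inspect
 class class-default
  drop log
!
! Zones as named in the posted interface config; the zone-pair is only needed
! for in-zone -> out-zone, since return traffic is handled by the inspect state
zone security in-zone
zone security out-zone
zone-pair security IN-TO-OUT source in-zone destination out-zone
 service-policy type inspect PM-IN-TO-OUT
!
! Verification: per-class hit counters and the drop log
! show policy-map type inspect zone-pair IN-TO-OUT
! show zone-pair security
! show logging | include FW
```

Note that the posted access-list 151 permits 192.168.1.0/24, 192.168.2.0/24 and 192.168.66.0/24 but has no entry for 192.168.55.0/24, so VLAN 55 would still not be translated once the firewall passes it; the route-map ACL needs a matching permit line as well.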