04-03-2019 01:53 PM
interface Loopback6
 ip address X.X.X.62 255.255.255.255

Router#sh ip access-lists
Extended IP access list 199
    10 deny tcp any any eq telnet
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22
    40 permit ip any any (52 matches)
Extended IP access list E_FW_INSIDE_TO_OUTSIDE_ACL_01
    10 permit ip 200.20.20.0 0.0.0.255 any log
    20 permit ip 200.20.21.0 0.0.0.255 any
    30 permit ip 200.20.22.0 0.0.0.255 any
    40 permit ip X.X.X.16 0.0.0.15 any
    50 permit ip X.X.X.32 0.0.0.15 any
    60 permit ip X.X.X.48 0.0.0.15 any
    70 permit ip X.X.X.64 0.0.0.15 any
    80 deny udp any any eq 10001 log
Extended IP access list E_FW_INSIDE_TO_SLF_ACL_02
    10 permit tcp any eq 22 any
    20 permit tcp any eq 22609 any
    30 permit udp host 10.10.2.2 any
    40 permit udp host 10.10.2.4 any
    50 permit ip host 10.40.1.250 any
    60 permit icmp host 57.216.254.148 any
    70 permit icmp host 57.216.254.145 any
    80 permit icmp host 57.209.227.205 any
    90 permit icmp host 57.209.227.206 any
    100 permit icmp host 10.10.2.1 any
    110 permit icmp 200.20.20.0 0.0.0.255 any
    120 permit icmp 200.20.21.0 0.0.0.255 any
    130 permit icmp 200.20.22.0 0.0.0.255 any
    140 permit udp 200.20.20.0 0.0.0.255 any
    150 permit udp 200.20.21.0 0.0.0.255 any
    160 permit udp 200.20.22.0 0.0.0.255 any
    170 permit udp 172.30.1.0 0.0.0.255 any
    180 permit tcp 172.30.1.0 0.0.0.255 any
    190 permit ospf host 172.16.8.2 host 172.16.8.1
    200 permit icmp host 172.16.8.2 host 172.16.8.1
    210 permit icmp host 172.16.8.2 10.10.7.0 0.0.0.255
    220 permit udp 172.16.8.0 0.0.0.255 any
    230 permit esp host 200.20.20.22 host 10.10.2.2
    240 permit icmp X.X.X.16 0.0.0.15 any
    250 permit icmp X.X.X.32 0.0.0.15 any
    260 permit icmp X.X.X.48 0.0.0.15 any
    270 permit icmp X.X.X.64 0.0.0.15 any
    280 permit udp X.X.X.16 0.0.0.15 any
    290 permit udp X.X.X.32 0.0.0.15 any
    300 permit udp X.X.X.48 0.0.0.15 any
    310 permit udp X.X.X.64 0.0.0.15 any
    320 permit ip host 10.10.2.1 any
    330 permit ospf host 172.16.7.2 host 172.16.7.1
    340 permit icmp host 172.16.7.2 host 172.16.7.1
    350 permit icmp host 172.16.7.2 10.10.7.0 0.0.0.255
    360 permit udp 172.16.7.0 0.0.0.255 any
    370 permit esp host 200.20.22.34 host 10.10.2.2
    380 permit icmp host 172.30.1.2 host 172.30.1.1
    390 permit icmp 10.10.5.0 0.0.0.255 any
Extended IP access list E_FW_OUTSIDE_TO_INSIDE_ACL_03
    10 permit tcp any eq 5060 any
    20 permit udp any eq 5060 any
    30 permit udp any range 1000 1100 any
    40 permit tcp any eq 465 any
    50 permit icmp host X.X.X.2 any
    60 permit ip host 206.16.60.70 200.20.20.0 0.0.0.255
    70 permit ip host 206.16.60.70 200.20.21.0 0.0.0.255
    80 permit ip host 206.16.60.70 200.20.22.0 0.0.0.255
    90 permit tcp host 54.84.182.84 200.20.20.0 0.0.0.255
    100 permit tcp host 54.84.182.84 200.20.21.0 0.0.0.255
    110 permit tcp host 54.84.182.84 200.20.22.0 0.0.0.255
    120 permit icmp host 72.198.133.5 any
    130 permit ip host 70.X.X.52 any
    140 permit ip host 50.58.27.183 any
    150 permit tcp host 72.215.150.212 200.20.22.0 0.0.0.255
    160 permit icmp host 72.215.150.212 any
    170 permit ip host 72.215.150.212 200.20.22.0 0.0.0.255
    180 permit udp any range 10002 20000 any
    190 permit ip host 12.109.9.58 200.20.21.0 0.0.0.255
    200 permit ip host 209.163.240.162 200.20.21.0 0.0.0.255
    210 permit ip host 166.166.130.13 200.20.21.0 0.0.0.255
    220 permit ip host 98.198.144.47 200.20.21.0 0.0.0.255
    230 permit ip host 12.35.94.3 200.20.21.0 0.0.0.255
    240 permit tcp host 12.109.9.58 200.20.21.0 0.0.0.255
    250 permit tcp host 209.163.240.162 200.20.21.0 0.0.0.255
    260 permit tcp host 166.166.130.13 200.20.21.0 0.0.0.255
    270 permit tcp host 98.198.144.47 200.20.21.0 0.0.0.255
    280 permit tcp host 12.35.94.3 200.20.21.0 0.0.0.255
    290 permit udp host 12.109.9.58 200.20.21.0 0.0.0.255 eq 37778
    300 permit udp host 209.163.240.162 200.20.21.0 0.0.0.255 eq 37778
    310 permit udp host 166.166.130.13 200.20.21.0 0.0.0.255 eq 37778
    320 permit udp host 98.198.144.47 200.20.21.0 0.0.0.255 eq 37778
    330 permit udp host 12.35.94.3 200.20.21.0 0.0.0.255 eq 37778
    340 permit tcp any range 37777 37778 any
    350 permit tcp host 12.109.9.58 200.20.21.0 0.0.0.255 eq www
    360 permit tcp host 209.163.240.162 200.20.21.0 0.0.0.255 eq www
    370 permit tcp host 166.166.130.13 200.20.21.0 0.0.0.255 eq www
    380 permit tcp host 98.198.144.47 200.20.21.0 0.0.0.255 eq www
    390 permit tcp host 12.35.94.3 200.20.21.0 0.0.0.255 eq www
    400 permit icmp host 209.163.240.162 200.20.21.0 0.0.0.255
Extended IP access list E_FW_OUTSIDE_TO_SLF_ACL_04
    5 permit icmp host 70.X.X.52 any
    10 permit ip host 70.X.X.52 any
    20 permit udp host 98.188.216.148 any
    30 permit udp host 70.188.92.119 eq isakmp any
    40 permit udp host 50.58.27.183 eq 5060 any
    50 permit tcp host 98.188.216.149 eq 8880 any
    60 permit tcp host 72.198.133.5 eq 8880 any
    70 permit tcp host 206.16.60.70 any
    80 permit ip host 70.188.92.119 any log
    90 permit icmp 70.188.92.0 0.0.0.255 any
    100 deny ip 200.20.20.0 0.0.0.255 any
    110 deny ip 200.20.21.0 0.0.0.255 any
    120 deny ip 200.20.22.0 0.0.0.255 any
    130 deny ip X.X.X.16 0.0.0.15 any
    140 deny ip X.X.X.32 0.0.0.15 any
    150 deny ip X.X.X.48 0.0.0.15 any
    160 deny ip X.X.X.64 0.0.0.15 any
    170 deny ip 10.96.1.0 0.0.0.255 any
    180 deny ip 10.0.0.0 0.255.255.255 any
    190 deny ip 192.168.0.0 0.0.255.255 any
    200 deny ip 224.0.0.0 31.255.255.255 any
    210 deny ip 127.0.0.0 0.255.255.255 any
    220 deny ip 169.254.0.0 0.0.255.255 any
    230 deny ip 77.0.0.0 0.255.255.255 any
    240 permit ip host X.X.X.3 any
    250 permit ip host X.X.X.2 any
    260 deny ip 172.16.0.0 0.15.255.255 any
Extended IP access list E_FW_SLF_TO_INSIDE_ACL_05
    10 permit tcp any eq 2222 any
    20 permit ip host 10.10.2.2 any
    30 permit ip host 10.10.2.4 any
    40 permit icmp host 172.16.8.1 10.10.4.0 0.0.0.255
    50 permit ip host 10.10.2.2 host 200.20.20.22
    60 permit ip host X.X.X.1 any
    70 permit ip host X.X.X.4 any
    80 permit ip host 172.30.1.1 host 172.30.1.2
    90 permit icmp host 172.16.7.1 10.10.5.0 0.0.0.255
    110 permit icmp host X.X.X.62 any
Extended IP access list E_FW_SLF_TO_OUTSIDE_ACL_06
    7 permit icmp any any
    10 permit tcp any eq 2222 any
    20 permit udp any eq snmp any
    30 permit ip host X.X.X.1 any
    40 permit ip host X.X.X.4 any
    50 permit icmp host 10.10.2.2 host 50.58.27.183
    60 permit icmp host 10.10.2.2 host 54.84.182.84
    70 permit icmp host 10.10.2.2 host 70.X.X.52
    80 permit icmp host 10.10.2.4 host 50.58.27.183
    90 permit icmp host 10.10.2.4 host 54.84.182.84
    100 permit icmp host 10.10.2.4 host 70.X.X.52
    110 permit icmp host 10.10.2.4 host 72.215.150.212
    120 deny udp any any eq 10001
Extended IP access list NAT_ACL
    10 permit ip X.X.X.16 0.0.0.15 any
    20 permit ip X.X.X.32 0.0.0.15 any
    30 permit ip X.X.X.48 0.0.0.15 any
    40 permit ip X.X.X.64 0.0.0.15 any
    50 permit ip 200.20.20.0 0.0.0.255 any
    60 permit ip 200.20.21.0 0.0.0.255 any
    70 permit ip 200.20.22.0 0.0.0.255 any
This is my loopback X.X.X.62/32 configured on my router.
I am trying to ping this loopback from 70.x.x.52, which is a public IP. I want to allow ping to this IP.
Please advise what I am missing or what needs to be done to achieve this.
Thanks.
04-03-2019 02:17 PM
Hello,
Post the full configuration of your router, or at the very least indicate which access lists are applied to the interface with the public IP address and to the loopback interface...
04-04-2019 07:35 AM
I have posted the full configuration below. Please advise.
Thanks
04-04-2019 02:13 AM
Hi,
Share the full configuration and source IP of the Ping request.
04-04-2019 07:34 AM
Source: 70.x.x.52 (public IP).
200.20.20.x, 200.20.21.x, 200.20.22.x - these are my remote sites, which are NATed inside with a public IP assigned. Each remote has its own public IP. This pool of public IPs was given to us to manage ourselves.
X.X.X.62 is one of these public IPs. I have a request from the customer: he wants to ping the public IP assigned to that remote from a monitoring tool whose public IP is 70.x.x.52, so he can know whether the site is up or not.
Remote 200.20.21.142 - assigned public X.X.X.62.
We manage the publics, so I configured it as a loopback, and I am able to ping the IP from remote 200.20.21.142, but I want to allow ICMP to the requested public IP, 70.x.x.52, for the customer.
Please advise and let me know if need more information.
Thanks.
parameter-map type inspect E_FW_GLOBAL_PARAMETER_MAP
 max-incomplete low 20000000
 max-incomplete high 20000000
 one-minute low 100000000
 one-minute high 100000000
 tcp max-incomplete host 100000 block-time 0
multilink bundle-name authenticated
!
cts logging verbose
license udi pid ISR4331/K9 sn FDO2146149C
!
spanning-tree extend system-id
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
track 20 ip sla 20 reachability
!
track 25 ip sla 25 reachability
!
track 99 list boolean and
 object 20
 object 25
!
class-map type inspect match-any E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP
 match access-group name E_FW_OUTSIDE_TO_SLF_ACL_04
class-map type inspect match-any E_FW_SLF_TO_OUTSIDE_98_CLASS_MAP
 match access-group name E_FW_SLF_TO_OUTSIDE_ACL_06
class-map type inspect match-all E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP
 match access-group name E_FW_INSIDE_TO_OUTSIDE_ACL_01
class-map type inspect match-any E_FW_OUTSIDE_TO_INSIDE_CLASS_MAP
 match access-group name E_FW_OUTSIDE_TO_INSIDE_ACL_03
class-map type inspect match-any E_FW_INSIDE_TO_SLF_98_CLASS_MAP
 match access-group name E_FW_INSIDE_TO_SLF_ACL_02
class-map type inspect match-any E_FW_SLF_TO_INSIDE_98_CLASS_MAP
 match access-group name E_FW_SLF_TO_INSIDE_ACL_05
!
policy-map type inspect E_FW_OUTSIDE_TO_INSIDE_POLICY_MAP
 class type inspect E_FW_OUTSIDE_TO_INSIDE_CLASS_MAP
  inspect E_FW_GLOBAL_PARAMETER_MAP
 class class-default
  drop log
policy-map type inspect E_FW_INSIDE_TO_SLF_POLICY_MAP
 class type inspect E_FW_INSIDE_TO_SLF_98_CLASS_MAP
  pass
 class class-default
  drop log
policy-map type inspect E_FW_INSIDE_TO_OUTSIDE_POLICY_MAP
 class type inspect E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP
  inspect E_FW_GLOBAL_PARAMETER_MAP
 class class-default
  drop log
policy-map type inspect E_FW_SLF_TO_OUTSIDE_POLICY_MAP
 class type inspect E_FW_SLF_TO_OUTSIDE_98_CLASS_MAP
  pass
 class class-default
  drop log
policy-map type inspect E_FW_OUTSIDE_TO_SLF_POLICY_MAP
 class type inspect E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP
  pass
 class class-default
  drop log
policy-map type inspect E_FW_SLF_TO_INSIDE_POLICY_MAP
 class type inspect E_FW_SLF_TO_INSIDE_98_CLASS_MAP
  pass
 class class-default
  drop log
!
zone security E_FW_INSIDE_ZONE
 description --- CUSTOMER_ZONE_ACCESS_SECURITY_ZONE
zone security E_FW_OUTSIDE_ZONE
 description --- OUTSIDE ZONE_ACCESS_SECURITY_ZONE
zone-pair security E_FW_ZON_PAIR_INSIDE_TO_OUTSIDE source E_FW_INSIDE_ZONE destination E_FW_OUTSIDE_ZONE
 description --- CUSTOMER_ZONE_INTERNET_ACCESS_ZONE_PAIRING
 service-policy type inspect E_FW_INSIDE_TO_OUTSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_INSIDE_TO_SLF source E_FW_INSIDE_ZONE destination self
 description --- Customer LAN to Router originated traffic
 service-policy type inspect E_FW_INSIDE_TO_SLF_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_OUTSIDE_TO_INSIDE source E_FW_OUTSIDE_ZONE destination E_FW_INSIDE_ZONE
 description --- OUTSIDE ZONE_INTERNET_ACCESS_ZONE_PAIRING
 service-policy type inspect E_FW_OUTSIDE_TO_INSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_OUTSIDE_TO_SLF source E_FW_OUTSIDE_ZONE destination self
 description --- Public internet to router originated traffic
 service-policy type inspect E_FW_OUTSIDE_TO_SLF_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_SLF_TO_INSIDE source self destination E_FW_INSIDE_ZONE
 description --- Router originated traffic to customer LAN
 service-policy type inspect E_FW_SLF_TO_INSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_SLF_TO_OUTSIDE source self destination E_FW_OUTSIDE_ZONE
 description --- Router to IPSN
 service-policy type inspect E_FW_SLF_TO_OUTSIDE_POLICY_MAP
!
interface Loopback1
 ip address 10.100.100.1 255.255.255.255
 zone-member security E_FW_INSIDE_ZONE
!
interface Loopback6
 ip address X.X.X.62 255.255.255.255
!
interface Tunnel0
 ip address 172.30.1.1 255.255.255.0
 zone-member security E_FW_INSIDE_ZONE
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source X.X.X.1
 tunnel destination x.x.x.x
 tunnel protection ipsec profile BTCcisco20
!
interface GigabitEthernet0/0/0
 description Management_Interface
 no ip address
 ip nbar protocol-discovery
 zone-member security E_FW_INSIDE_ZONE
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Orange_MPLS_10.10
 ip address 10.10.2.4 255.255.255.240
 ip nat inside
 zone-member security E_FW_INSIDE_ZONE
 negotiation auto
 vrrp 10 description MPLS_VRRP_MASTER
 vrrp 10 ip 10.10.2.2
 vrrp 10 timers advertise msec 300
 vrrp 10 preempt delay minimum 10
 vrrp 10 priority 110
 vrrp 10 track 99 decrement 20
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 no ip address
 zone-member security E_FW_OUTSIDE_ZONE
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/2.700
 encapsulation dot1Q 700 native
 ip address X.X.X.4 255.255.255.240
 ip nat outside
 zone-member security E_FW_OUTSIDE_ZONE
 vrrp 15 description INTERNET_VRRP_MASTER
 vrrp 15 ip X.X.X.1
 vrrp 15 timers advertise msec 300
 vrrp 15 preempt delay minimum 10
 vrrp 15 priority 110
 vrrp 15 track 99 decrement 20
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source static tcp 200.20.20.114 port1 X.X.X.18 port1 extendable
ip nat inside source static tcp 200.20.20.114 port2 X.X.X.18 port2 extendable
ip nat inside source static udp 200.20.20.114 port2 X.X.X.18 port2 extendable
ip nat inside source static tcp 200.20.20.118 port1 X.X.X.19 port1 extendable
ip nat inside source static tcp 200.20.20.118 port2 X.X.X.19 port2 extendable
ip nat inside source static udp 200.20.20.118 port2 X.X.X.19 port2 extendable
ip nat inside source static tcp 200.20.20.122 port1 X.X.X.20 port1 extendable
ip nat inside source static tcp 200.20.20.122 port2 X.X.X.20 port2 extendable
ip nat inside source static udp 200.20.20.122 port2 X.X.X.20 port2 extendable
ip nat inside source static tcp 200.20.20.126 port1 X.X.X.21 port1 extendable
ip nat inside source static tcp 200.20.20.126 port2 X.X.X.21 port2 extendable
ip nat inside source static udp 200.20.20.126 port2 X.X.X.21 port2 extendable
ip nat inside source static tcp 200.20.22.66 port3 X.X.X.22 port3 extendable
ip nat inside source static tcp 200.20.22.66 port4 X.X.X.22 port4 extendable
ip nat inside source static tcp 200.20.22.66 9201 X.X.X.22 9201 extendable
ip nat inside source static tcp 200.20.22.50 port1 X.X.X.23 port1 extendable
ip nat inside source static tcp 200.20.22.50 port2 X.X.X.23 port2 extendable
ip nat inside source static udp 200.20.22.50 port2 X.X.X.23 port2 extendable
ip nat inside source static tcp 200.20.20.42 port1 X.X.X.24 port1 extendable
ip nat inside source static tcp 200.20.20.42 port2 X.X.X.24 port2 extendable
ip nat inside source static udp 200.20.20.42 port2 X.X.X.24 port2 extendable
ip nat inside source static tcp 200.20.20.62 port1 X.X.X.25 port1 extendable
ip nat inside source static tcp 200.20.20.62 port2 X.X.X.25 port2 extendable
ip nat inside source static udp 200.20.20.62 port2 X.X.X.25 port2 extendable
ip nat inside source static tcp 200.20.20.98 port3 X.X.X.26 port3 extendable
ip nat inside source static tcp 200.20.20.98 port4 X.X.X.26 port4 extendable
ip nat inside source static tcp 200.20.20.98 port5 X.X.X.26 port5 extendable
ip nat inside source static udp 200.20.20.98 port5 X.X.X.26 port5 extendable
ip nat inside source static tcp 200.20.20.74 port3 X.X.X.27 port3 extendable
ip nat inside source static tcp 200.20.20.74 port4 X.X.X.27 port4 extendable
ip nat inside source static tcp 200.20.20.74 port5 X.X.X.27 port5 extendable
ip nat inside source static udp 200.20.20.74 port5 X.X.X.27 port5 extendable
ip nat inside source static tcp 200.20.20.82 port3 X.X.X.28 port3 extendable
ip nat inside source static tcp 200.20.20.82 port4 X.X.X.28 port4 extendable
ip nat inside source static tcp 200.20.20.82 port5 X.X.X.28 port5 extendable
ip nat inside source static udp 200.20.20.82 port5 X.X.X.28 port5 extendable
ip nat inside source static tcp 200.20.22.78 port5 X.X.X.29 port1 extendable
ip nat inside source static tcp 200.20.22.78 port3 X.X.X.29 port3 extendable
ip nat inside source static tcp 200.20.22.78 port4 X.X.X.29 port4 extendable
ip nat inside source static tcp 200.20.22.78 port5 X.X.X.29 port5 extendable
ip nat inside source static udp 200.20.22.78 port5 X.X.X.29 port5 extendable
ip nat inside source static tcp 200.20.20.26 port3 X.X.X.30 port3 extendable
ip nat inside source static tcp 200.20.20.26 port4 X.X.X.30 port4 extendable
ip nat inside source static tcp 200.20.20.26 port5 X.X.X.30 port5 extendable
ip nat inside source static udp 200.20.20.26 port5 X.X.X.30 port5 extendable
ip nat inside source static tcp 200.20.21.206 port1 X.X.X.31 port1 extendable
ip nat inside source static tcp 200.20.21.206 port2 X.X.X.31 port2 extendable
ip nat inside source static udp 200.20.21.206 port2 X.X.X.31 port2 extendable
ip nat inside source static tcp 200.20.20.158 port1 X.X.X.32 port1 extendable
ip nat inside source static tcp 200.20.20.158 port2 X.X.X.32 port2 extendable
ip nat inside source static udp 200.20.20.158 port2 X.X.X.32 port2 extendable
ip nat inside source static tcp 200.20.20.58 port1 X.X.X.33 port1 extendable
ip nat inside source static tcp 200.20.20.58 port2 X.X.X.33 port2 extendable
ip nat inside source static udp 200.20.20.58 port2 X.X.X.33 port2 extendable
ip nat inside source static tcp 200.20.21.102 port3 X.X.X.34 port3 extendable
ip nat inside source static tcp 200.20.21.102 port4 X.X.X.34 port4 extendable
ip nat inside source static tcp 200.20.21.102 port5 X.X.X.34 port5 extendable
ip nat inside source static udp 200.20.21.102 port5 X.X.X.34 port5 extendable
ip nat inside source static tcp 200.20.20.70 port3 X.X.X.35 port3 extendable
ip nat inside source static tcp 200.20.20.70 port4 X.X.X.35 port4 extendable
ip nat inside source static tcp 200.20.20.70 port5 X.X.X.35 port5 extendable
ip nat inside source static udp 200.20.20.70 port5 X.X.X.35 port5 extendable
ip nat inside source static tcp 200.20.20.142 port3 X.X.X.36 port3 extendable
ip nat inside source static tcp 200.20.20.142 port4 X.X.X.36 port4 extendable
ip nat inside source static tcp 200.20.20.142 port5 X.X.X.36 port5 extendable
ip nat inside source static udp 200.20.20.142 port5 X.X.X.36 port5 extendable
ip nat inside source static tcp 200.20.20.138 port3 X.X.X.37 port3 extendable
ip nat inside source static tcp 200.20.20.138 port4 X.X.X.37 port4 extendable
ip nat inside source static tcp 200.20.20.138 port5 X.X.X.37 port5 extendable
ip nat inside source static udp 200.20.20.138 port5 X.X.X.37 port5 extendable
ip nat inside source static tcp 200.20.20.90 port3 X.X.X.38 port3 extendable
ip nat inside source static tcp 200.20.20.90 port4 X.X.X.38 port4 extendable
ip nat inside source static tcp 200.20.20.90 port5 X.X.X.38 port5 extendable
ip nat inside source static udp 200.20.20.90 port5 X.X.X.38 port5 extendable
ip nat inside source static tcp 200.20.20.106 port3 X.X.X.39 port3 extendable
ip nat inside source static tcp 200.20.20.106 port4 X.X.X.39 port4 extendable
ip nat inside source static tcp 200.20.20.106 port5 X.X.X.39 port5 extendable
ip nat inside source static udp 200.20.20.106 port5 X.X.X.39 port5 extendable
ip nat inside source static tcp 200.20.20.110 port3 X.X.X.40 port3 extendable
ip nat inside source static tcp 200.20.20.110 port4 X.X.X.40 port4 extendable
ip nat inside source static tcp 200.20.20.110 port5 X.X.X.40 port5 extendable
ip nat inside source static udp 200.20.20.110 port5 X.X.X.40 port5 extendable
ip nat inside source static tcp 200.20.21.222 port3 X.X.X.41 port3 extendable
ip nat inside source static tcp 200.20.21.222 port4 X.X.X.41 port4 extendable
ip nat inside source static tcp 200.20.21.222 port5 X.X.X.41 port5 extendable
ip nat inside source static udp 200.20.21.222 port5 X.X.X.41 port5 extendable
ip nat inside source static tcp 200.20.20.102 port3 X.X.X.42 port3 extendable
ip nat inside source static tcp 200.20.20.102 port4 X.X.X.42 port4 extendable
ip nat inside source static tcp 200.20.20.102 port5 X.X.X.42 port5 extendable
ip nat inside source static udp 200.20.20.102 port5 X.X.X.42 port5 extendable
ip nat inside source static tcp 200.20.20.94 port3 X.X.X.43 port3 extendable
ip nat inside source static tcp 200.20.20.94 port4 X.X.X.43 port4 extendable
ip nat inside source static tcp 200.20.20.94 port5 X.X.X.43 port5 extendable
ip nat inside source static udp 200.20.20.94 port5 X.X.X.43 port5 extendable
ip nat inside source static tcp 200.20.20.86 port3 X.X.X.44 port3 extendable
ip nat inside source static tcp 200.20.20.86 port4 X.X.X.44 port4 extendable
ip nat inside source static tcp 200.20.20.86 port5 X.X.X.44 port5 extendable
ip nat inside source static udp 200.20.20.86 port5 X.X.X.44 port5 extendable
ip nat inside source static tcp 200.20.21.242 port3 X.X.X.50 port3 extendable
ip nat inside source static tcp 200.20.21.242 port4 X.X.X.50 port4 extendable
ip nat inside source static tcp 200.20.21.242 port5 X.X.X.50 port5 extendable
ip nat inside source static udp 200.20.21.242 port5 X.X.X.50 port5 extendable
ip nat inside source static tcp 200.20.22.26 1610 X.X.X.51 1610 extendable
ip nat inside source static udp 200.20.22.26 1610 X.X.X.51 1610 extendable
ip nat inside source static tcp 200.20.22.26 1611 X.X.X.51 1611 extendable
ip nat inside source static udp 200.20.22.26 1611 X.X.X.51 1611 extendable
ip nat inside source static tcp 200.20.22.22 1610 X.X.X.52 1610 extendable
ip nat inside source static udp 200.20.22.22 1610 X.X.X.52 1610 extendable
ip nat inside source static tcp 200.20.22.22 1611 X.X.X.52 1611 extendable
ip nat inside source static udp 200.20.22.22 1611 X.X.X.52 1611 extendable
ip nat inside source static tcp 200.20.22.58 1610 X.X.X.53 1610 extendable
ip nat inside source static udp 200.20.22.58 1610 X.X.X.53 1610 extendable
ip nat inside source static tcp 200.20.22.58 1611 X.X.X.53 1611 extendable
ip nat inside source static udp 200.20.22.58 1611 X.X.X.53 1611 extendable
ip nat inside source static tcp 200.20.22.18 1610 X.X.X.54 1610 extendable
ip nat inside source static udp 200.20.22.18 1610 X.X.X.54 1610 extendable
ip nat inside source static tcp 200.20.22.18 1611 X.X.X.54 1611 extendable
ip nat inside source static udp 200.20.22.18 1611 X.X.X.54 1611 extendable
ip nat inside source static tcp 200.20.22.54 1610 X.X.X.55 1610 extendable
ip nat inside source static udp 200.20.22.54 1610 X.X.X.55 1610 extendable
ip nat inside source static tcp 200.20.22.54 1611 X.X.X.55 1611 extendable
ip nat inside source static udp 200.20.22.54 1611 X.X.X.55 1611 extendable
ip nat inside source static tcp 200.20.20.78 port3 X.X.X.56 port3 extendable
ip nat inside source static tcp 200.20.20.78 port4 X.X.X.56 port4 extendable
ip nat inside source static tcp 200.20.20.78 port5 X.X.X.56 port5 extendable
ip nat inside source static udp 200.20.20.78 port5 X.X.X.56 port5 extendable
ip nat inside source static tcp 200.20.22.122 port3 X.X.X.57 port3 extendable
ip nat inside source static tcp 200.20.22.122 port4 X.X.X.57 port4 extendable
ip nat inside source static tcp 200.20.22.122 port5 X.X.X.57 port5 extendable
ip nat inside source static udp 200.20.22.122 port5 X.X.X.57 port5 extendable
ip nat inside source static tcp 200.20.22.126 port3 X.X.X.58 port3 extendable
ip nat inside source static tcp 200.20.22.126 port4 X.X.X.58 port4 extendable
ip nat inside source static tcp 200.20.22.126 port5 X.X.X.58 port5 extendable
ip nat inside source static udp 200.20.22.126 port5 X.X.X.58 port5 extendable
ip nat inside source static tcp 200.20.22.134 port3 X.X.X.59 port3 extendable
ip nat inside source static tcp 200.20.22.134 port4 X.X.X.59 port4 extendable
ip nat inside source static tcp 200.20.22.134 port5 X.X.X.59 port5 extendable
ip nat inside source static udp 200.20.22.134 port5 X.X.X.59 port5 extendable
ip nat inside source static tcp 200.20.22.98 port1 X.X.X.60 port1 extendable
ip nat inside source static tcp 200.20.22.98 port2 X.X.X.60 port2 extendable
ip nat inside source static udp 200.20.22.98 port2 X.X.X.60 port2 extendable
ip nat inside source static tcp 200.20.22.130 port3 X.X.X.61 port3 extendable
ip nat inside source static tcp 200.20.22.130 port4 X.X.X.61 port4 extendable
ip nat inside source static tcp 200.20.22.130 port5 X.X.X.61 port5 extendable
ip nat inside source static udp 200.20.22.130 port5 X.X.X.61 port5 extendable
ip nat inside source static tcp 200.20.21.142 port3 X.X.X.62 port3 extendable
ip nat inside source static tcp 200.20.21.142 port4 X.X.X.62 port4 extendable
ip nat inside source static tcp 200.20.21.142 port5 X.X.X.62 port5 extendable
ip nat inside source static udp 200.20.21.142 port5 X.X.X.62 port5 extendable
ip nat inside source static tcp 200.20.21.142 37777 X.X.X.62 37777 extendable
ip nat inside source static tcp 200.20.21.142 37778 X.X.X.62 37778 extendable
ip nat inside source static udp 200.20.21.142 37778 X.X.X.62 37778 extendable
ip nat inside source list NAT_ACL interface GigabitEthernet0/0/2.700 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.X.2
ip route 10.10.2.0 255.255.255.240 10.10.2.1
ip route 10.40.1.0 255.255.255.0 10.10.2.1
ip route 10.96.1.0 255.255.255.0 10.10.2.1
ip route 200.20.20.0 255.255.255.0 10.10.2.1
ip route 200.20.21.0 255.255.255.0 10.10.2.1
ip route 200.20.22.0 255.255.255.0 10.10.2.1
ip ssh port 2222 rotary 1
ip ssh version 2
!
ip access-list extended E_FW_INSIDE_TO_OUTSIDE_ACL_01
 permit ip 200.20.20.0 0.0.0.255 any log
 permit ip 200.20.21.0 0.0.0.255 any
 permit ip 200.20.22.0 0.0.0.255 any
 permit ip X.X.X.16 0.0.0.15 any
 permit ip X.X.X.32 0.0.0.15 any
 permit ip X.X.X.48 0.0.0.15 any
 permit ip X.X.X.64 0.0.0.15 any
 deny udp any any eq 10001 log
ip access-list extended E_FW_INSIDE_TO_SLF_ACL_02
 permit tcp any eq 2222 any
 permit tcp any eq port5 any
 permit udp host 10.10.2.2 any
 permit udp host 10.10.2.4 any
 permit ip host 10.40.1.250 any
 permit icmp host 57.216.254.148 any
 permit icmp host 57.216.254.145 any
 permit icmp host 57.209.227.205 any
 permit icmp host 57.209.227.206 any
 permit icmp host 10.10.2.1 any
 permit icmp 200.20.20.0 0.0.0.255 any
 permit icmp 200.20.21.0 0.0.0.255 any
 permit icmp 200.20.22.0 0.0.0.255 any
 permit udp 200.20.20.0 0.0.0.255 any
 permit udp 200.20.21.0 0.0.0.255 any
 permit udp 200.20.22.0 0.0.0.255 any
 permit udp 172.30.1.0 0.0.0.255 any
 permit tcp 172.30.1.0 0.0.0.255 any
 permit ospf host 172.16.8.2 host 172.16.8.1
 permit icmp host 172.16.8.2 host 172.16.8.1
 permit icmp host 172.16.8.2 10.10.7.0 0.0.0.255
 permit udp 172.16.8.0 0.0.0.255 any
 permit esp host 200.20.20.22 host 10.10.2.2
 permit icmp X.X.X.16 0.0.0.15 any
 permit icmp X.X.X.32 0.0.0.15 any
 permit icmp X.X.X.48 0.0.0.15 any
 permit icmp X.X.X.64 0.0.0.15 any
 permit udp X.X.X.16 0.0.0.15 any
 permit udp X.X.X.32 0.0.0.15 any
 permit udp X.X.X.48 0.0.0.15 any
 permit udp X.X.X.64 0.0.0.15 any
 permit ip host 10.10.2.1 any
 permit ospf host 172.16.7.2 host 172.16.7.1
 permit icmp host 172.16.7.2 host 172.16.7.1
 permit icmp host 172.16.7.2 10.10.7.0 0.0.0.255
 permit udp 172.16.7.0 0.0.0.255 any
 permit esp host 200.20.22.34 host 10.10.2.2
 permit icmp host 172.30.1.2 host 172.30.1.1
 permit icmp 10.10.5.0 0.0.0.255 any
ip access-list extended E_FW_OUTSIDE_TO_INSIDE_ACL_03
 permit tcp any eq 5060 any
 permit udp any eq 5060 any
 permit udp any range 1000 1100 any
 permit tcp any eq 465 any
 permit icmp host X.X.X.2 any
 permit ip host 206.16.60.70 200.20.20.0 0.0.0.255
 permit ip host 206.16.60.70 200.20.21.0 0.0.0.255
 permit ip host 206.16.60.70 200.20.22.0 0.0.0.255
 permit tcp host 54.84.182.84 200.20.20.0 0.0.0.255
 permit tcp host 54.84.182.84 200.20.21.0 0.0.0.255
 permit tcp host 54.84.182.84 200.20.22.0 0.0.0.255
 permit icmp host 72.198.133.5 any
 permit ip host 70.x.x.52 any
 permit ip host 50.58.27.183 any
 permit tcp host 72.215.150.212 200.20.22.0 0.0.0.255
 permit icmp host 72.215.150.212 any
 permit ip host 72.215.150.212 200.20.22.0 0.0.0.255
 permit udp any range 10002 20000 any
 permit ip host 12.109.9.58 200.20.21.0 0.0.0.255
 permit ip host 209.163.240.162 200.20.21.0 0.0.0.255
 permit ip host 166.166.130.13 200.20.21.0 0.0.0.255
 permit ip host 98.198.144.47 200.20.21.0 0.0.0.255
 permit ip host 12.35.94.3 200.20.21.0 0.0.0.255
 permit tcp host 12.109.9.58 200.20.21.0 0.0.0.255
 permit tcp host 209.163.240.162 200.20.21.0 0.0.0.255
 permit tcp host 166.166.130.13 200.20.21.0 0.0.0.255
 permit tcp host 98.198.144.47 200.20.21.0 0.0.0.255
 permit tcp host 12.35.94.3 200.20.21.0 0.0.0.255
 permit udp host 12.109.9.58 200.20.21.0 0.0.0.255 eq 37778
 permit udp host 209.163.240.162 200.20.21.0 0.0.0.255 eq 37778
 permit udp host 166.166.130.13 200.20.21.0 0.0.0.255 eq 37778
 permit udp host 98.198.144.47 200.20.21.0 0.0.0.255 eq 37778
 permit udp host 12.35.94.3 200.20.21.0 0.0.0.255 eq 37778
 permit tcp any range 37777 37778 any
 permit tcp host 12.109.9.58 200.20.21.0 0.0.0.255 eq www
 permit tcp host 209.163.240.162 200.20.21.0 0.0.0.255 eq www
 permit tcp host 166.166.130.13 200.20.21.0 0.0.0.255 eq www
 permit tcp host 98.198.144.47 200.20.21.0 0.0.0.255 eq www
 permit tcp host 12.35.94.3 200.20.21.0 0.0.0.255 eq www
 permit icmp host 209.163.240.162 200.20.21.0 0.0.0.255
ip access-list extended E_FW_OUTSIDE_TO_SLF_ACL_04
 permit ip host 70.x.x.52 any
 permit icmp any any
 permit udp host 98.188.216.148 any
 permit udp host 70.188.92.119 eq isakmp any
 permit udp host 50.58.27.183 eq 5060 any
 permit tcp host 98.188.216.149 eq 8880 any
 permit tcp host 72.198.133.5 eq 8880 any
 permit tcp host 206.16.60.70 any
 permit ip host 70.188.92.119 any log
 permit icmp 70.188.92.0 0.0.0.255 any
 deny ip 200.20.20.0 0.0.0.255 any
 deny ip 200.20.21.0 0.0.0.255 any
 deny ip 200.20.22.0 0.0.0.255 any
 deny ip X.X.X.16 0.0.0.15 any
 deny ip X.X.X.32 0.0.0.15 any
 deny ip X.X.X.48 0.0.0.15 any
 deny ip X.X.X.64 0.0.0.15 any
 deny ip 10.96.1.0 0.0.0.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 permit ip host X.X.X.3 any
 permit ip host X.X.X.2 any
 deny ip 172.16.0.0 0.15.255.255 any
ip access-list extended E_FW_SLF_TO_INSIDE_ACL_05
 permit tcp any eq 2222 any
 permit ip host 10.10.2.2 any
 permit ip host 10.10.2.4 any
 permit icmp host 172.16.8.1 10.10.4.0 0.0.0.255
 permit ip host 10.10.2.2 host 200.20.20.22
 permit ip host X.X.X.1 any
 permit ip host X.X.X.4 any
 permit ip host 172.30.1.1 host 172.30.1.2
 permit icmp host 172.16.7.1 10.10.5.0 0.0.0.255
 permit icmp host 10.10.2.4 host 200.20.21.142
 permit icmp host X.X.X.62 any
ip access-list extended E_FW_SLF_TO_OUTSIDE_ACL_06
 permit icmp any any
 permit tcp any eq 2222 any
 permit udp any eq snmp any
 permit ip host X.X.X.1 any
 permit ip host X.X.X.4 any
 permit icmp host 10.10.2.2 host 50.58.27.183
 permit icmp host 10.10.2.2 host 54.84.182.84
 permit icmp host 10.10.2.2 host 70.x.x.52
 permit icmp host 10.10.2.4 host 50.58.27.183
 permit icmp host 10.10.2.4 host 54.84.182.84
 permit icmp host 10.10.2.4 host 70.x.x.52
 permit icmp host 10.10.2.4 host 72.215.150.212
 deny udp any any eq 10001
ip access-list extended NAT_ACL
 permit ip X.X.X.16 0.0.0.15 any
 permit ip X.X.X.32 0.0.0.15 any
 permit ip X.X.X.48 0.0.0.15 any
 permit ip X.X.X.64 0.0.0.15 any
 permit ip 200.20.20.0 0.0.0.255 any
 permit ip 200.20.21.0 0.0.0.255 any
 permit ip 200.20.22.0 0.0.0.255 any
!
ip sla 20
 icmp-echo 10.10.2.1
ip sla schedule 20 life forever start-time now
ip sla 25
 icmp-echo X.X.X.2
ip sla schedule 25 life forever start-time now
logging history alerts
logging source-interface GigabitEthernet0/0/2.700
access-list 199 deny tcp any any eq telnet
access-list 199 deny tcp any any eq www log
access-list 199 deny tcp any any eq 22
access-list 199 permit ip any any
access-list 199 remark -- ACL restricting 22/23, redirect to ssh port 2222
!
snmp-server community !BTC RO
snmp-server community BTC117 RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps ipmulticast
snmp-server enable traps mvpn
snmp-server enable traps trustsec-sxp conn-srcaddr-err msg-parse-err conn-config-err binding-err conn-up conn-down binding-expn-fail oper-nodeid-change binding-conflict
snmp-server enable traps c3g
snmp-server enable traps bulkstat collection transfer
!
04-04-2019 08:05 AM
Hello
Your term "public IP" is rather confusing. Basically, am I correct that what you require is for that Loopback6 address to be ICMP-reachable from outside your NAT boundary?
04-04-2019 08:19 AM
Yes, you are right. I want ICMP for that loopback from an outside public IP which is not in my NAT boundary.
For example, I want ICMP from this IP 209.163.240.162 to my loopback6.
Thanks.
04-04-2019 02:28 PM
Thanks for the clarification. It is difficult to know what is going on when you describe x.x.x.62. Is this a public address? Or is this some private address? This is significant in determining whether address translation is required. Since I see that your config does have address translation for the address, I am assuming that NAT is required.
ip nat inside source static tcp 200.20.21.142 port3 X.X.X.62 port3 extendable
ip nat inside source static tcp 200.20.21.142 port4 X.X.X.62 port4 extendable
ip nat inside source static tcp 200.20.21.142 port5 X.X.X.62 port5 extendable
ip nat inside source static udp 200.20.21.142 port5 X.X.X.62 port5 extendable
ip nat inside source static tcp 200.20.21.142 37777 X.X.X.62 37777 extendable
ip nat inside source static tcp 200.20.21.142 37778 X.X.X.62 37778 extendable
ip nat inside source static udp 200.20.21.142 37778 X.X.X.62 37778 extendable
The issue is that you are providing translation for some ports (and it is difficult to understand which ports they really are) but not providing translation of ICMP. If you want ping to work then you need to provide a translation for ICMP.
HTH
Rick
04-04-2019 04:08 PM - edited 04-04-2019 04:48 PM
Hello
Just like to add, Loopback6 would also need to be a member of a security zone, and some of the ACLs amended.
Possible example:
interface Loopback6
 zone-member security E_FW_INSIDE_ZONE
!
ip access-list extended E_FW_SLF_TO_INSIDE_ACL_05
 permit icmp host X.X.X.62 any
!
ip access-list extended E_FW_OUTSIDE_TO_SLF_ACL_04
 permit ip host 70.x.x.52 any
 permit icmp host 70.x.x.52 any
!
ip access-list extended E_FW_INSIDE_TO_SLF_ACL_02
 permit icmp any host X.X.X.62
!
access-list 100 permit icmp host X.X.X.62 host 70.x.x.52
access-list 100 permit icmp host 70.x.x.52 any
!
route-map ICMP
 match ip address 100
!
ip nat inside source static X.X.X.62 X.X.X.4 route-map ICMP extendable
04-05-2019 08:50 AM
Hi paul,
I tried the example you mentioned but it didn't work.
Thanks.
04-05-2019 08:47 AM - edited 04-05-2019 08:49 AM
Yes- X.X.X.62 is a public IP address.
So we NAT inside our remote site IP with this assigned public IP; as you can see, my remote is 200.20.21.142 and the assigned public IP is X.X.X.62.
Before, I was not able to ping the public IP from the remote, so I created Loopback6 and set rules to permit ICMP, and it worked. Now I can ping the public IP X.X.X.62 from the remote 200.20.21.142.
What needs to be added if I want to ping the public IP of Loopback6 from any desired outside public IP?
Thanks.
ip nat inside source static tcp 200.20.21.142 554 X.X.X.62 554 extendable
ip nat inside source static tcp 200.20.21.142 9200 X.X.X.62 9200 extendable
ip nat inside source static tcp 200.20.21.142 22609 X.X.X.62 22609 extendable
ip nat inside source static udp 200.20.21.142 22609 X.X.X.62 22609 extendable
ip nat inside source static tcp 200.20.21.142 37777 X.X.X.62 37777 extendable
ip nat inside source static tcp 200.20.21.142 37778 X.X.X.62 37778 extendable
ip nat inside source static udp 200.20.21.142 37778 X.X.X.62 37778 extendable
04-06-2019 02:46 AM
Hello,
not wanting to be redundant, I have been reading through this thread.
I would agree with Paul that in order to reach the Loopback6 IP address from any outside public IP address, the loopback interface needs to become part of the ZBF. I have tested the configuration below in GNS3. In order not to interfere with the existing inside zones, I have added an extra security zone just for the Loopback:
zone security DMZ_LOOPBACK
zone security E_FW_OUTSIDE_ZONE
!
ip access-list extended ICMP_OUT_TO_DMZ_ACL
 ! matches the Loopback6 address (10.10.10.62 in the GNS3 test)
 permit icmp any host 10.10.10.62
!
class-map type inspect match-all ICMP_OUT_TO_DMZ_CLASS
 match access-group name ICMP_OUT_TO_DMZ_ACL
!
policy-map type inspect ICMP_OUT_TO_DMZ_POLICY
 class type inspect ICMP_OUT_TO_DMZ_CLASS
  pass
 class class-default
  drop
!
zone-pair security ICMP_OUT_TO_DMZ source E_FW_OUTSIDE_ZONE destination DMZ_LOOPBACK
 service-policy type inspect ICMP_OUT_TO_DMZ_POLICY
!
interface Loopback6
 ip address X.X.X.62 255.255.255.255
 zone-member security DMZ_LOOPBACK
!
Is the IP address of Loopback6 the same as the IP address used in your static NAT entries?
interface Loopback6
 ip address X.X.X.62 255.255.255.255
!
ip nat inside source static tcp 200.20.21.142 554 X.X.X.62 554 extendable
ip nat inside source static tcp 200.20.21.142 9200 X.X.X.62 9200 extendable
ip nat inside source static tcp 200.20.21.142 22609 X.X.X.62 22609 extendable
ip nat inside source static udp 200.20.21.142 22609 X.X.X.62 22609 extendable
ip nat inside source static tcp 200.20.21.142 37777 X.X.X.62 37777 extendable
ip nat inside source static tcp 200.20.21.142 37778 X.X.X.62 37778 extendable
ip nat inside source static udp 200.20.21.142 37778 X.X.X.62 37778 extendable
Your static routes point to a NAT inside interface, so I guess your customers are not connected through the outside, through the public Internet?
ip route 200.20.20.0 255.255.255.0 10.10.2.1
ip route 200.20.21.0 255.255.255.0 10.10.2.1
ip route 200.20.22.0 255.255.255.0 10.10.2.1
In short, I think it would be helpful if you provide a detailed drawing of what your topology looks like.
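The packet-handling order behind Rick's and Georg's replies (a static port translation matches only its own protocol and port, so an echo request to X.X.X.62 is never translated and is handed to the router itself, where the zone Loopback6 belongs to decides its fate) as an added Python model. It is not part of the thread and not Cisco code: it parses the seven `ip nat inside source static` lines posted above and applies a deliberately simplified zone-based-firewall rule set (zoned-to-unzoned traffic dropped, intra-zone allowed, missing zone-pair and class-default dropped). Assumptions: 203.0.113.62 stands in for the redacted X.X.X.62, the outside-to-inside pair with an `inspect` class is invented for the scenario, and the source 209.163.240.162 is the one the poster named. One caveat for a real box: IOS evaluates traffic terminating on the router's own addresses against the self zone, so confirm with `show zone-pair security` and `show policy-map type inspect zone-pair` rather than relying on the loopback's zone as this model does.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample input: the static port translations from the thread, with
# X.X.X.62 replaced by the documentation address 203.0.113.62 (an assumption).
NAT_CONFIG = """
ip nat inside source static tcp 200.20.21.142 554 203.0.113.62 554 extendable
ip nat inside source static tcp 200.20.21.142 9200 203.0.113.62 9200 extendable
ip nat inside source static tcp 200.20.21.142 22609 203.0.113.62 22609 extendable
ip nat inside source static udp 200.20.21.142 22609 203.0.113.62 22609 extendable
ip nat inside source static tcp 200.20.21.142 37777 203.0.113.62 37777 extendable
ip nat inside source static tcp 200.20.21.142 37778 203.0.113.62 37778 extendable
ip nat inside source static udp 200.20.21.142 37778 203.0.113.62 37778 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<local>\S+) (?P<lport>\d+) "
    r"(?P<glob>\S+) (?P<gport>\d+)"
)

NatTable = Dict[Tuple[str, str, int], Tuple[str, int]]


def parse_static_port_nat(config: str) -> NatTable:
    """Map (proto, inside-global address, global port) -> (inside-local address, local port)."""
    table: NatTable = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[(m["proto"], m["glob"], int(m["gport"]))] = (m["local"], int(m["lport"]))
    return table


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # ICMP has no port, so it can never hit a port entry


def nat_outside_to_inside(pkt: Packet, table: NatTable, router_addrs: Set[str]) -> Tuple[str, Packet]:
    """Outside-to-inside order of operations: translation is applied before routing.

    'translated': destination rewritten to the inside host.
    'router-local': no entry matched and the destination is one of the router's
    own addresses (Loopback6), so the router itself terminates the packet.
    'routed': forwarded unchanged.
    """
    hit = table.get((pkt.proto, pkt.dst, pkt.dport))
    if hit is not None:
        local_ip, local_port = hit
        return "translated", Packet(pkt.src, local_ip, pkt.proto, local_port)
    if pkt.dst in router_addrs:
        return "router-local", pkt
    return "routed", pkt


Policy = List[Tuple[Callable[[Packet], bool], str]]  # ordered (class match, action)


def zbf_verdict(ingress_zone: Optional[str], egress_zone: Optional[str],
                zone_pairs: Dict[Tuple[str, str], Policy], pkt: Packet) -> str:
    """Simplified zone-based firewall decision for one packet between two interfaces."""
    if ingress_zone is None and egress_zone is None:
        return "allow"        # neither interface is zoned: ZBF is not involved
    if ingress_zone is None or egress_zone is None:
        return "drop"         # a zoned interface never exchanges traffic with an unzoned one
    if ingress_zone == egress_zone:
        return "allow"        # intra-zone traffic passes by default
    policy = zone_pairs.get((ingress_zone, egress_zone))
    if policy is None:
        return "drop"         # no zone-pair in this direction: default deny
    for matches, action in policy:
        if matches(pkt):
            return action
    return "drop"             # class class-default -> drop


def trace(pkt: Packet, table: NatTable, router_addrs: Set[str], ingress_zone: str,
          loopback_zone: Optional[str], inside_zone: str,
          zone_pairs: Dict[Tuple[str, str], Policy]) -> Tuple[str, str, Optional[int], str]:
    """Run one packet arriving on the outside interface through NAT, then ZBF."""
    disposition, inner = nat_outside_to_inside(pkt, table, router_addrs)
    egress_zone = loopback_zone if disposition == "router-local" else inside_zone
    return disposition, inner.dst, inner.dport, zbf_verdict(ingress_zone, egress_zone, zone_pairs, inner)


# Scenario data (zone names from the thread; the inside pair's inspect class is assumed).
TABLE = parse_static_port_nat(NAT_CONFIG)
ROUTER = {"203.0.113.62"}
OUTSIDE, INSIDE, DMZ = "E_FW_OUTSIDE_ZONE", "E_FW_INSIDE_ZONE", "DMZ_LOOPBACK"
PAIRS_BEFORE = {(OUTSIDE, INSIDE): [(lambda p: p.dst == "200.20.21.142", "inspect")]}
PAIRS_AFTER = dict(PAIRS_BEFORE)  # Georg's extra zone-pair passing ICMP to the loopback
PAIRS_AFTER[(OUTSIDE, DMZ)] = [(lambda p: p.proto == "icmp" and p.dst == "203.0.113.62", "pass")]

PING = Packet("209.163.240.162", "203.0.113.62", "icmp")
RTSP = Packet("209.163.240.162", "203.0.113.62", "tcp", 554)
HTTP = Packet("209.163.240.162", "203.0.113.62", "tcp", 80)
```

`trace(PING, TABLE, ROUTER, OUTSIDE, None, INSIDE, PAIRS_BEFORE)` models the poster's current state: the echo request is not translated and the unzoned loopback causes a drop, while `trace(RTSP, ...)` shows tcp/554 being rewritten to 200.20.21.142:554 and handled by the outside-to-inside pair. With the loopback in DMZ_LOOPBACK and the extra pair, the ping passes but tcp/80 to the same address still falls to class-default and is dropped.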
04-08-2019 12:19 PM - edited 04-16-2019 09:49 AM
Hi, @Georg Pauwen
Yes, Loopback6 is the same as the IP address used in static NAT entries.
I am attaching 2 diagrams here that I think might make sense of how it is laid out.
04-08-2019 02:21 PM
Hello,
did you apply the changes to the ZBF that I suggested, and if so, what if you remove all static NAT entries for the Loopback ?
--> no ip nat inside source static tcp 200.20.21.142 554 X.X.X.62 554 extendable
--> no ip nat inside source static tcp 200.20.21.142 9200 X.X.X.62 9200 extendable
--> no ip nat inside source static tcp 200.20.21.142 22609 X.X.X.62 22609 extendable
--> no ip nat inside source static udp 200.20.21.142 22609 X.X.X.62 22609 extendable
--> no ip nat inside source static tcp 200.20.21.142 37777 X.X.X.62 37777 extendable
--> no ip nat inside source static tcp 200.20.21.142 37778 X.X.X.62 37778 extendable
--> no ip nat inside source static udp 200.20.21.142 37778 X.X.X.62 37778 extendable
04-08-2019 02:51 PM
Hello, @Georg Pauwen
I didn't make any changes so far; I just need confirmation from you, so that is the reason I posted the topology.
I am going to make the changes you mentioned as soon as possible.
Each static NAT is configured in such a way that it tells the remote site IP 200.20.21.142 to NAT inside with the public IP X.X.X.62 and to open the particular ports for that customer.
Do you still want me to remove all static NAT entries for the loopback as mentioned?
Thanks.