Re: PAT and icmp question

Man Ho Lun · ‎03-03-2014

Hi everyone

I got a problem while configuring a 2821 router with using PAT. I have differnet sub-interface in LAN side subnet. There is a host act as a server.

I can access to this server from public network, or inside network with using same subnet as the server and it works fine.

The problem is that I cannot access to the server with different inside subnet. Is it possible that I can ping or access to the server in other subnets?

Thanks a lot. Here is the configuration of my router.

!

interface GigabitEthernet0/0

description WAN

ip address dhcp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map clientmap

!

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/1.10

description Server

encapsulation dot1Q 10

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/1.30

description LAN Segment

encapsulation dot1Q 30

ip address 192.168.3.1 255.255.255.252

ip nat inside

ip virtual-reassembly in

!

ip nat inside source static tcp 192.168.1.101 443 interface GigabitEthernet0/0 443

ip nat inside source static tcp 192.168.1.101 21 interface GigabitEthernet0/0 21

ip nat inside source static tcp 192.168.1.101 53 interface GigabitEthernet0/0 53

ip nat inside source static udp 192.168.1.101 53 interface GigabitEthernet0/0 53

ip nat inside source static udp 192.168.1.101 20 interface GigabitEthernet0/0 20

ip nat inside source static tcp 192.168.1.101 20 interface GigabitEthernet0/0 20

ip nat inside source list NAT interface GigabitEthernet0/0 overload

!

ip access-list extended NAT

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.3.0 0.0.0.255 any

!

Edison Ortiz · ‎03-03-2014

Per router configuration, it seems you have a very small subnet in the LAN segment.

What's the IP address from the device you are trying to ping the server from?

If you have other routers, they need to have IP reachability to the 192.168.1.0/24 segment

Also, this router needs to have IP reachability to theirs.

Regards,

Man Ho Lun · ‎03-03-2014

Thanks for your reply.

It is for a lab use. I set 192.168.1.101 as the server. My PC is set to 192.168.3.2 with gateway .192.168.3.1

My PC can ping 192.168.1.1 or other IP in 192.168.1.0/24, but it only cannot ping 192.168.1.101.

How can I solve this problem, so that I can reach the server either from 192.168.3.0/30 and public network?

Regards

Jan Hrnko · ‎03-03-2014

Hi,

I would suspect either PC or SERVER blocking some of the traffic (possibly because of firewall settings blocking ICMP or other traffic). But because you said the server is reachable from its own subnet and also from outside network, the problem shouldn't be on the server side.

If you want to know if the problem resides at your PC, try to do source ping from the Router from its address:

Router#ping 192.168.1.101 source 192.168.3.2

Please, let us know how did that ping go. In the case of successful ping, you have to check your host PC for misconfiguration/firewall settings.

Best regards,

Jan

Man Ho Lun · ‎03-04-2014

I think it is not misconfiguration on the host..because I have tried to ping from the gateway already and it is still not working.

Router#ping 192.168.1.101 source gigabitEthernet 0/1.30

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.101, timeout is 2 seconds:

Packet sent with a source address of 192.168.3.1

.....

Success rate is 0 percent (0/5)

Jan Hrnko · ‎03-04-2014

Hi,

Great! What kind of operating system do you use? Have you tried it with another PC or so? Please, try to check the firewall rules for ICMP and other protocols that are desirable.

Best regards,

Jan