Pinging from behind a C921-4P Router

EPearson117
Level 1

Hello,

I have a Cisco C921-4P router. I have set up this router to allow my private network (10.10.0.x) to pass through using a NAT to see systems on my company network (10.161.x.x).

The issue I am having is that I am unable to ping systems on my company network on the VLAN 10.161.1.x, which is the same VLAN I am using for the external side of my NAT. However, I am able to ping systems on other VLANs on my company network; for example, I can ping a server at 10.161.22.125. The problem with this is that I need the systems on the private side to communicate with a server that is at 10.161.1.14.

I have attached a quick drawing of what I am trying to do, along with the Router Config, an ipconfig from one of the private systems and some pings from that system.  Any help figuring this out would be great.

Thanks.

Accepted Solutions

Thank you all for taking the time to help with this.

In an attempt to simplify the issue, I factory reset the Cisco C921-4P. I then did a basic config with just the ports I was told I needed (had some help from another engineer here). And wouldn't you know it... it now works fine. So, I am not sure what I did wrong before; I must have configured something I didn't need that was causing interference. But I am now able to reboot all systems and they all connect immediately upon coming up. And I have no pinging issues.

I have attached a copy of my new config if you are interested in looking at it.

Again, thank you all for your assistance!

17 Replies

Hello,

What is the device named 'House LAN'? Is that another router or switch? What is the default gateway of the server with IP address 10.161.22.125, and on which device is that default gateway configured?

Hi Georg,

The House LAN is my company's LAN network. The default gateway for that system is 10.161.22.1. I don't know what the devices are that they use as I am not in IT.

Thanks.

The packet is NATed using ip nat source, and the return packet is also NATed using ip nat destination!!

Why did you add ip nat destination????

Hello,

The IP NAT destination is a port forwarding for specific traffic that is originating from the 10.161.1.14 server. It is a SIP call to the 10.10.0.25 system to begin streaming live video.

Thanks.

I will run a lab to try to match your conditions and see where the problem is.
I will update you tonight after the football match, LoL.

amikat
Level 7

Hi,

Will you please post the sh ip rou router command output?

Thanks & Regards,

Antonin

Hello,

Attached is the sh ip rou command you asked for.

Thanks.

Hi,

Thanks for the information supplied. Can you ping the server 10.161.1.14 from the router itself? Also please check the server FW settings.

Best regards,

Antonin

Hello,

So this gets stranger. I have found that if I reboot the 10.161.1.14 server I am then unable to do the pings from the client system (10.10.0.25). However, after about 4 hours they seem to connect, and then I get a reply to the ping. I ran Wireshark from both sides and it looks like the client is sending a SIP UA request to the server and when the server goes to reply it is showing (in Wireshark) a 407 proxy authentication error. During this time is when I cannot ping the server. However, once that error goes away and they connect I then get a reply on the ping.

What is strange about this is that I don't make any changes in that time frame. I can go right now and reboot the server and 4 hours later they will connect.

I tried to look at SIP UA settings on the Cisco, but apparently the C921-4P doesn't have any. When I looked at the show commands, SIP is not a valid option.

Thanks.

Also, yes I can ping 10.161.1.14 from the router.  I can also ping it from other systems on the 10.161.1.x VLAN so I know the server is open to accepting ping requests.

Hi,

Thanks for the information supplied. Can you please try to disable SIP ALG with the (global) configuration commands below

no ip nat service sip udp port 5060
no ip nat service sip tcp port 5060

and check if there is any change.

Best regards,

Antonin

Hello,

That did not fix the issue. The only change I see so far is that it seems that the client is now sending SIP requests more often. Before I made this change it would send a new request every 10-15 seconds. Now it is sending one every second.

I will have to wait to see if it ever finally connects. Like I mentioned, before I made this change it would take 4 hours for it to connect.

Thanks.

Hi,

Thanks for the update. Can you please update your NAT configuration so as to explicitly exempt your static NAT from dynamic PAT, i.e.:

1) configure extended ACL as follows:

access-list 101 deny tcp host 10.10.0.25 eq 5060 host 10.161.1.24 eq 5060
access-list 101 deny udp host 10.10.0.25 eq 5060 host 10.161.1.24 eq 5060
access-list 101 permit ip any any

2) modify dynamic nat command with ACL 101:

ip nat inside source list 101 interface GigabitEthernet4 overload

and after clearing ip nat translations check if that makes any difference.

As the issue may be SIP related, can you please check whether your SIP peers (UA client and server) can support NAT-T (NAT traversal) and, if yes, whether it is configured.

Also, as I suggest making only one change at a time, can you please restore the default SIP ALG (the configuration commands with "no" omitted) before doing any other changes.

Thanks & Regards,

Antonin
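
Added example (not part of Antonin's reply or the poster's configuration): a small Python first-match evaluator run over ACL 101 exactly as posted, showing which flows the overload rule would still translate and which it would exempt. It assumes standard extended-ACL semantics (first match wins, implicit deny at the end) and uses constructed sample flows built from addresses mentioned in the thread; the server named in the thread is 10.161.1.14, while the posted ACL names 10.161.1.24.

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # CIDR; 0.0.0.0/0 stands for "any"
    sport: Optional[int]   # None = any source port
    dst: str
    dport: Optional[int]   # None = any destination port

# ACL 101 exactly as posted in the reply above.
ACL_101 = [
    Ace("deny", "tcp", "10.10.0.25/32", 5060, "10.161.1.24/32", 5060),
    Ace("deny", "udp", "10.10.0.25/32", 5060, "10.161.1.24/32", 5060),
    Ace("permit", "ip", "0.0.0.0/0", None, "0.0.0.0/0", None),
]

def first_match(acl, proto, src, dst, sport=None, dport=None):
    """Return (index, action) of the first matching entry; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ipaddress.ip_network(ace.src) or d not in ipaddress.ip_network(ace.dst):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return i, ace.action
    return None, "deny"

def uses_dynamic_pat(proto, src, dst, sport=None, dport=None):
    """permit = eligible for the overload rule; deny = exempt from it."""
    return first_match(ACL_101, proto, src, dst, sport, dport)[1] == "permit"

# Constructed sample flows (not captured traffic).
FLOWS = [
    ("icmp", "10.10.0.25", "10.161.1.14", None, None),   # the failing ping
    ("udp", "10.10.0.25", "10.161.1.14", 5060, 5060),    # SIP to the thread's server
    ("udp", "10.10.0.25", "10.161.1.24", 5060, 5060),    # SIP to the ACL's host
    ("udp", "10.10.0.25", "10.161.1.24", 49152, 5060),   # ephemeral source port
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "-> dynamic PAT" if uses_dynamic_pat(*flow) else "-> exempt")
```

Only a flow with both source and destination port 5060 to 10.161.1.24 hits a deny entry; every other sample flow, including ICMP to 10.161.1.14, falls through to the final permit.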

Hello,

I believe I have made the changes you suggested, but I have attached a copy of my running-config. Can you please confirm I made the correct changes?

Also, can you tell me how to clear ip nat translations?

Thanks.
