Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1004
Views
25
Helpful
8
Replies

Unable to hit outside interface from outside - Cisco ISR4400

RiverdanceMcqueen
Level 1
Level 1

‎04-23-2018 03:45 AM - edited ‎03-05-2019 10:19 AM

In my current setup I have an ISR4400 directly connected to the ISP. I am able to connect to the internet from the inside and ping any public IP as well as the outside interface IP.. However, I can not ping the outside interface from an outside IP. I am able to ping the next hop router from outside as well.

 

I have created inside / outside zones and applied the relevant policy and class maps. I also created policies and maps and pairs for the self zone as a test in case for some reason the router was not doing the default behaviour.

 

For now my class-map refers to an ACL that only allows ICMP from outside to inside.

 

I saw on another thread about adding a route to the outside interface....is this the issue? If so where is it added as I was unable to add a route outside.

 

Thanks in advance

 

orange#show running-config 
Building configuration...


Current configuration : 4014 bytes
!
! Last configuration change at 12:11:21 UTC Mon Apr 16 2018 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname orange
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
! 
enable secret 5 $1$DRvZ$GDXrCeYcWavEfyoHWYH6j.
enable password xxxxxx
! 
aaa new-model
! 
! 
aaa authentication login userauthen local
aaa authorization exec default local 
aaa authorization network groupauthor local 
! 

! 
aaa session-id common
! 
! 
ip domain name rtr.xxxxxx.com
ip dhcp excluded-address 10.0.25.1 10.0.25.49
! 
ip dhcp pool internal-lan
import all
network 10.0.25.0 255.255.255.0
default-router 10.0.25.1 
dns-server 8.8.8.8 
domain-name xxxx-xxxx.com
! 
! 
subscriber templating
! 
multilink bundle-name authenticated
! 
! 
license udi pid ISR4451-X/K9 sn FOC211587U8
license boot level securityk9
! 
spanning-tree extend system-id
! 
username xxxxx privilege 15 password 0 xxxxxx
username xxxxx privilege 15 password 0 xxxxxx
! 
redundancy
mode none
! 
! 
vlan internal allocation policy ascending
! 
! 
class-map type inspect match-any outside-inside-class
match access-group name outside-inside-acl
class-map type inspect match-any outside-self-class
match protocol icmp
match protocol https
match protocol http
match protocol dns
match protocol tcp
class-map type inspect match-any self-outside-class
match protocol icmp
match protocol http
match protocol https
match protocol dns
match protocol tcp
class-map type inspect match-any myinspectclass
match protocol http
match protocol https
match protocol tcp
match protocol dns
match protocol icmp
! 
policy-map type inspect self-outside-policy
class type inspect self-outside-class
inspect 
class class-default
policy-map type inspect outside-inside-policy
class type inspect outside-inside-class
inspect 
class class-default
policy-map type inspect outside-self-policy
class type inspect outside-self-class
inspect 
class class-default
policy-map type inspect myinspectpolicy
class type inspect myinspectclass
inspect 
class class-default
! 
zone security inside
description LAN
zone security outside
description Internet
zone-pair security in-out source inside destination outside
service-policy type inspect myinspectpolicy
zone-pair security out-self source outside destination self
service-policy type inspect outside-self-policy
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-inside-policy
zone-pair security self-outside source self destination outside
service-policy type inspect self-outside-policy
! 
! 
! 
interface GigabitEthernet0/0/0
ip address 10.0.25.1 255.255.255.0
ip nat inside
zone-member security inside
negotiation auto
! 
interface GigabitEthernet0/0/1
no ip address
shutdown 
negotiation auto
! 
interface GigabitEthernet0/0/2
no ip address
shutdown 
negotiation auto
! 
interface GigabitEthernet0/0/3
no ip address
shutdown 
negotiation auto
! 
interface GigabitEthernet0/1/0
description Internet
ip address 84.207.207.94 255.255.255.252
ip nat outside
zone-member security outside
negotiation auto
! 
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown 
negotiation auto
! 
interface Vlan1
no ip address
shutdown 
! 
ip nat inside source list 100 interface GigabitEthernet0/1/0 overload
ip forward-protocol nd
ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 84.207.207.93
ip scp server enable
! 
! 
ip access-list extended outside-inside-acl
permit icmp any any
! 
access-list 100 permit ip any any
! 
! 
control-plane
! 
! 
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4

Labels:
0 Helpful
8 Replies 8

rasmus.elmholt
Level 7
Level 7

‎04-23-2018 06:37 AM

Are you sure you ISP isn't blocking it for security reasons?
0 Helpful

RiverdanceMcqueen
Level 1
Level 1
In response to rasmus.elmholt

‎04-23-2018 07:02 AM

I've been able to hit it before so unless they've changed that policy I would guess not. I've tried other types of traffic besides ICMP such as SSH and that is also not working

0 Helpful

rasmus.elmholt
Level 7
Level 7
In response to RiverdanceMcqueen

‎04-23-2018 07:25 AM - edited ‎04-23-2018 07:31 AM

Found this in another post "We cannot Inspect a class-map that we matched via a layer 7 protocol/application (We can only inspect layer 4 class-map matches)"
https://supportforums.cisco.com/t5/security-documents/zbfw-self-zone-integration/ta-p/3154572

 

But they use it in this example along with an ACL:

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#accesscontrol

 

Let me know if it helps.

Dennis Mink
VIP Alumni
VIP Alumni

‎04-23-2018 07:10 AM

your inspect lists are not the same as access-list you need an access list on your outside interface to allow icmp as well.

Please remember to rate useful posts, by clicking on the stars below.

rasmus.elmholt
Level 7
Level 7
In response to Dennis Mink

‎04-23-2018 07:17 AM

There are no ACL on the outside interface so everything should be allowed.

Dennis Mink
VIP Alumni
VIP Alumni
In response to rasmus.elmholt

‎04-23-2018 03:52 PM

I would put one in and maybe do a permit any any or a specific permit icmp from your IP address, you are pinging from so you can at least confirm if the pings are hitting your outside interface

Please remember to rate useful posts, by clicking on the stars below.

rasmus.elmholt
Level 7
Level 7
In response to Dennis Mink

‎04-24-2018 05:44 AM

Yes good idea.
Configure an ACL on the outside interface that allows ICMP with the log statement, and rememeber to allow "ip any" as well.
Or maybe do a debug ip packets with an ACL that only allows ICMP. Be carefull if this is a production environment.

RiverdanceMcqueen
Level 1
Level 1
In response to rasmus.elmholt

‎04-26-2018 07:48 AM

Thank you all for the replies so far.

 

I got frustrated so just wiped the config. I have left the router pinging whilst I add commands to it to see where it is going wrong. It stops replying to ping when I add "IP Nat Outside" to the external facing interface... My NAT set up is a basic:

 

ip nat inside source list 100 interface GigabitEthernet0/1/0 overload

 

access-list 100 permit ip any any

 

Do I need to add something for my outside too?

 

I apologise that I am very much a noob here and there is probably something very obvious!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card