02-08-2017 03:51 PM - edited 03-05-2019 08:00 AM
Hey Guys,
I am not able to ping the LAN side of my network, GigabitEthernet0/0/1, from the outside.
I can ping .225 GigabitEthernet0/0/1 from the router and my FW .226.
I can't access the FW from outside of my network.
This is the running config:
Building configuration...
Current configuration : 1861 bytes
!
! Last configuration change at 22:42:37 UTC Wed Feb 8 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip name-server 8.8.8.8
!
!
subscriber templating
multilink bundle-name authenticated
!
!
license udi pid ISR4331/K9 sn FDO19261JAM
!
!
redundancy
 mode none
!
ip tftp source-interface GigabitEthernet0
!
!
interface GigabitEthernet0/0/0
 description Broadband CenturyLink Internet
 ip address 208.44.15.210 255.255.255.252
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description LAN To Firewall
 ip address 216.207.122.225 255.255.255.240
 ip nat inside
 ip access-group 102 in
 ip access-group 102 out
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 208.44.15.209
!
!
ip access-list standard Access
 permit 216.207.122.0 0.0.0.255
!
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 443
access-list 102 permit ip any any
!
!
!
control-plane
!
!
line con 0
 password
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password
 login
!
!
end
#
Do I have the right access list or IP route?
Thanks
02-08-2017 07:34 PM
Hello,
1- Your access-list does not have any effect on pinging 216.207.122.225.
2- Your access-list does not have any effect at all, since you have allowed everything with the following command: access-list 102 permit ip any any
3- 216.207.122.225 is a public address. Why do you do NAT? You probably do not need NAT. If you remove the NAT statements, your problem will be solved.
4- Access-list 1 is missing: ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
Masoud
02-08-2017 11:55 PM
Hi pcastill1976,
As mentioned by [@m.pourshabani], a public IP has been configured on GigabitEthernet0/0/1, which does not need to be NAT translated. Moreover, you gave access-list 1 in your ip nat statement, and that access-list does not exist.
Regards,
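Both replies point at the same defects in the posted config: the NAT rule references access-list 1, which is never defined, and ACL 102 filters nothing. The Python sketch below is an added example, not part of the original thread, that flags those conditions automatically; the function name audit_acls and the trimmed sample config are assumptions, and it only understands the command forms that appear in the posted config.

```python
import re

# Constructed sample: the ACL-relevant lines of the running config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 ip nat inside
 ip access-group 102 in
 ip access-group 102 out
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip access-list standard Access
 permit 216.207.122.0 0.0.0.255
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 443
access-list 102 permit ip any any
"""

def audit_acls(config):
    """Return (missing, unused, no_filter) lists of ACL names (hypothetical helper)."""
    defined = {}        # ACL name or number -> list of its entries
    referenced = set()  # ACLs used by ip access-group or ip nat ... list
    current = None      # named ACL whose entries are currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (.+)", line):
            defined.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            current = m.group(1)
            defined.setdefault(current, [])
        elif current and re.match(r"(?:\d+ )?(?:permit|deny) ", line):
            defined[current].append(re.sub(r"^\d+ ", "", line))
        else:
            current = None
            if m := re.search(r"ip access-group (\S+) (?:in|out)", line):
                referenced.add(m.group(1))
            elif m := re.match(r"ip nat (?:inside|outside) source list (\S+)", line):
                referenced.add(m.group(1))
    missing = sorted(referenced - set(defined))
    unused = sorted(set(defined) - referenced)
    # An applied ACL with a catch-all permit and no deny entry filters nothing.
    no_filter = sorted(
        name for name, entries in defined.items()
        if name in referenced
        and not any(e.startswith("deny") for e in entries)
        and any(e in ("permit ip any any", "permit any") for e in entries))
    return missing, unused, no_filter

if __name__ == "__main__":
    for label, names in zip(("missing", "unused", "no-filter"), audit_acls(SAMPLE_CONFIG)):
        print(f"{label}: {', '.join(names) or '-'}")
```

On the sample it reports access-list 1 as referenced but undefined, the named list Access as defined but never applied, and 102 as an applied ACL that permits everything.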
02-09-2017 09:14 AM
Thank you guys. It works now. I followed your recommendation.