Solved: Unable to ping the LAN side from the outside

pcastill1976 · ‎02-08-2017

Hey Guys,

I am not able to ping the LAN side of my network GigabitEthernet0/0/1 from the outside.

I can ping .225 GigabitEthernet0/0/1 from the router and my FW .226

I can't access the FW from outside of my network

This is the running config

Building configuration...

Current configuration : 1861 bytes
!
! Last configuration change at 22:42:37 UTC Wed Feb 8 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!

!
no aaa new-model
no ip icmp rate-limit unreachable
!

no ip domain lookup
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip name-server 8.8.8.8

!
!

subscriber templating
multilink bundle-name authenticated
!
!

license udi pid ISR4331/K9 sn FDO19261JAM
!
!
redundancy
mode none
!

ip tftp source-interface GigabitEthernet0
!
!

interface GigabitEthernet0/0/0
description Broadband CenturyLink Internet
ip address 208.44.15.210 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN To Firewall
ip address 216.207.122.225 255.255.255.240
ip nat inside
ip access-group 102 in
ip access-group 102 out
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 208.44.15.209
!
!
ip access-list standard Access
permit 216.207.122.0 0.0.0.255
!
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 443
access-list 102 permit ip any any
!
!
!
control-plane
!
!
line con 0
password
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password
login
!
!
end

#

Do I have the right access list or IP route?

Thanks

Masoud Pourshabanian · ‎02-08-2017

Hello,

1- Your access-list does not have any effect on pinging 216.207.122.225

2- Your access-list does not have effect at all since you have allowed everything by following command access-list 102 permit ip any any

3- 216.207.122.225 is a public address. Why do you do NAT? You probably do not need NAT. If you remove the NAT statements, your problem will be solved.

4- Access-list 1 is missing: ip nat inside source list 1 interface GigabitEthernet0/0/0 overload:

Masoud

View solution in original post

azibnaseem · ‎02-08-2017

Hi pcastill1976 '

As mentioned by [@m.pourshabani] that a public IP has been configured on Gigabitethernet0/0/1, which is no need to be NAT Translated. Moreover you gave access-list 1 in your IP nat statement & access-list does not exist.

Regards'

View solution in original post

Masoud Pourshabanian · ‎02-08-2017

Hello,

1- Your access-list does not have any effect on pinging 216.207.122.225

2- Your access-list does not have effect at all since you have allowed everything by following command access-list 102 permit ip any any

3- 216.207.122.225 is a public address. Why do you do NAT? You probably do not need NAT. If you remove the NAT statements, your problem will be solved.

4- Access-list 1 is missing: ip nat inside source list 1 interface GigabitEthernet0/0/0 overload:

Masoud

pcastill1976 · ‎02-09-2017

Thank you guys. It works now. I followed your recommendation

azibnaseem · ‎02-09-2017

Hey pcastill1976 ,

Glad to hear that your problem has been resolved.

Regards'

azibnaseem · ‎02-08-2017

Hi pcastill1976 '

As mentioned by [@m.pourshabani] that a public IP has been configured on Gigabitethernet0/0/1, which is no need to be NAT Translated. Moreover you gave access-list 1 in your IP nat statement & access-list does not exist.

Regards'