02-08-2017 03:51 PM - edited 03-05-2019 08:00 AM
Hey Guys,
I am not able to ping the LAN side of my network, GigabitEthernet0/0/1, from the outside.
I can ping .225 (GigabitEthernet0/0/1) from the router and from my FW (.226).
I can't access the FW from outside of my network.
This is the running config:
Building configuration...
Current configuration : 1861 bytes
!
! Last configuration change at 22:42:37 UTC Wed Feb 8 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
no ip domain lookup
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip name-server 8.8.8.8
!
!
subscriber templating
multilink bundle-name authenticated
!
!
license udi pid ISR4331/K9 sn FDO19261JAM
!
!
redundancy
mode none
!
ip tftp source-interface GigabitEthernet0
!
!
interface GigabitEthernet0/0/0
description Broadband CenturyLink Internet
ip address 208.44.15.210 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN To Firewall
ip address 216.207.122.225 255.255.255.240
ip nat inside
ip access-group 102 in
ip access-group 102 out
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 208.44.15.209
!
!
ip access-list standard Access
permit 216.207.122.0 0.0.0.255
!
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 443
access-list 102 permit ip any any
!
!
!
control-plane
!
!
line con 0
password
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password
login
!
!
end
#
Do I have the right access list or IP route?
Thanks
02-08-2017 07:34 PM
Hello,
1- Your access-list does not have any effect on pinging 216.207.122.225.
2- Your access-list does not have any effect at all, since you have allowed everything with the following command: access-list 102 permit ip any any
3- 216.207.122.225 is a public address. Why do you do NAT? You probably do not need NAT. If you remove the NAT statements, your problem will be solved.
4- Access-list 1 is missing: ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
Masoud
02-08-2017 11:55 PM
Hi pcastill1976,
As mentioned by [@m.pourshabani], a public IP has been configured on GigabitEthernet0/0/1, which does not need to be NAT translated. Moreover, you gave access-list 1 in your ip nat statement, and that access-list does not exist.
Regards
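Both replies point at the same defects in the posted configuration: the NAT rule references access-list 1, which is never defined, and access-list 102 filters nothing because it permits all IP traffic. The check below is an added example, not part of the thread and not Cisco tooling; the name `audit_acls` and the finding labels are made up for this sketch, the sample is the relevant lines copied from the posted config, and it goes slightly beyond the replies by also reporting ACLs that are defined but never referenced.

```python
import re

# Constructed sample: the ACL- and NAT-related lines from the running config posted above.
SAMPLE = """\
interface GigabitEthernet0/0/1
ip nat inside
ip access-group 102 in
ip access-group 102 out
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip access-list standard Access
permit 216.207.122.0 0.0.0.255
access-list 102 permit icmp any any echo-reply
access-list 102 permit tcp any any eq 443
access-list 102 permit ip any any
"""

# Places where a config line points at an ACL by number or name.
REFERENCE = re.compile(r"ip (?:access-group (\S+) (?:in|out)|nat inside source list (\S+) )")

def audit_acls(config):
    """Return sorted (finding, acl) pairs for an IOS-style configuration text."""
    defined, referenced, current = {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        numbered = re.match(r"access-list (\S+) (.+)", line)
        named = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if numbered:
            defined.setdefault(numbered.group(1), []).append(numbered.group(2))
            current = None
        elif named:
            current = named.group(1)          # entries of a named ACL follow on later lines
            defined.setdefault(current, [])
        elif current and (m := re.match(r"(?:\d+ )?((?:permit|deny|remark) .+)", line)):
            defined[current].append(m.group(1))
        else:
            current = None
            if ref := REFERENCE.match(line):
                referenced.add(ref.group(1) or ref.group(2))
    findings = [("undefined", acl) for acl in referenced if acl not in defined]
    findings += [("unreferenced", acl) for acl in defined if acl not in referenced]
    for acl, entries in defined.items():
        for entry in entries:
            if entry.startswith("deny"):
                break                         # something is filtered before any catch-all
            if entry == "permit ip any any":  # extended-ACL catch-all with no deny before it
                findings.append(("permits-everything", acl))
                break
    return sorted(findings)

if __name__ == "__main__":
    for finding, acl in audit_acls(SAMPLE):
        print(f"{finding}: ACL {acl}")
```
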
02-09-2017 09:14 AM
Thank you guys. It works now. I followed your recommendation.