06-06-2017 03:22 AM - edited 03-08-2019 10:52 AM
Hi, I work for an ISP and have just implemented NAT and an ACL. When I try to ping the customer router, I'm not able to reach it from my edge router, which is connected to the customer.
Customer Configuration below:
ip nat pool ICTD 10.10.10.1 10.10.10.2 netmask 255.255.255.252
ip nat inside source list 23 pool ICTD overload
ip nat inside source static 192.168.0.5 10.10.10.1
10.10.10.1-10.10.10.2 is the public IP range; the first IP is the same as the static NAT public IP.
ACL configurations
access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any
06-06-2017 03:51 AM
What about if the following line is included:
access-list 110 permit icmp any any
or
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
Are you pinging the interface directly connected to your router? The ACL is configured on your side, right?
06-06-2017 04:46 AM
Yes, I'm pinging from my router, which is directly connected to the customer. The ACL is configured on the client; on my router there is no ACL. Okay, let me try the above configs you gave.
06-07-2017 04:43 AM
are you using VRF under the interface facing to the client?
06-07-2017 06:17 AM
No VRF on the interface; it's just a subinterface.
06-07-2017 06:37 AM
Do you see the MAC address of the neighbor interface with ARP from your router? I think you already removed the ACL and it's the same story, right?
Are you trying to ping the IP 10.10.10.1, or what is the destination? What is the IP under the client interface?
Is it possible to know the configuration of your interface and the interface on the client side?
06-09-2017 07:43 AM
ip nat inside source static tcp 192.168.0.5 25 10.10.10.1 25 worked, after reloading the router.
Thanks guys
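A small model of the two static NAT forms discussed above, as an added example (not from the thread). It assumes the ping destination was 10.10.10.1 and that the customer router's WAN interface itself holds that address, which is what makes a whole-address static NAT swallow inbound ICMP.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of Cisco-style "ip nat inside source static" entries.
@dataclass(frozen=True)
class StaticNat:
    inside_ip: str
    outside_ip: str
    proto: Optional[str] = None   # None = all protocols (plain static NAT)
    port: Optional[int] = None    # only meaningful with proto tcp/udp

@dataclass(frozen=True)
class Packet:
    proto: str                    # "icmp", "tcp" or "udp"
    dst_ip: str
    dst_port: Optional[int] = None

def inbound_target(pkt: Packet, statics: list[StaticNat], router_ips: set[str]) -> str:
    """Return who receives an outside->inside packet.
    Static entries are consulted before the router considers the address
    its own, so a whole-address static NAT forwards every protocol inside."""
    for s in statics:
        if pkt.dst_ip != s.outside_ip:
            continue
        if s.proto is None:                       # plain static NAT owns the whole address
            return f"translated to {s.inside_ip}"
        if pkt.proto == s.proto and pkt.dst_port == s.port:
            return f"translated to {s.inside_ip}:{s.port}"
    if pkt.dst_ip in router_ips:                  # nothing matched: router answers itself
        return "answered by router"
    return "dropped (no translation, not a local address)"

# Original config from the thread: whole-address static NAT.
BEFORE = [StaticNat("192.168.0.5", "10.10.10.1")]
# Config that worked: only TCP/25 is forwarded to the mail server.
AFTER = [StaticNat("192.168.0.5", "10.10.10.1", "tcp", 25)]
ROUTER_IPS = {"10.10.10.1"}   # assumption: WAN interface uses the first pool address

PING = Packet("icmp", "10.10.10.1")
SMTP = Packet("tcp", "10.10.10.1", 25)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "ping ->", inbound_target(PING, cfg, ROUTER_IPS))
        print(label, "smtp ->", inbound_target(SMTP, cfg, ROUTER_IPS))
```

With the original entry the echo request is handed to 192.168.0.5, so the ISP side never sees a reply from the router; with the port-specific entry only SMTP is forwarded and the router answers the ping itself.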
06-09-2017 07:48 AM
Thank you for the update.
06-09-2017 08:58 AM
You should not have needed a reload, just a clearing of the translations, but glad to hear it is working.
Jon
06-11-2017 11:59 PM
Yeah, I tried clearing the translations but it returned an error, so I ended up reloading.
06-07-2017 04:55 AM
I am not sure if you have control over the remote router, but they might have an access list configured on the WAN interface that blocks ICMP. We have the same setup, and for testing we have to remove the ACL so the ISP router can ping our outside address.
06-07-2017 06:16 AM
I have control of the remote router; I manage it. The ACL which is there is:
access-list 110 permit tcp any host 10.10.10.1 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any
06-07-2017 06:24 AM
Thanks for your reply. Can you create an access list with the NATed address as the source and the remote router's WAN address as the destination, and then debug the access list on the remote router? You can try this on both sides to confirm whether ICMP packets are even reaching the endpoint. You may have already tried this.
06-07-2017 06:40 AM
OK, will get back; let me create the ACL as you suggest.
06-07-2017 08:18 AM
ACL should be permit icmp or permit ip