Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
0
Helpful
7
Replies

ICMP traffic doesn't flow through ISR4431

KEN COUSINO JR.
Level 1
Level 1

‎01-26-2017 09:04 AM - edited ‎03-08-2019 09:04 AM

I am unable to ping outside our network from behind the ISR but from the ISR I can.  I believe it is related to my nat overload but not sure.  Please help.

Here is the nat portion of the config.

ip nat inside source list unit-nat-outbound pool unit-nat overload

ip access-list extended unit-nat-outbound
permit tcp 10.10.0.0 0.0.255.255 any
permit udp 10.10.0.0 0.0.255.255 any
permit tcp 192.168.8.0 0.0.7.255 any
permit udp 192.168.8.0 0.0.7.255 any

I believe I need something like this....

per icmp 10.10.0.0 0.0.255.255 any 

Thanks,


Ken

Labels:
0 Helpful
7 Replies 7

Cisco Freak
Level 4
Level 4

‎01-26-2017 09:18 AM

The access-list used in the nat configuration is different.

ip nat inside source list nat-outbound pool -nat overload

ip access-list extended unite-nat-outbound

0 Helpful

KEN COUSINO JR.
Level 1
Level 1
In response to Cisco Freak

‎01-26-2017 09:27 AM

My bad.  I had changed them to match and I forgot to correct my post.  The names match and the issue is still there.

0 Helpful

Cisco Freak
Level 4
Level 4
In response to KEN COUSINO JR.

‎01-26-2017 09:32 AM

Have you tried adding ICMP into the NAT access-list?

0 Helpful

KEN COUSINO JR.
Level 1
Level 1
In response to Cisco Freak

‎01-26-2017 10:02 AM

based on my acl it should be as simple as adding...

per icmp 10.10.0.0 0.0.255.255 any for the 10.10.0.0 network, or 

per icmp any any for all of our networks, right?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to KEN COUSINO JR.

‎01-26-2017 10:12 AM

Yes it would be pretty simple. If you permit icmp any any then it is any source to any destination. If you permit specific networks as source you make it more specific and a bit more secure. But either approach would solve your issue about pinging outside your network.

HTH

Rick

HTH

Rick
0 Helpful

KEN COUSINO JR.
Level 1
Level 1
In response to Richard Burts

‎01-26-2017 10:51 AM

Cisco Freak and Richard Burts, thanks for your help!!

0 Helpful

Cisco Freak
Level 4
Level 4
In response to KEN COUSINO JR.

‎01-26-2017 10:36 AM

You are right!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card