01-26-2017 09:04 AM - edited 03-08-2019 09:04 AM
I am unable to ping outside our network from behind the ISR, but from the ISR I can. I believe it is related to my NAT overload, but I am not sure. Please help.
Here is the NAT portion of the config.
ip nat inside source list unit-nat-outbound pool unit-nat overload
ip access-list extended unit-nat-outbound
permit tcp 10.10.0.0 0.0.255.255 any
permit udp 10.10.0.0 0.0.255.255 any
permit tcp 192.168.8.0 0.0.7.255 any
permit udp 192.168.8.0 0.0.7.255 any
I believe I need something like this....
per icmp 10.10.0.0 0.0.255.255 any
Thanks,
Ken
01-26-2017 09:18 AM
The access-list used in the nat configuration is different.
ip nat inside source list nat-outbound pool -nat overload
ip access-list extended unite-nat-outbound
01-26-2017 09:27 AM
My bad. I had changed them to match and I forgot to correct my post. The names match and the issue is still there.
01-26-2017 09:32 AM
Have you tried adding ICMP into the NAT access-list?
01-26-2017 10:02 AM
Based on my ACL, it should be as simple as adding...
per icmp 10.10.0.0 0.0.255.255 any for the 10.10.0.0 network, or
per icmp any any for all of our networks, right?
01-26-2017 10:12 AM
Yes, it would be pretty simple. If you permit icmp any any, then it is any source to any destination. If you permit specific networks as source, you make it more specific and a bit more secure. But either approach would solve your issue about pinging outside your network.
HTH
Rick
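An added example, not part of the thread and not Cisco code: a small Python model of how the posted NAT source list is evaluated, showing why TCP and UDP from the inside networks are translated while ICMP is not, and that the proposed entry fixes ping only for 10.10.0.0. It assumes first-match evaluation with an implicit deny at the end; the function names and sample flows are constructed for illustration.

```python
import ipaddress

# ACL as posted in the thread (the NAT source list), one entry per line.
POSTED_ACL = """\
permit tcp 10.10.0.0 0.0.255.255 any
permit udp 10.10.0.0 0.0.255.255 any
permit tcp 192.168.8.0 0.0.7.255 any
permit udp 192.168.8.0 0.0.7.255 any
"""
# Entry proposed in the thread, written out in full ("per" abbreviates "permit").
PROPOSED_ENTRY = "permit icmp 10.10.0.0 0.0.255.255 any\n"


def parse_acl(text):
    """Parse 'action proto src wildcard any' lines into tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        action, proto, src, wildcard, dst = fields
        if dst != "any":
            raise ValueError("only 'any' destinations are handled here")
        entries.append((action, proto, int(ipaddress.IPv4Address(src)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries


def source_matches(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; all other bits must match."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


def nat_eligible(entries, proto, src):
    """First match wins; no match falls to the implicit deny (assumed model)."""
    for action, acl_proto, base, wildcard in entries:
        if acl_proto in (proto, "ip") and source_matches(src, base, wildcard):
            return action == "permit"
    return False


if __name__ == "__main__":
    posted = parse_acl(POSTED_ACL)
    fixed = parse_acl(POSTED_ACL + PROPOSED_ENTRY)
    # Constructed sample flows: (protocol, inside source address)
    for proto, src in [("tcp", "10.10.5.20"), ("icmp", "10.10.5.20"),
                       ("icmp", "192.168.12.7"), ("udp", "192.168.16.1")]:
        print(proto, src, nat_eligible(posted, proto, src),
              nat_eligible(fixed, proto, src))
```

The 192.168.8.0 0.0.7.255 entries cover 192.168.8.0 through 192.168.15.255, so hosts in that range would need their own ICMP entry as well if they must ping outside.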
01-26-2017 10:51 AM
Cisco Freak and Richard Burts, thanks for your help!!
01-26-2017 10:36 AM
You are right!