IP Nat outside blocks SSH & ICMP from WAN to outside int?

I have a Cisco ISR 4400 series with a very simple setup. I have an inside LAN interface and a WAN interface. When ip nat outside is on my WAN-facing interface, my LAN can access the internet; however, I cannot SSH or ping the WAN interface from the internet. If I remove ip nat outside from my WAN interface, I obviously lose internet connection for my LAN but am able to ping and SSH from the internet into my router... I am pulling my hair out over this - please help!

 

Building configuration...

Current configuration : 3780 bytes
!
! Last configuration change at 12:36:19 UTC Fri Apr 27 2018 by xxx
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Orange
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
!
!
no ip domain lookup
ip domain name rtr.xx.com
ip dhcp excluded-address 10.0.25.1 10.0.25.49
!
ip dhcp pool internal-lan
 import all
 network 10.0.25.0 255.255.255.0
 default-router 10.0.25.1
 dns-server 8.8.8.8
 domain-name xx-xx.com
!
!
!!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4451-X/K9 sn FOC211587U8
license boot level securityk9
!
spanning-tree extend system-id
!
username xx privilege 15 password 0 xx
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any inside-outside-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
class-map type inspect match-any outside-inside-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any out-self-class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
class-map type inspect match-any self-out-class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
!
policy-map type inspect self-out-policy
 class type inspect self-out-class
  inspect
 class class-default
  drop log
policy-map type inspect outside-inside-policy
 class type inspect outside-inside-class
  inspect
 class class-default
  drop log
policy-map type inspect inside-outside-policy
 class type inspect inside-outside-class
  inspect
 class class-default
  drop log
policy-map type inspect out-self-policy
 class type inspect out-self-class
  inspect
 class class-default
  drop log
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
 service-policy type inspect inside-outside-policy
zone-pair security out-self source outside destination self
 service-policy type inspect out-self-policy
zone-pair security outside-inside source outside destination inside
 service-policy type inspect outside-inside-policy
zone-pair security self-out source self destination outside
 service-policy type inspect self-out-policy
!
!
!
interface Loopback1
 ip address 11.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 10.0.25.1 255.255.255.0
 ip nat inside
 zone-member security inside
 negotiation auto
!
interface GigabitEthernet0/1/0
 ip address 84.x.x.x 255.255.255.252
 ip nat outside
 zone-member security outside
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip nat inside source list 100 interface GigabitEthernet0/1/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 84..x.x.x
!
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
line con 0
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
!
end

 

2 Accepted Solutions


Richard Burts
Hall of Fame

I believe that your issue is related to using permit any any in the ACL that controls NAT:

access-list 100 permit ip any any

At a minimum I would change this and specify 10.0.25.0 as the source subnet. Even better would be to change the ACL from an extended access list to a standard access list, which would specify 10.0.25.0 as the source subnet.

 

HTH

 

Rick

 

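A concrete form of the change Rick suggests, written here as an added example and not taken from the thread: the NAT ACL as posted, beside a standard ACL that names only the LAN subnet as the NAT source. The ACL number 10 is an assumption; the interface names and subnet are the ones from the posted config.

```cisco
! As posted: every source address is a candidate for translation,
! not just the LAN behind GigabitEthernet0/0/0.
access-list 100 permit ip any any
ip nat inside source list 100 interface GigabitEthernet0/1/0 overload
!
! Suggested form (added example, ACL number 10 is an assumption):
! a standard ACL that matches only 10.0.25.0/24 as the NAT source.
! 0.0.0.255 is the wildcard mask for a /24.
!
! Clear active translations first, otherwise IOS prompts before it
! will remove a dynamic mapping that is in use.
clear ip nat translation *
no ip nat inside source list 100 interface GigabitEthernet0/1/0 overload
no access-list 100
!
access-list 10 permit 10.0.25.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1/0 overload
!
! Checks after the change:
!   show ip access-lists 10      - match count rises as LAN hosts browse
!   show ip nat translations     - Inside local addresses are all 10.0.25.x
!   ping / ssh to the 84.x.x.x address from outside should now answer,
!   subject to the out-self zone-pair policy already in the config.
```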


I did try this but to no avail.

 

You'll have to forgive me, as I am new to this, but how would changing what gets NATed from inside to out affect my ability to ping my outside interface from outside? I am not trying to ping any of the interior parts of the network, just the outside interface.

 

Cheers


5 Replies


I have seen situations where using permit any any in an ACL to control NAT did create problems with access on the outside interface. I am not sure what caused it, but assume that if the router is configured to translate everything, that impacts its ability to process and respond to ping and SSH. If changing the ACL did not solve the problem, I would suggest removing the NAT statement on the outside interface and seeing if the behavior changes (to see whether this is some kind of NAT issue or some other type of issue).

 

HTH

 

Rick


Made a typo; this worked, but I would still love a brief explanation if you have time :)

 

Thanks a million

Glad to know that there was a typo and that changing the ACL did fix the problem. As I said, I am not sure of the explanation, but I believe that configuring the router to translate "everything" going out the outside interface does impact the ability to process and respond to packets received on the outside interface. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions that have helpful information. These forums are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the forums.

 

HTH

 

Rick
