cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
513
Views
0
Helpful
10
Replies

single ping succeeds, all others fail ?

pfrancis3
Level 1
Level 1

Hello,  I have a 2921 router configured with NAT.

All LAN devices can ping out through the router to the internet successfully.

I added a new subnet and allowed it out via the NAT ACL i.e. exactly the same as the other subnets. A host on that subnet can ping the interface fine, but internet pings fail......apart from that I noticed did work.

Does this perhaps suggest a NAT problem ?

What does a single ping success, with dozens/hundreds of failures suggest ?

Thanks for any help.

10 Replies 10

Philip D'Ath
VIP Alumni
VIP Alumni

Could be NAT could be routing.  Could you post your config?

thank you for your assistance.The IP of the host on the new subnet that cannot connect out to the internet is 10.1.29.24.

 Here is the config:

!
! Last configuration change at 15:34:03 NZST Tue Apr 5 2016 by
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.153-3.M5.bin
boot-end-marker
!
!
logging buffered 128000 informational
logging rate-limit 50
enable secret 4
!
aaa new-model
!
!
aaa authentication login sslvpn group radius local
!
!
!
!
!
aaa session-id common
clock timezone NZST 12 0
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
!
!
!
!
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name xxxx
ip inspect udp idle-time 120
ip inspect name IN tcp
ip inspect name IN udp
ip inspect name IN icmp
ip inspect name IN ftp
ip inspect name IN dns
ip inspect name IN ntp
ip inspect name OUT ftp
ip inspect name OUT tcp
ip inspect name OUT dns
ip inspect name OUT udp
ip inspect name OUT icmp
ip inspect name OUT ntp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 serial-number
 subject-name CN=firewallcx-certificate
 revocation-check crl
 rsakeypair my-rsa-keys
!
crypto pki trustpoint xxxxx
 enrollment terminal
 fqdn none
 subject-xxxxxxx
 revocation-check crl
 rsakeypair xxxxx
!
!
crypto pki certificate chain my-trustpoint
 certificate self-signed 01
xxxxxE2CB0FEE DDA2AD46 FD25C731 0D5B7022
  DA247619 CED95E52 53A5ED49 82
        quit
crypto pki certificate chain vpn.nz.xxxx
 certificate 0CCDD5BB5D042C1A69757568ACDC9974
  xxxxx
          quit
license udi pid CISCO2921/K9 sn xxx
!
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group service EVERYONE
 tcp eq ftp
 tcp eq ftp-data
!
object-group service LYNC
 tcp range 50040 50059
 tcp eq 5223
 udp range 50000 50039
 tcp eq 5721
 icmp
 udp eq 3478
!
object-group network OFFICE365-SERVERS
 x.x.x.x
!
object-group network SERVERS
 range x.x.x.x 
 range x.x.x.x 
 host x.x.x.x
 host x.x.x.x
 10.19.10.0 255.255.255.0
 host x.x.x.x
 10.1.0.0 255.255.0.0
!
!
redundancy
!
!
!
!
!
ip ssh logging events
!
!
crypto vpn anyconnect flash0:/webvpn/anyconnect-win-4.1.02011-k9.pkg sequence 1
crypto isakmp keepalive 10
!
!
!
!
!
!
crypto ipsec client ezvpn ez
 connect auto
 group xxxxx
 local-address GigabitEthernet0/0
 mode network-extension
 peer 182.16.153.66
 username xxxxx
 xauth userid mode local
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNET-UFB
 ip address x.x.x.x 255.255.255.240 secondary
 ip address x.x.x.x 255.255.255.254
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect IN in
 ip inspect OUT out
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn ez
!
interface GigabitEthernet0/1
 description LAN
 ip address x.x.x.x 255.255.255.0
 ip access-group INSIDE in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect IN in
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn ez inside
!
interface GigabitEthernet0/1.25
 encapsulation dot1Q 25
 ip address 172.16.25.250 255.255.255.0
 ip access-group MNZ_WLAN in
 ip helper-address x.x.x.x
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect IN in
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 description ROUTED DMZ VLAN55
 ip address 172.16.29.254 255.255.255.0
 ip access-group DMZ in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect IN in
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip address 10.1.20.1 255.255.255.0
!
router bgp 65414
 bgp router-id x.x.x.x
 bgp log-neighbor-changes
 !
 scope global
  neighbor x.x.x.x remote-as 65414
  neighbor x.x.x.x timers 10 30
  !
  address-family ipv4
   network 10.1.20.0 mask 255.255.255.0
   network 10.2.2.0 mask 255.255.255.0
   network x.x.x.x mask 255.255.255.0
   network 172.16.25.0 mask 255.255.255.0
   network 172.16.29.0 mask 255.255.255.0
   neighbor x.x.x.x activate
   neighbor x.x.x.x next-hop-self
   neighbor x.x.x.x default-originate
   maximum-paths 4
   auto-summary
  !
 !
!
ip local pool webvpn-pool 10.1.20.2 10.1.20.254
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint my-trustpoint
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export version 5 origin-as
ip flow-export destination x.x.x.x 9996
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source list NAT_ALLOWED interface GigabitEthernet0/0 overload
ip nat inside source static tcp x.x.x.x 25 x.x.x.x 25 extendable
ip nat inside source static tcp 172.16.29.1 80 x.x.x.x 80 extendable
ip nat inside source static tcp 172.16.29.1 443 x.x.x.x 443 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.2.0.0 255.255.0.0 141.202.179.250
ip route 172.16.25.0 255.255.255.0 141.202.179.239
ip route 172.16.100.0 255.255.255.0 141.202.179.250
ip route x,x,x,x 255.255.255.255 x.x.x.x permanent
!
ip access-list extended DMZ
 permit icmp any any
 permit ip host 172.16.29.1 any
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any eq ftp any
 permit tcp any eq ftp-data any
 permit ip any 172.16.27.0 0.0.0.255
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any x.x.x.x 0.0.0.255
 permit ip any 172.16.100.0 0.0.0.255
ip access-list extended INSIDE
 permit ip object-group SERVERS any
 permit ip any object-group OFFICE365-SERVERS
 permit object-group LYNC any any
 permit tcp any any eq ftp
 permit ip host x.x.x.x any
 permit ip any host 172.16.29.1
 permit ip any host x.x.x.x
 permit ip any 172.16.27.0 0.0.0.255
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any x.x.x.x 0.0.0.255
 permit ip host x.x.x.x any
 permit ip any 172.16.0.0 0.0.15.255
 permit icmp any any
ip access-list extended WLAN
 permit icmp any any
 permit ip any object-group OFFICE365-SERVERS
 permit object-group LYNC any any
 permit ip any host 172.16.29.1
 permit tcp any any eq ftp
 permit ip any 172.16.0.0 0.0.15.255
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 172.16.27.0 0.0.0.255
 permit ip any x.x.x.x 0.0.0.255
 permit ip any x.x.x.x 0.0.0.255
 permit udp any any eq bootpc
 permit udp any any eq bootps
 deny   ip any any log-input
ip access-list extended NAT_ALLOWED
 deny   ip x.x.x.x.0 0.0.0.255 172.16.30.0 0.0.0.255
 deny   ip x.x.x.x 0.0.0.255 172.16.30.0 0.0.0.255
 deny   ip 172.16.27.0 0.0.0.255 172.16.30.0 0.0.0.255
 deny   ip x.x.x.x 0.0.0.255 172.16.27.0 0.0.0.255
 deny   ip 172.16.29.0 0.0.0.255 172.16.27.0 0.0.0.255
 deny   ip 172.16.25.0 0.0.0.255 172.16.27.0 0.0.0.255
 deny   ip x.x.x.x 0.0.0.255 141.204.1.0 0.0.0.255
 deny   ip 172.16.29.0 0.0.0.255 141.204.1.0 0.0.0.255
 deny   ip 172.16.25.0 0.0.0.255 141.204.1.0 0.0.0.255
 deny   ip x.x.x.x 0.0.0.255 172.16.100.0 0.0.0.255
 deny   ip 172.16.29.0 0.0.0.255 172.16.100.0 0.0.0.255
 deny   ip 172.16.25.0 0.0.0.255 172.16.100.0 0.0.0.255
 deny   ip x.x.x.x 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.29.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.25.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip x.x.x.x 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.29.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.25.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip x,x,x,x 0.0.0.255 any
 permit ip 172.16.25.0 0.0.0.255 any
 permit ip 172.16.29.0 0.0.0.255 any
 permit ip 10.2.2.0 0.0.0.255 any
 permit ip 10.19.10.0 0.0.0.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.27.0 0.0.0.255 any
ip access-list extended OUTSIDE
 permit tcp any host x.x.x.x eq smtp
 permit icmp any any
 permit ip host x.x.x.x any
 permit ip host x.x.x.x any
 permit tcp any host 172.16.29.1 eq www
 permit tcp any host 172.16.29.1 eq 443
 permit tcp any host x.x.x.x eq smtp
 permit tcp any host x.x.x.x eq www
 permit tcp any host x.x.x.x eq 443
!
ip sla auto discovery
ip sla 1
 icmp-echo 8.8.8.8
 request-data-size 60
 tag PING-GOOGLE-DNS
 frequency 300
ip sla schedule 1 life forever start-time now
ip sla 3
 icmp-echo x.x.x.x
 tag PING-VODAFONE-ROUTER-x.x.x.x
 frequency 30
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo x.x.x.x
  frequency 30
ip sla schedule 4 life forever start-time now
ip sla 5
 icmp-echo 10.19.10.13
 tag PING-VODAFONE-VRF-10.19.10.13
 frequency 30
ip sla schedule 5 life forever start-time now
logging history size 250
logging history errors
logging trap notifications
logging origin-id hostname
logging facility local6
logging host x.x.x.xx
!
!
snmp-server community ssdc-customer RO 11
snmp-server ifindex persist
access-list 9 permit x.x.x.x
access-list 9 permit x.x.x.x
access-list 9 permit x.x.x.x
access-list 9 remark SSH access
access-list 9 permit 172.16.100.0 0.0.0.255
access-list 9 permit 172.16.101.0 0.0.0.255
access-list 9 permit x.x.x.x 0.0.0.255
access-list 9 permit 10.19.10.0 0.0.0.255
access-list 9 permit 10.1.20.0 0.0.0.255
access-list 11 remark SNMP access
access-list 11 permit x.x..xx
access-list 11 permit x.x.x.x
access-list 11 permit x.x.x.x
access-list 11 permit x.x.x.x
access-list 11 permit x.x.x.x 0.0.0.255
access-list 11 permit 172.16.100.0 0.0.0.255
access-list 11 permit 172.16.101.0 0.0.0.255
access-list 11 permit 10.19.10.0 0.0.0.255
access-list 51 remark test
access-list 51 permit any log
access-list 99 permit 172.16.100.0 0.0.0.255 log
access-list 99 permit 172.16.101.0 0.0.0.255 log
access-list 99 permit x.x.x.x 0.0.0.255 log
access-list 99 deny   any log
access-list 110 remark cVPN
access-list 110 permit ip x.x.x.x 0.0.0.255 172.16.30.0 0.0.0.255
access-list 110 permit ip x.x.x.x 0.0.0.255 172.16.30.0 0.0.0.255
access-list 110 permit ip 172.16.27.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 111 remark NO_NAT
access-list 111 permit ip x.x.x.x 0.0.0.255 172.16.30.0 0.0.0.255
access-list 111 permit ip x.x.x.x 0.0.0.255 172.16.30.0 0.0.0.255
access-list 121 permit ip x.x.x.x 0.0.0.255 any
access-list 121 permit ip 172.16.25.0 0.0.0.255 any
access-list 121 permit ip 172.16.29.0 0.0.0.255 any
access-list 123 permit tcp any any eq smtp log
access-list 123 permit ip any any
radius-server host 172.16.27.10 key 7 110411041B1E5A5E57
radius-server host x.x.x.x0 key 7 05060E0E2D401F5B4A
radius-server host x.x.x.x key 7 12140D161E075D5679
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 password 7 082C444F0515544541
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 9 in
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp server x.x.x.x
ntp server x.x.x.x
!
!
webvpn gateway Cisco-WebVPN-Gateway
 ip address x.x.x.x port 443
 ssl trustpoint vpn.nz.xxxxx
 inservice
 !
webvpn gateway xxxx-AnyConnect-Gateway
 ssl trustpoint xxxx
 no inservice
 !
webvpn context Cisco-WebVPN
 title "AnyConnect VPN"
 !
 acl "ssl-acl"
   permit ip 10.1.20.0 255.255.255.0 x.x.x.x 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 172.16.25.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.1.76.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.1.77.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.1.78.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 172.16.27.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.180.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.20.59.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.1.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.0.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.4.48.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.1.20.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 10.19.10.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 x.x.x.x 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 172.16.100.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.10.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.11.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.20.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.21.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.22.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.23.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.24.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.25.0 255.255.255.0
   permit ip 10.1.20.0 255.255.255.0 192.168.100.0 255.255.255.0
 login-message "WebVPN login"
 virtual-template 1
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc default-domain "nz.ltd"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 10.1.20.0 255.255.255.0
   svc split include x.x.x.x 255.255.255.0
   svc split include 172.16.25.0 255.255.255.0
   svc split include 10.1.76.0 255.255.255.0
   svc split include 10.1.77.0 255.255.255.0
   svc split include 10.1.78.0 255.255.255.0
   svc split include 172.16.27.0 255.255.255.0
   svc split include 192.168.180.0 255.255.255.0
   svc split include 10.20.59.0 255.255.255.0
   svc split include 192.168.1.0 255.255.255.0
   svc split include 192.168.0.0 255.255.255.0
   svc split include 10.4.48.0 255.255.255.0
   svc split include 10.19.10.0 255.255.255.0
   svc split include x.x.x.x 255.255.255.0
   svc split include 192.168.10.0 255.255.255.0
   svc split include 192.168.11.0 255.255.255.0
   svc split include 192.168.20.0 255.255.255.0
   svc split include 192.168.21.0 255.255.255.0
   svc split include 192.168.22.0 255.255.255.0
   svc split include 192.168.23.0 255.255.255.0
   svc split include 192.168.24.0 255.255.255.0
   svc split include 192.168.25.0 255.255.255.0
   svc split include 192.168.100.0 255.255.255.0
   svc dns-server primary 172.16.27.10
   svc dns-server secondary x.x.x.x
 default-group-policy webvpnpolicy
!
end

Which is the existing subnet that works, and which is the new one that does not work properly?

Hello, I have confirmed that NAT is failing for my host 10.1.29.24 when it pings out to the internet i.e. it's pings are arriving at the internet destination with a source address of it's original address 10.1.29.24.

An example of a subnet that can connect out and get NATted correctly is 10.19.10.0 255.255.255.0

So,even when I explicity add the host address to the NAT_ALLOWED ACL, it still fails to NAT. Do I have to disable that access list and reapply it if I add an entry to it ?

Thank you kindly for any assistance.

The access list "NAT_ALLOWED" needs a permit to allow this netblock.

ip access-list extended NAT_ALLOWED
permit ip 10.1.29.0 0.0.0.255 any

yes, I added that line exactly to the NAT_ALLOWED ACL however still not difference. Can I make live changes to this ACL or do I have to disable it then re-apply it for the change to have any effect ?

Also, there was already a rule in the NAT_ALLOWED ACL which should have allowed my new subnet 10.1.29.0/24 without any additions. That rule was 'permit ip 10.0.0.0 0.255.255.255 any'.

Is this a directly connected subnet, or a remote network?

Are you sure none of the existing deny entries match this traffic?

Hello, it is a remote subnet.

Yes I can confirm no other ACL entries are blocking it.

I just ran a long continuous ping and 3% succeeded, 97% failed.

Thank you for your help.

Which interface is it being routed via?

Can you ping the nearest interface in this router without issue?

If you do a "show ip route 10.1.29.0" does it show just a single path?

Does the remote subnet have only a single path to this router?

thanks for helping Philip.

LAN traffic is coming in via Ge0/1. Yes I can ping the nearest interface without issue. Yes, there is a single route path only. Yes the remote subnet does only have a single path to the router.

The problem is definitely with NAT because I have pinged out to another device on the internet and can see the pings coming in still with the LAN source address of 10.1.29.24 so NAT is just not working with this subnet. A really strange issue. To makes things ever stranger, I find that approx. 1% of pings are succeeding i.e NAT is working 1% of the time.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: