Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2456
Views
0
Helpful
6
Replies

Unable to ping Ip Nat outside interface in core switch

khaleed00
Level 1
Level 1

‎07-04-2014 06:14 PM - edited ‎03-07-2019 07:56 PM

Hi everybody,

 

I’m having problem with Ip NAT outside in my 6509 switch that connected directly to third party network (ARIS Network) not belonging to us. Please refer to network diagram below. Previously server in DC and DR can’t ping to 57.236.202.115 (according to ARIS Network this is their firewall ip address) but they can ping to 57.236.202.123 Gi1/15 interface in my switch that connected to ARIS Network and they also can ping to 57.1.27.49 in London.

Core Switch Network Diagram

 

The configurations in core switch G08 location at building A:

interface GigabitEthernet1/15

description TO ARIS NETWORK Building A

ip address 57.236.202.123 255.255.255.240

ip nat outside

udld port aggressive

 

ip nat inside source list 103 interface GigabitEthernet1/15 overload

ip route 57.1.27.49 255.255.255.255 57.236.202.115

access-list 103 permit ip 10.10.10.0 0.0.0.255 any

access-list 103 permit ip 10.10.10.0 0.0.0.255 any

 

And in core switch G07 location at building B:

interface GigabitEthernet1/11

description TO ARIS NETWORK Building B

ip address 57.236.202.126 255.255.255.240

ip nat outside

udld port aggressive

 

ip nat inside source list 103 interface GigabitEthernet1/11 overload

ip route 57.1.27.49 255.255.255.255 57.236.202.115

access-list 103 permit ip 10.10.11.0 0.0.0.255 any

access-list 103 permit ip 10.10.10.0 0.0.0.255 any

 

 

With this ACL I can ping to 57.236.202.123(G08 Gi1/15), 57.236.202.126(G07 Gi1/11), 57.236.202.115(ARIS firewall) and also both server in DC and DR.  And ARIS Network can ping to my interface Gi1/15 – 57.236.202.123 and 57.236.202.126.

 

But neither ARIS network nor DC and DR can ping each other. They only can ping up to interface Gi1/15 57.236.202.123 at G08 and Gi1/11 57.236.202.126 at G07

 

One more thing server in DC and DR and ARIS Network can’t do a trace route to 57.236.202.115. When they do a trace route nothing appear except the asterisk symbol all the way.

 

With previous configuration:-

 

Servers DC and DR:

  • Can ping 57.236.202.123
  • Can ping 57.236.202.126
  • Can ping 57.1.27.49

 

What they can’t:-

  • Can’t do trace route from their servers
  • Can’t ping 57.236.202.115

 

To solve this issue I remove the existing ACL 103 and create new ACL 103 in Core switch G08 and Core switch G07 as follows:

 

access-list 103 permit icmp any any echo

access-list 103 permit icmp any any echo-reply

access-list 103 permit icmp any any time-exceeded

access-list 103 permit icmp any any unreachable

access-list 103 permit ip 10.10.10.0 0.0.0.255 host 57.1.27.49 log

access-list 103 permit ip 10.10.11.0 0.0.0.255 host 57.1.27.49 log

access-list 103 permit ip 10.10.10.0 0.0.0.255 57.236.202.0 0.0.0.15 log

access-list 103 permit ip 10.10.11.0 0.0.0.255 57.236.202.0 0.0.0.15 log

access-list 103 permit ip 57.236.202.112 0.0.0.15 57.236.202.112 0.0.0.15 log

 

The result is all servers in DC and DR can ping 57.236.202.123 and 57.236.202.115.

 

On the contrary I can't ping my own interface from at core switch G08.

 

 I still manage to ping:-

  • 57.236.202.126(G07)
  • 57.236.202.115
  • 10.10.10.XX
  • 10.10.11.XX

 

Can’t ping

  • 57.236.202.123

 

However from G07 core switch I still can ping to:-

  • 57.236.202.123
  • 57.236.202.126
  • 57.236.202.115
  • 10.10.10.XX
  • 10.10.11.XX

 

From ARIS Network, they also can’t ping to 57.236.202.123 and still can’t ping to all the servers 10.10.10.XX and 10.10.11.XX at both sites.

 

 

  • Can’t ping 57.236.202.123
  • Can’t ping 10.10.10.XX
  • Can’t ping 10.10.11.XX
  • Can’t do trace route to servers.

 

 

I try to remove ACL - access-list 103 permit icmp any any echo and when I did this, from G08 I can ping:-

 

  • 57.236.202.123
  • 57.236.202.126
  • 57.236.202.115
  • 10.10.10.XX and 10.10.11.XX

 

However servers in DC and DR unable to ping 57.236.202.115 but still manage to ping 57.236.202.123 and 57.1.27.49

 

Hope somebody can help me to resolve this issue. My goal is to permit:

 

ARIS Network:

  • Can ping 10.10.10.XX
  • Can ping 10.10.11.XX
  • Can ping 57.236.202.123 and 126
  • Can do a trace route to both servers in DC and DR

 

Servers DC and DR:

  • Can ping 57.236.202.123
  • Can ping 57.236.202.126
  • Can ping 57.236.202.115
  • Can do trace route to 57.236.202.115

 

G08 and G07:

  • Can ping to all ip address mention above.
Labels:
0 Helpful
6 Replies 6

Vasilii Mikhailovskii
Level 7
Level 7

‎07-05-2014 07:36 AM

Hello.

Could you please hint, why do you us NAT?

Is "ARIS Network" is an Internet, or MPLS (private cloud) service?

If you want ARIS Network to ping your 10.x subnets, then you need just a routing with the AS, not NAT.

0 Helpful

khaleed00
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎07-05-2014 04:31 PM

Hi thanks for responding,

FYI Aris Network is a third party network and is not in our control. They request us to use Ip NAT. ARIS Network is a service provider for baggage information.

Could you please explain further  what do you mean by a routing with the AS?

 

0 Helpful

Vasilii Mikhailovskii
Level 7
Level 7
In response to khaleed00

‎07-06-2014 03:46 AM

Hello.

If ARIS insists on NAT, they won't be able to reach 10.x addresses.

What I can't understand is why do you need to ping your own outside addresses (57.236.202.123 and 57.236.202.126) from inside!!?

Really it seams to me that the only thing you must be concerned of is reachability from DC/DR to ARIS NEtwork and London.

PS: if you had any office in London with similar configuration, I would configure GRE tunnels with native routing and won't worry about ARIS.

0 Helpful

khaleed00
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎07-06-2014 08:11 AM

Hi Vasilii,

So it is not possible for ARIS network to reach 10.10.10.XX and 11.XX address if using Ip NAT?

I need to ping my interface because for troubleshooting purpose. If I can  ping or ARIS can ping my interface 57.236.202.XX meaning the interface is alive and not down. So if there is a problem with network we can reduce troubleshooting time.

Please refer to my first post....Like a mention in my first post...before I change the ACL, I and ARIS can ping to interface 57.236.202.XX after I change the configuration only server can ping to the interface.

We do not have office in London, It is ARIS who have office in London.

0 Helpful

prajithtr_2
Level 1
Level 1

‎07-05-2014 09:55 AM

I think it's not possible to ping from ARIS network to the servers because of the PATconfiguration(if it was static nat we could perform it).from core switch to core switch try extended(with source address) and also check the routing(if it is L3 connectivity) between them.As you told 57.236.202.115 is firewall ip.So firewall may not be sending  icmp reply to the servers,that we need to check with ARIS.

 

Regard

Prajithtr

0 Helpful

khaleed00
Level 1
Level 1
In response to prajithtr_2

‎07-05-2014 05:17 PM

Hi Prajithir,

Thanks for responding,

I asked ARIS network but they told me they don't filter our ip address. I cannot confirm is it true or not because like I mention before ARIS Network is not in our "jurisdiction".frown

I just want make sure that everything is okay in our site so we can start to narrow down the problem.

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card