Oyurttas
asked on
cisco one way nat issue
Hello, we just purchased a company that has an internal IP address range of 38.185.126.0/24 (I know it's public, but they use it inside). We have a 3 MB MPLS connection going to them from our core (192.168.1.0 inside network & serial interface using 172.32.254.174/30).
Hosts on their network (38.185.126.0) cannot ping a natted IP to our Citrix CSG inside (192.168.1.151) even though it is natted to 38.185.126.201
can someone please give a look at this config for me and see if I'm missing something?
Thanks,
controller T1 0/2/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description <<inbound T1 MPLS 1>>
!
controller T1 0/2/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description <<inbound T1 MPLS 2>>
!
!
class-map match-any voice-signaling
match access-group 102
class-map match-any voice-stream
match access-group 101
class-map match-any match-voip
match access-group 101
!
!
policy-map MPLS
class voice-stream
priority percent 50
set ip dscp af21
class voice-signaling
bandwidth percent 5
class class-default
fair-queue
policy-map mark-voip
class match-voip
set dscp ef
!
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Multilink1
bandwidth 3072000
ip address 172.32.254.174 255.255.255.252
ip nat outside
ip virtual-reassembly
ip route-cache flow
ppp multilink
ppp multilink group 1
service-policy output MPLS
!
interface FastEthernet0/0
ip address 192.168.224.1 255.255.255.240 secondary
ip address 38.185.126.99 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0:0
description <<1st T1 MPLS in from L3>>
no ip address
encapsulation ppp
ip route-cache flow
ppp multilink
ppp multilink group 1
!
interface Serial0/2/1:0
description <<2nd T1 MPLS in from L3>>
no ip address
encapsulation ppp
ip route-cache flow
ppp multilink
ppp multilink group 1
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor 172.32.254.173 remote-as 1
neighbor 172.32.254.173 soft-reconfiguration inbound
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 38.155.211.0 255.255.255.0 38.185.126.1
ip route 38.185.126.0 255.255.255.0 38.185.126.1
ip route 192.168.4.0 255.255.255.0 38.185.126.1
ip route 192.168.8.0 255.255.255.0 38.185.126.1
!
ip flow-export source Multilink1
ip flow-export version 5
!
no ip http server
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 120
ip nat source static 38.185.126.201 192.168.1.151
ip nat inside source list 105 interface Multilink1 overload
!
access-list 105 permit ip 38.185.126.0 0.0.0.255 any
ASKER
Hello. I worked with Cisco to figure it out. If you would like the config, I'll post it. Thank you.
Was it a change in the above NAT config? You may as well post it for posterity.
ASKER
interface Loopback0
no ip address
!
interface Multilink1
bandwidth 3072000
ip address 172.32.254.174 255.255.255.252
ip nat inside
ip virtual-reassembly
ip route-cache flow
ppp multilink
ppp multilink group 1
service-policy output MPLS
!
interface FastEthernet0/0
ip address 38.185.126.99 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/2/0:0
description <<1st T1 MPLS in from L3>>
no ip address
encapsulation ppp
ip route-cache flow
ppp multilink
ppp multilink group 1
!
interface Serial0/2/1:0
description <<2nd T1 MPLS in from L3>>
no ip address
encapsulation ppp
ip route-cache flow
ppp multilink
ppp multilink group 1
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
redistribute connected
redistribute static route-map IPOOL
neighbor 172.32.254.173 remote-as 1
neighbor 172.32.254.173 soft-reconfiguration inbound
no auto-summary
!
ip route 38.155.211.0 255.255.255.0 38.185.126.1
ip route 38.185.126.0 255.255.255.0 38.185.126.1
ip route 192.168.4.0 255.255.255.0 38.185.126.1
ip route 192.168.7.0 255.255.255.0 FastEthernet0/0
ip route 192.168.8.0 255.255.255.0 38.185.126.1
!
ip flow-export source Multilink1
ip flow-export version 5
!
no ip http server
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 120
ip nat pool IPOOL 192.168.7.2 192.168.7.254 netmask 255.255.255.0
ip nat outside source list 102 pool IPOOL
!
!
ip prefix-list IPOOL seq 5 permit 192.168.7.0/24
access-list 102 permit ip 38.185.126.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 38.155.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 38.185.126.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 38.155.211.0 0.0.0.255
access-list 105 permit ip 38.185.126.0 0.0.0.255 any
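As an added aid that is not part of the thread (and not from Cisco), the script below reads trimmed excerpts of the two configs posted above and flags two things a reviewer can see in them: the original mixes an NVI-style `ip nat source static` rule, which only acts on interfaces marked `ip nat enable`, with classic `ip nat inside`/`ip nat outside` interfaces, and the posted fix redistributes with `route-map IPOOL` while only a prefix-list named IPOOL is defined. The excerpts are constructed from the NAT-relevant lines of the configs in the thread.

```python
import re
# Constructed excerpts (NAT-relevant lines only) of the two configs posted in this thread.
BEFORE = """\
interface Multilink1
 ip nat outside
interface FastEthernet0/0
 ip nat inside
ip nat source static 38.185.126.201 192.168.1.151
ip nat inside source list 105 interface Multilink1 overload
access-list 105 permit ip 38.185.126.0 0.0.0.255 any
"""
AFTER = """\
interface Multilink1
 ip nat inside
interface FastEthernet0/0
 ip nat outside
 redistribute static route-map IPOOL
ip nat pool IPOOL 192.168.7.2 192.168.7.254 netmask 255.255.255.0
ip nat outside source list 102 pool IPOOL
ip prefix-list IPOOL seq 5 permit 192.168.7.0/24
access-list 102 permit ip 38.185.126.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def check_nat(config):
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # Classic NAT marks interfaces "ip nat inside/outside" and uses "ip nat inside|outside source"
    # rules; NVI NAT marks interfaces "ip nat enable" and uses "ip nat source" rules, which never
    # fire on interfaces that only carry inside/outside.
    domain_ifaces = any(ln in ("ip nat inside", "ip nat outside") for ln in lines)
    nvi_ifaces = any(ln == "ip nat enable" for ln in lines)
    nvi_rules = [ln for ln in lines if ln.startswith("ip nat source ")]
    domain_rules = [ln for ln in lines if re.match(r"ip nat (inside|outside) source ", ln)]
    if nvi_rules and domain_ifaces and not nvi_ifaces:
        findings.append("nvi-rule-without-ip-nat-enable: " + nvi_rules[0])
    if nvi_rules and domain_rules:
        findings.append("mixed-nvi-and-domain-nat")
    # Every ACL, pool or route-map that a NAT or redistribute line names must be defined.
    def defined(pat):
        return {m.group(1) for m in (re.match(pat, ln) for ln in lines) if m}
    refs = ((r" source list (\S+)", defined(r"access-list (\S+) "), "access-list"),
            (r"\bpool (\S+)", defined(r"ip nat pool (\S+) "), "pool"),
            (r"\broute-map (\S+)", defined(r"route-map (\S+)"), "route-map"))
    for ln in lines:
        if ln.startswith(("access-list", "ip nat pool", "route-map")):
            continue  # definition lines, not references
        for pat, names, kind in refs:
            m = re.search(pat, ln)
            if m and m.group(1) not in names:
                findings.append("undefined-%s: %s" % (kind, m.group(1)))
    return findings
```

Run `check_nat(BEFORE)` and `check_nat(AFTER)` to see the findings for each config; an empty list means nothing was flagged.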
ASKER CERTIFIED SOLUTION
Also, the output of
sho ip nat translations
You can also do a debug of that nat and post the output here:
conf t
access-list 1 permit 192.168.1.151
access-list 1 permit 38.185.126.201
end
debug ip nat 1 detailed