NAT issue Can't ping but Can SSH?

Routing & Switching IP Routing
1

Hello All,
I have a configuration issue with one router only. A Cisco 4331. All of the other routers that have the same NAT policies and access-lists are Cisco 2911s. I’m not sure if this is a version issue or something with the configurations. The 2911’s can be reached by my desktop IP 10.0.55.86/23 , but I cannot reach the 4331. I can ping from the 2911’s and 4331 to my desktop. I can SSH to the 4331 but cannot ping from desktop. I’ve attached both configs. Any guidance is greatly appreciated.

-Adam

                                                                 2911 Config Below

Router# show run
Building configuration...

Current configuration : 11071 bytes
!
! Last configuration change at 18:37:41 est Wed Jan 16 2019
!
version 15.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
!
aaa session-id common
clock timezone est -5 0
clock summer-time edt recurring
!
no ip domain lookup
ip cef
no ipv6 cef
!

interface Loopback0
 description Router
 ip address 10.28.0.113 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Loopback1
 ip address 10.28.76.1 255.255.255.0
!
interface Tunnel434
 no ip address
 ip nat outside
 no ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
  ip address 10.15.1.250 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed 100
!
interface GigabitEthernet0/1
  no ip address
 duplex full
 speed 10
 rj45-auto-detect-polarity disable
 no cdp enable
!
interface GigabitEthernet0/1.621
  bandwidth 5000
 encapsulation dot1Q 621
 ip address 10.28.0.117 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 no cdp enable
 
!
interface GigabitEthernet0/1.1592
  bandwidth 5000
 encapsulation dot1Q 1592
 ip address 10.28.0.125 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 no cdp enable
 
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 description Internal switch interface connected to Service Module
 no ip address
!

interface Vlan1
 no ip address
 shutdown
!
interface Async0/0/0
 no ip address
 encapsulation slip
 shutdown
!
!
!
router eigrp 10
 network 10.28.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0
 eigrp stub connected
!
ip nat pool AOC-WAN 10.28.76.5 10.28.76.5 prefix-length 24
ip nat inside source list 101 pool AOC-WAN overload
ip nat inside source static 10.15.1.30 10.28.76.41
ip nat inside source static 10.15.1.32 10.28.76.42
ip nat inside source static 10.15.1.33 10.28.76.43
ip nat inside source static 10.15.1.34 10.28.76.44
ip nat inside source static 10.15.1.35 10.28.76.45
ip nat inside source static 10.15.1.36 10.28.76.46
ip nat inside source static 10.15.1.37 10.28.76.47
ip nat inside source static 10.15.1.38 10.28.76.48
ip nat inside source static 10.15.1.31 10.28.76.49

 
 
access-list 101 permit tcp 10.15.1.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 102 permit tcp 10.15.1.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 102 permit tcp 10.15.1.0 0.0.0.255 host 172.16.1.25 range 2000 3000



Gateway of last resort is 10.28.0.126 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.28.0.126
      10.0.0.0/8 is variably subnetted, 2612 subnets, 10 masks
D        10.0.0.0/13 

                                                               4331 Config below

Router#show run
Building configuration...


Current configuration : 11940 bytes
!
version 15.5
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model!
!
!
aaa session-id common
clock timezone est -5 0
clock summer-time EST recurring
!

no ip domain lookup
ip domain name abc.com
no ip dhcp use vrf connected
ip dhcp excluded-address 10.14.33.1 10.14.33.248
!
ip dhcp pool for-video-only
 import all
 network 10.14.33.0 255.255.255.0
 domain-name abc.com
 dns-server 10.0.16.34 10.0.16.35 10.0.2.36
 netbios-name-server 10.0.3.92 10.0.3.93
 default-router 10.14.33.1
 lease 7!
!
interface Loopback0 
 ip address 10.14.0.57 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Loopback1
 ip address 10.14.32.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1390
 ip policy route-map clear-df
!
interface GigabitEthernet0/0/0 
 ip address 172.20.18.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip access-group 103 in
 negotiation auto
!
interface GigabitEthernet0/0/1 
 no ip address
 speed 10
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/1.67 
 bandwidth 10000
 encapsulation dot1Q 67
 ip address 10.14.0.69 255.255.255.252
 ip nat outside
 no cdp enable s
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.115 
 bandwidth 5000
 encapsulation dot1Q 115
 ip address 10.14.0.73 255.255.255.252
 ip nat outside
  ip virtual-reassembly
!
interface GigabitEthernet0/0/2
 description Fiber to Sw1-ten1/0/2
 ip address 10.14.33.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1390
 ip policy route-map clear-df
 shutdown
!
!
router eigrp 10
 network 10.14.0.0 0.0.255.255
 passive-interface GigabitEthernet0/0/0
 eigrp stub connected
!
ip nat pool AOC-WAN 10.14.32.5 10.14.32.5 prefix-length 24
ip nat inside source static 172.20.18.33 10.14.32.41
ip nat inside source static 172.20.18.34 10.14.32.42
ip nat inside source static 192.168.163.43 10.14.32.43
ip nat inside source static 172.20.18.36 10.14.32.44
ip nat inside source static 172.20.18.37 10.14.32.45
ip nat inside source static 172.20.18.38 10.14.32.60
ip nat inside source static 172.20.18.39 10.14.32.61
ip nat inside source static 172.20.16.40 10.14.32.62
ip nat inside source list 101 pool AOC-WAN overload



ip route 172.20.16.0 255.255.255.0 172.20.18.1
ip route 192.168.163.0 255.255.255.0 172.20.18.1

!
!

!
l
access-list 101 permit ip 192.168.163.0 0.0.0.255 host 172.16.1.27
access-list 101 permit ip 172.20.16.0 0.0.0.255 host 172.16.1.27
access-list 101 permit ip 172.20.18.0 0.0.0.255 host 172.16.1.27
access-list 101 permit icmp any any

access-list 101 permit ip 192.168.163.0 0.0.0.255 host 172.16.1.25
access-list 101 permit ip 172.20.16.0 0.0.0.255 host 172.16.1.25
access-list 101 permit ip 172.20.18.0 0.0.0.255 host 172.16.1.25
access-list 103 permit tcp 192.168.163.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 103 permit tcp 192.168.163.0 0.0.0.255 host 172.16.1.25 range 2000 3000
access-list 103 permit tcp 172.20.16.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 103 permit tcp 172.20.16.0 0.0.0.255 host 172.16.1.25 range 2000 3000
access-list 103 permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 103 permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.25 range 2000 3000
access-list 103 permit tcp 192.168.6.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 103 permit tcp 192.168.6.0 0.0.0.255 host 172.16.1.25 range 2000 3000
access-list 103 permit tcp 172.20.18.0 0.0.0.255 host 172.16.1.27 eq 992
access-list 103 permit tcp 172.20.18.0 0.0.0.255 host 172.16.1.25 range 2000 3000
access-list 103 permit icmp any any
!

!
!Gateway of last resort is 10.14.0.70 to network 0.0.0.0

D*EX  0.0.0.0/0 [170/307481] via 10.14.0.70, 2d15h, GigabitEthernet0/0/1.67
      10.0.0.0/8 is variably subnetted, 2608 subnets, 10 masks

ping 10.0.55.86
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.55.86, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/12 ms
2

Hello Adam

It’s not readily apparent from the configurations why you are able to SSH but unable to ping to the 4331. What we can conclude is that since you are able to SSH to the 4331 device, routing between your desktop and the device is correct.

Steps you can take to investigate why this is taking place include:

  1. Are you able to ping the 4331 device from any other location? From the 2911s?
  2. Which IP address are you pinging on the 4331 ? The ping from the 4331 router to your desktop may be using another interface to perform the echo request. Are you able to ping any IP addresses of the 4331 from your desktop?
  3. Can you perform a traceroute to see if the pings are being blocked somewhere before they reach the 4331?

One more question: is everything else working correctly?

Let us know about your results so we can further aid you in your troubleshooting.

I hope this has been helpful!

Laz