1. The public IP address can be pinged, which indicates that the router works normally. After the DNS is set manually, the external network still cannot be pinged. Ping www.baidu.com: the domain name cannot be resolved, so the DNS address cannot be pinged either. This indicates that the data that is sent does not reach the public network. Query the sessions on the USG50: the request packets that are sent are present, but there are no reply packets. This indicates that the firewall works properly.
2. Remove the firewall, connect the PC, and set an IP address on the same network segment as the ingress of the AR28. The external network can be accessed. Reconnect the firewall and perform NAT on it to translate the source address to the address of the egress of the firewall. The external network can be accessed in this case as well. Check the NAT configuration of the AR28: the ACL is configured to allow source addresses on the network segment where the egress of the USG50 resides, but the internal network uses addresses on another network segment. Therefore, the source IP addresses of the internal network cannot be translated into a public IP address to access the external network.
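The check in step 2 can be reproduced offline by evaluating candidate source addresses against the ACL bound to NAT on the router. The following is an added example, not configuration or code from the original case: the ACL number, the rule and all IP addresses are constructed, and the matching logic assumes first-match-wins with unmatched sources left untranslated.

```python
import ipaddress
import re

# Constructed sample: basic ACL bound to NAT on the router (illustrative values).
ROUTER_NAT_ACL = """\
acl number 2000
 rule 5 permit source 10.1.1.0 0.0.0.255
"""

# Constructed sample sources for the three situations described in the steps.
SOURCES = {
    "pc_behind_firewall_no_snat": "192.168.10.20",  # internal segment
    "firewall_egress_after_snat": "10.1.1.2",       # firewall egress address
    "pc_direct_on_router_segment": "10.1.1.50",     # firewall removed
}

RULE_RE = re.compile(
    r"rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?")

def parse_rules(text):
    """Return [(action, base, wildcard)] as integers, in configuration order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        action, addr, wildcard = m.groups()
        if addr == "any":
            rules.append((action, 0, 0xFFFFFFFF))
            continue
        if wildcard in (None, "0"):  # host entry: every bit must match
            wildcard = "0.0.0.0"
        rules.append((action, int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(wildcard))))
    return rules

def is_translated(src, rules):
    """First matching rule decides; a source matching no rule is not translated."""
    s = int(ipaddress.IPv4Address(src))
    for action, base, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (s & care) == (base & care):
            return action == "permit"
    return False

def audit(sources, acl_text):
    """Map each named source to True if the NAT ACL would translate it."""
    rules = parse_rules(acl_text)
    return {name: is_translated(ip, rules) for name, ip in sources.items()}

if __name__ == "__main__":
    for name, ok in audit(SOURCES, ROUTER_NAT_ACL).items():
        print(f"{name}: {'translated' if ok else 'NOT translated'}")
```

Any source reported as not translated leaves the router with a private address, which matches the symptom in step 1 where request packets appear in the firewall session table but no replies return.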