External Host Cannot Access the HTTP NAT Server

Publication Date:  2012-07-27 Views:  152 Downloads:  0
Issue Description

As shown in Figure 11-7, the USG is configured with the NAT server. The HTTP server with internal address 10.2.1.2 is mapped to port 80 on 202.99.8.6 of the external network.

The PC at IP address 202.99.8.75 cannot access the HTTP server at IP address 202.99.8.6.

Figure 11-7  NAT server troubleshooting case

Alarm Information
None.
Handling Process
  1. Associate the route from the internal HTTP server to network segment 202.99.8.0/24 with 10.2.1.1.
  2. Run the display firewall session table command to view NAT session information.
  3. Enter the interface view of the USG and check the current configurations on the interface.
  4. Run the undo nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www command to cancel incorrect configurations.
  5. Run the nat server protocol tcp global 202.99.8.6 www inside 10.2.1.2 www command.
Root Cause

The internal server cannot ping through internal interface 10.2.1.1 of the NAT gateway but the NAT gateway can ping through the external PC 202.99.8.75. Therefore, the route on the internal server may be set incorrectly.

In this case, the NAT server may be configured incorrectly. Check the configuration of the NAT server:

nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www

The preceding display shows that the configuration is incorrect. Modify it as follows:

nat server protocol tcp global 202.99.8.6 www inside 10.2.1.2 www
Suggestions

Through this case, you can conclude the following:

  • Remember to configure the route from the Server in the internal network to the destination network segment.
  • The configuration of the NAT server is very important and errors may easily occur. By viewing session information, you can check whether the mapped address of the internal host is incorrect.
  • Session information is important. With it, you can view NAT information in the normal state and easily locate faults.

END