External Host Cannot Access the HTTP NAT Server

Publication Date: 2012-07-27
Issue Description

As shown in Figure 11-7, the USG is configured with the NAT server. The HTTP server with internal address is mapped to port 80 on of the external network.

The PC at IP address cannot access the HTTP server at IP address

Figure 11-7  NAT server troubleshooting case

Alarm Information
Handling Process
  1. Associate the route from the internal HTTP server to network segment with
  2. Run the display firewall session table command to view NAT session information.
  3. Enter the interface view of the USG and check the current configurations on the interface.
  4. Run the undo nat server protocol tcp global www inside www command to cancel incorrect configurations.
  5. Run the nat server protocol tcp global www inside www command.
Root Cause

The internal server cannot ping through the internal interface of the NAT gateway, but the NAT gateway can ping through the external PC. Therefore, the route on the internal server may be set incorrectly.

In this case, the NAT server may be configured incorrectly. Check the configuration of the NAT server:

nat server protocol tcp global www inside www

The preceding display shows that the configuration is incorrect. Modify it as follows:

nat server protocol tcp global www inside www

Through this case, you can conclude the following:

  • Remember to configure the route from the server in the internal network to the destination network segment.
  • The configuration of the NAT server is very important and errors may easily occur. By viewing session information, you can check whether the mapped address of the internal host is incorrect.
  • Session information is important. With it, you can view NAT information in the normal state and easily locate faults.