USG5500: a second external network exit causes port mapping (NAT server) to fail

Publication Date:  2012-11-24 Views:  243 Downloads:  0
Issue Description
 external network—USG5500—internal network
The customer configured the following port mappings:
nat server 0 global 58.18.168.164 inside 222.31.224.197
nat server 1 protocol tcp global 58.18.168.165 www inside 222.31.224.205 www
nat server 2 zone untrust global 58.18.168.163 inside 222.31.236.62
nat server 3 zone trust global 58.18.168.163 inside 222.31.236.62

ospf 1
default-route-advertise always
area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.0.0 0.0.0.3
  network 192.168.20.0 0.0.0.3
All internal hosts can access the server, but nothing from the external network can. The internal network runs OSPF, and the firewall also advertises a default route into it. The firewall itself can ping the server address. When the server is accessed from the external network, the firewall does create a session; checking the session in both directions shows inbound packets but no outbound (reply) packets:

[USG5500-hidecmd]dis firewall session table verbose_hide both-direction source global 218.17.155.9
20:35:20  2011/09/19
Current Total Sessions : 1
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop: 192.168.0.2  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96
  218.17.155.9:43973-->58.18.168.164:80[222.31.224.197:80]

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  222.31.224.197:80[58.18.168.164:80]-->218.17.155.9:43973
Alarm Information
None.
Handling Process
The problem was located: requests arrive through the firewall, but the server's replies leave through the education network exit, so the connection can never complete. If the network design is not to be changed, this can be solved with inbound-direction source NAT. After inbound source NAT, the external client address is translated to an address from the address pool before the request reaches the server; the server then replies to the pool address, which is reached through the firewall, so the return packets no longer leave through the education network exit. The trade-off is that the server only ever sees the pool address, never the real client address.
Configuration is as follows:
nat-policy interzone trust untrust inbound
policy 0
  action source-nat                      
  address-group 1
Verification:
[USG5500-hidecmd]dis firewall session table destination global  58.18.168.164 destination-port 80
13:08:08  2011/09/23
Current Total Sessions : 16
  59.36.129.90:53727[58.18.168.163:12357]-->58.18.168.164:80[222.31.224.197:80]
  59.36.129.90:52444[58.18.168.163:12261]-->58.18.168.164:80[222.31.224.197:80]
  59.36.129.90:53254[58.18.168.163:12324]-->58.18.168.164:80[222.31.224.197:80]

The source of every session now carries a translated pool address, and access from the external network works normally.
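The one-way session shown under Issue Description and the source-translated sessions in the verification output above are both things you can check by script rather than by eye. The following Python is an added example, not part of the original article or of Huawei's software: it parses the session-table text into records, flags any session with forward packets but zero reply packets, flags a reverse-direction entry whose NextHop is 0.0.0.0, and reports whether the source endpoint carries a translated (bracketed) address, which is the sign that inbound source NAT was applied. The line layout it expects is the one printed on this page (Zone, Interface, packet-counter and flow lines); the two sample tables are constructed from the article's output, and other firmware versions may format the table differently.

```python
"""Parse Huawei USG 'display firewall session table' text and flag sessions whose
return traffic never comes back through the firewall (added example, not Huawei code).
Assumes the line layout shown in the article; other versions may differ."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONE_RE = re.compile(r"Zone:\s*(\S+?)-->\s*(\S+)")
IFACE_RE = re.compile(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)")
COUNTER_RE = re.compile(r"<--packets:(\d+) bytes:\d+\s+-->packets:(\d+) bytes:\d+")
FLOW_RE = re.compile(r"^(\S+)-->(\S+)$")  # src:port[xlat]-->dst:port[xlat], no spaces


@dataclass
class Session:
    flow: str
    src: str
    dst: str
    zones: Tuple[str, str] = ("", "")
    interface: str = ""
    nexthop: str = ""
    reverse_packets: Optional[int] = None  # "<--" counter: replies coming back via the firewall
    forward_packets: Optional[int] = None  # "-->" counter: packets in the session's own direction

    def is_one_way(self) -> bool:
        """Forward packets seen but no replies: the return path bypasses the firewall."""
        return bool(self.forward_packets) and self.reverse_packets == 0

    def has_no_nexthop(self) -> bool:
        """NextHop 0.0.0.0: the firewall never forwarded a packet in this direction."""
        return self.nexthop == "0.0.0.0"

    def source_natted(self) -> bool:
        """A bracketed address on the source side means source NAT was applied."""
        return "[" in self.src


def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    attrs: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_RE.search(line)
        if m:
            attrs = {"zones": (m.group(1), m.group(2))}  # a Zone line opens a verbose record
            continue
        m = IFACE_RE.search(line)
        if m:
            attrs["interface"], attrs["nexthop"] = m.group(1), m.group(2)
            continue
        m = COUNTER_RE.search(line)
        if m:
            attrs["reverse_packets"], attrs["forward_packets"] = int(m.group(1)), int(m.group(2))
            continue
        m = FLOW_RE.match(line)
        if m:  # the flow line closes the record (brief output has only flow lines)
            sessions.append(Session(flow=line, src=m.group(1), dst=m.group(2), **attrs))
            attrs = {}
    return sessions


def diagnose(text: str) -> List[str]:
    """One finding per suspicious session; an empty list means the table looks healthy."""
    findings = []
    for s in parse_sessions(text):
        if s.is_one_way():
            findings.append(f"one-way {s.zones[0]}->{s.zones[1]} session {s.flow}: "
                            f"{s.forward_packets} forward, 0 reply packets; "
                            f"does the server have another exit?")
        if s.has_no_nexthop():
            findings.append(f"no next hop for {s.flow} on {s.interface or '?'}")
    return findings


# Constructed samples, copied from the article's before/after session tables.
BEFORE = """\
Current Total Sessions : 1
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop: 192.168.0.2  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96
  218.17.155.9:43973-->58.18.168.164:80[222.31.224.197:80]

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  222.31.224.197:80[58.18.168.164:80]-->218.17.155.9:43973
"""
AFTER = """\
Current Total Sessions : 3
  59.36.129.90:53727[58.18.168.163:12357]-->58.18.168.164:80[222.31.224.197:80]
  59.36.129.90:52444[58.18.168.163:12261]-->58.18.168.164:80[222.31.224.197:80]
  59.36.129.90:53254[58.18.168.163:12324]-->58.18.168.164:80[222.31.224.197:80]
"""

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose(table) or "no findings",
              [s.source_natted() for s in parse_sessions(table)])
```

Run it on the table captured before and after applying the inbound NAT policy: the first run reports the one-way untrust-to-trust session and the reverse entry with no next hop, the second reports nothing and shows every session source carrying a bracketed pool address.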
Root Cause
Analysis:
1. The first suspicion was an OSPF routing problem, but the firewall also advertises the default route into OSPF (default-route-advertise always), so the internal routers do have a default route via the firewall.
2. The firewall can ping the server and internal hosts can access it, so the mapping itself is correct. What stands out is that "58.18.168.164 inside 222.31.224.197" maps a public address to another public address. On asking the customer, the inside server uses an education network address, and the education network has its own exit. Requests therefore arrive through the firewall, but the server's replies follow its route toward the education network exit instead of returning through the firewall, so the firewall sees only the inbound half of the session (asymmetric routing) and the reverse direction never carries any packets.
Suggestions
When a port mapping does not work and the configuration checks out, also ask the customer whether the internal network has another external exit. If the server's return traffic leaves through that exit instead of the firewall, the firewall sees only one direction of the session, which is exactly the symptom observed here.

END