Networking architecture: PC------Eudemon 1000E-U/X-----server
Service description: A NAT Server mapping is configured on the Eudemon 1000E-U/X for an intranet server, and extranet users access the server through that NAT Server mapping.
On the firewall, port mapping is configured as follows. With this configuration, only some Web pages are displayed when users access the server from extranet PCs.
    nat server protocol tcp global 10.228.187.128 18888 inside 10.172.10.99 18888 vrrp 5
    nat server protocol tcp global 10.228.187.128 18443 inside 10.172.10.99 18443 vrrp 5
If full mapping is configured on the firewall instead, users can access the server properly:
    nat server protocol tcp global 10.228.187.128 any inside 10.172.10.99 any vrrp 5
1. After port-based mapping and full mapping have each been configured, check the session table. With full mapping configured, the following bidirectional NAT session is present:
    tcp VPN: public -> public Zone: trust -> trust TTL: 00:00:10 Left: timeout
    Interface: G0/0/0 Nexthop: 10.172.11.249 MAC: 00-00-5e-00-01-17
    <-- packets:12 bytes:2297 --> packets:18 bytes:3680
    10.172.10.99:46915[10.228.187.128:46915]-->10.228.187.128:18888[10.172.10.99:18888]
2. Check whether the PC accesses ports other than 18888 and 18443. Capture packets on the PC. The capture shows that the PC does not access any other port of the server.
3. If the PC does not access other ports of the server, the server itself is accessing other addresses. Capture packets. The capture shows that the server accesses its own global address. In this case, configure intrazone NAT or a NAT Server with full mapping.
2. With full mapping, the server at 10.172.10.99 accesses the address 10.228.187.128 (its own global address). Flows in both directions hit the single NAT Server entry, so bidirectional NAT takes place. With port-based mapping, the source port of the initiator is not 18888, so only the forward NAT (destination translation) is hit. The source address of the packet delivered to the server is therefore still 10.172.10.99, and no response packet is sent because the address requested in the packet was 10.228.187.128 rather than 10.172.10.99. This is why the expected packets are not captured.
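As an added illustration (model code written for this page, not Huawei's implementation), the following Python reproduces the matching behaviour described above: a NAT Server entry is hit in the forward direction when the destination is the global address on the mapped port, and in the reverse direction when the inside server sends from the mapped port. It renders the result in the session-table form quoted earlier, so the port-based and full-mapping cases can be compared directly. Packet, NatServer, session_entry and hairpin_demo are names invented here; the port-80 sample is a constructed value standing for any port that has no mapping.

```python
# Added illustrative model (not Huawei's implementation) of how a NAT Server
# entry is hit in the forward and reverse directions, reproducing the
# session-table entry quoted in the case.
from dataclasses import dataclass, replace
from typing import List, Tuple, Union

ANY = "any"  # stands for the "any" keyword in the full-mapping command


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatServer:
    """One 'nat server protocol tcp global G gp inside I ip' entry."""
    global_ip: str
    global_port: Union[int, str]  # port number, or ANY for full mapping
    inside_ip: str
    inside_port: Union[int, str]

    @staticmethod
    def _port_matches(rule_port: Union[int, str], pkt_port: int) -> bool:
        return rule_port == ANY or rule_port == pkt_port

    def forward_hit(self, pkt: Packet) -> bool:
        # Forward direction: the packet is addressed to the global address
        # on the mapped port (any port for full mapping).
        return (pkt.dst_ip == self.global_ip
                and self._port_matches(self.global_port, pkt.dst_port))

    def reverse_hit(self, pkt: Packet) -> bool:
        # Reverse direction: the packet is sent by the inside server from the
        # mapped port. A server-initiated flow uses an ephemeral source port,
        # so a port-based mapping does not match here.
        return (pkt.src_ip == self.inside_ip
                and self._port_matches(self.inside_port, pkt.src_port))

    def translate(self, pkt: Packet) -> Tuple[Packet, List[str]]:
        """Apply the entry to one packet; return the translated packet and
        the list of directions ("forward", "reverse") that were hit."""
        hits: List[str] = []
        out = pkt
        if self.forward_hit(pkt):
            hits.append("forward")
            port = pkt.dst_port if self.inside_port == ANY else self.inside_port
            out = replace(out, dst_ip=self.inside_ip, dst_port=port)
        if self.reverse_hit(pkt):
            hits.append("reverse")
            port = pkt.src_port if self.global_port == ANY else self.global_port
            out = replace(out, src_ip=self.global_ip, src_port=port)
        return out, hits


def session_entry(before: Packet, after: Packet) -> str:
    """Render the flow the way the firewall session table prints it:
    original[translated] for the source, then for the destination."""
    return (f"{before.src_ip}:{before.src_port}[{after.src_ip}:{after.src_port}]"
            f"-->{before.dst_ip}:{before.dst_port}[{after.dst_ip}:{after.dst_port}]")


# The two configurations from the case.
PORT_MAPPING = NatServer("10.228.187.128", 18888, "10.172.10.99", 18888)
FULL_MAPPING = NatServer("10.228.187.128", ANY, "10.172.10.99", ANY)

# The server (10.172.10.99) opening a connection from ephemeral port 46915 to
# its own global address on port 18888, as in the session table above.
HAIRPIN = Packet("10.172.10.99", 46915, "10.228.187.128", 18888)


def hairpin_demo(entry: NatServer, pkt: Packet = HAIRPIN) -> Tuple[str, List[str]]:
    """Return the session-table line and the directions hit for one packet."""
    translated, hits = entry.translate(pkt)
    return session_entry(pkt, translated), hits


if __name__ == "__main__":
    for name, entry in (("port mapping", PORT_MAPPING), ("full mapping", FULL_MAPPING)):
        line, hits = hairpin_demo(entry)
        print(f"{name:13} hits={hits}")
        print("   ", line)
    # Constructed sample: a service port with no NAT Server entry at all.
    _, hits = hairpin_demo(PORT_MAPPING, replace(HAIRPIN, dst_port=80))
    print(f"port 80 under port mapping: hits={hits}")
```

Under port mapping the source half of the line stays 10.172.10.99:46915 (only the forward direction hit), which is the situation the analysis above describes; under full mapping both directions hit and the line matches the captured session exactly. A port with no entry at all hits nothing, which is why intrazone NAT is needed for services the NAT Server does not map.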
When users access the server from PCs, the server must access some services on itself through the global address of the NAT Server, but the ports of those services have no NAT Server mapping. To resolve this kind of issue, configure intrazone NAT.