FAQ-Precautions for Configuring NAT Server on Different Hot Standby Firewalls

Publication Date: 2015-10-31
Issue Description
NAT Server configurations on the USG2000/5000, USG6000, and USG9000 are different. If you configure them incorrectly, services will be affected.
Solution
USG2000/5000 V300R001

You need to bind NAT Server to VRRP if the public IP address of the NAT server and the virtual IP address of the VRRP group reside on the same subnet.

Do not configure this binding if the public IP address of the NAT server and the virtual IP address of the VRRP group reside on different subnets.

Run the nat server [ vpn-instance vpn-instance-name ] zone zone-name protocol { protocol-type | protocol-number } global global-address [ global-port ] inside host-address [ host-port ] [ vrrp virtual-router-id ] [ vpn-instance vpn-instance-name ] command to configure the NAT server.

USG9000 V300R001

Keyword vrrp is used to direct traffic for load balancing in hot standby networking. Recommended configurations are as follows:

a. Active/Standby mode: Do not configure keyword vrrp because only one device forwards traffic at a time.
b. Load balancing mode: Keyword vrrp is not required for most scenarios. The system automatically binds the virtual IP address to the VRRP group with the smallest VRID (the VRRP group must reside on the same subnet as the public IP address of the NAT server) so that the traffic is forwarded by the active device in the VRRP group.

If multiple VRRP groups are available, you can configure keyword vrrp to specify the traffic direction so that the traffic is forwarded by the active device in the specified VRRP group.

USG6000 V100R001

Do not bind VRRP when configuring NAT Server.

USG 6000/9000 V500R001

You need to bind VRRP when configuring NAT Server.
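
The per-platform rules above can be checked against a planned NAT Server entry before it is deployed. The following Python sketch is an added example, not Huawei code: the platform labels mirror the headings on this page, the function names and mode strings are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: VRRP groups as (VRID, virtual IP/prefix) on documentation ranges.
GROUPS = [(3, "203.0.113.2/24"), (2, "198.51.100.1/24"), (1, "203.0.113.1/24")]

def same_subnet_vrids(global_ip, groups):
    """Sorted VRIDs whose virtual-IP subnet contains the NAT Server public IP."""
    addr = ipaddress.ip_address(global_ip)
    return sorted(vrid for vrid, vip in groups
                  if addr in ipaddress.ip_interface(vip).network)

def vrrp_advice(platform, global_ip, groups, mode="active-standby"):
    """Return (action, vrids): action is 'bind', 'omit' or 'optional';
    vrids lists the same-subnet VRRP groups, smallest VRID first."""
    vrids = same_subnet_vrids(global_ip, groups)
    if platform == "USG2000/5000 V300R001":
        # Bind only when the public IP shares a subnet with a VRRP virtual IP.
        return ("bind" if vrids else "omit", vrids)
    if platform == "USG9000 V300R001":
        if mode == "active-standby":
            return ("omit", vrids)
        # Load balancing: vrids[0] is the group the system binds automatically;
        # the keyword only matters for steering traffic to another group.
        return ("optional", vrids)
    if platform == "USG6000 V100R001":
        return ("omit", vrids)
    if platform == "USG6000/9000 V500R001":
        return ("bind", vrids)
    raise ValueError(f"platform not covered by this FAQ: {platform}")

def audit(platform, global_ip, groups, configured_vrid, mode="active-standby"):
    """Check a configured vrrp keyword (a VRID, or None if absent) against the advice."""
    action, _ = vrrp_advice(platform, global_ip, groups, mode)
    if action == "bind" and configured_vrid is None:
        return "missing vrrp binding"
    if action == "omit" and configured_vrid is not None:
        return "unexpected vrrp binding"
    return "ok"
```
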
