After PBR Is Configured on an AR2240 Router's Intranet Interface, Intranet Users Cannot Access the Internal Server Using the Server's Public IP Address

Publication Date: 2015-11-19
Issue Description
When PBR is configured on the AR2240 router's intranet interface GE0/0/0, HostA cannot access the internal server using the server's public IP address 112.64.180.10, but can access the server through that public IP address as soon as the PBR configuration is deleted.

Alarm Information
Ping the public IP address of the server from HostA. The ping operation fails.
Handling Process
Step 1 Run the display current-configuration command to check the configuration. The command output shows that traffic from intranet users to the public IP address 112.64.180.10 is not redirected in the PBR configuration.

#
acl number 2000
 rule 10 permit source 192.168.0.0 0.0.0.255
acl number 2999
 rule 5 permit
acl number 3001
 rule 11 permit ip source 192.168.0.0 0.0.255.255 destination 112.64.180.10 0
#
traffic classifier vlan11 operator or
 if-match acl 3001
traffic classifier vlan10 operator or
 if-match acl 2000
#
traffic behavior vlan11
traffic behavior vlan10
 redirect ip-nexthop 112.64.180.9
#
traffic policy vlan10
 classifier vlan11 behavior vlan11
 classifier vlan10 behavior vlan10
#
interface GigabitEthernet0/0/0
 ip address 172.16.100.1 255.255.255.0
 traffic-policy vlan10 inbound
 nat server protocol tcp global interface GigabitEthernet0/0/2 www inside 192.168.0.140 www
#
interface GigabitEthernet0/0/2
 description LianTong
 ip address 112.64.180.10 255.255.255.252
 nat server protocol tcp global current-interface www inside 192.168.0.140 www
 nat outbound 2999

Step 2 Analyze the ping operation from HostA to the server.

Phase 1: HostA sends data to the server.

Source          Destination     Comment
192.168.1.100   112.64.180.10   //Packet as sent by HostA.
192.168.1.100   192.168.0.140   //GE0/0/0 translates the public IP address 112.64.180.10 to the private IP address 192.168.0.140 based on the NAT flow table.
172.16.100.1    192.168.0.140   //GE0/0/0 translates the private IP address 192.168.1.100 to the public IP address 172.16.100.1 based on the NAT flow table.

Phase 2: The server sends data to HostA.

Source          Destination     Comment
192.168.0.140   172.16.100.1    //The traffic does not match ACL 3001 (classifier vlan11, no redirect) but does match ACL 2000 (classifier vlan10), so it is redirected to next hop 112.64.180.9 instead of being forwarded to HostA.
192.168.0.140   192.168.1.100   //GE0/0/0 translates the public IP address 172.16.100.1 to the private IP address 192.168.1.100 based on the NAT flow table.
112.64.180.10   192.168.1.100   //GE0/0/0 translates the private IP address 192.168.0.140 to the public IP address 112.64.180.10 based on the NAT flow table.

----End
Root Cause
When the server sends data to HostA (source 192.168.0.140, destination 172.16.100.1), the traffic does not match ACL 3001, which classifier vlan11 uses to exempt traffic from redirection, but it does match ACL 2000 (source 192.168.0.0 0.0.0.255) in classifier vlan10 and is therefore redirected to 112.64.180.9. The reply never reaches HostA, so the ping fails.
Solution
Configure the router not to redirect traffic from intranet users to the public IP address 172.16.100.1, by adding a matching rule to ACL 3001 so that classifier vlan11 (which has no redirect behavior) catches the server's reply traffic before classifier vlan10 does.

acl number 3001
 rule 11 permit ip source 192.168.0.0 0.0.255.255 destination 112.64.180.10 0
 rule 12 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.100.1 0  //Add a matching rule for traffic from intranet users to the public IP address 172.16.100.1.

The fault is rectified after the matching rule is added.
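The two-way analysis above can be checked with a small model of the policy. The following Python script is an added example, not part of this case or of Huawei's software: it implements Huawei-style wildcard-mask ACL matching and evaluates the classifiers bound to traffic policy vlan10 in their binding order with the first match deciding the behavior (an assumption about how the AR router evaluates a traffic policy, and the property the fix relies on, since vlan11 must be hit before vlan10). It runs the server's reply to HostA through the policy both before and after rule 12 is added, and also an Internet-bound packet from the server, for which 203.0.113.5 is a constructed sample address.

```python
"""Model of the PBR classifiers from this case (added example, not Huawei code).

ACLs use Huawei wildcard masks (a set bit means "don't care").  The traffic
policy is evaluated classifier by classifier in binding order and the first
match decides the behaviour; that order is an assumption about the AR router,
and it is what the fix on this page (hitting vlan11 before vlan10) relies on.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = Tuple[str, str]                      # (base address, wildcard mask)
ANY: Net = ("0.0.0.0", "255.255.255.255")  # matches every address
Acl = List[Tuple[Net, Net]]                # permit rules as (source, destination)


def wildcard_match(addr: str, net: Net) -> bool:
    """True if addr matches base/wildcard; a 1 bit in the wildcard is ignored."""
    base, wildcard = net
    if wildcard == "0":                    # page shorthand for an exact host
        wildcard = "0.0.0.0"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# ACLs exactly as configured on the page; every rule there is a permit rule.
ACLS: Dict[int, Acl] = {
    2000: [(("192.168.0.0", "0.0.0.255"), ANY)],                       # basic ACL: source only
    3001: [(("192.168.0.0", "0.0.255.255"), ("112.64.180.10", "0"))],  # rule 11
}


def acl_permits(acl: Acl, src: str, dst: str) -> bool:
    """An ACL built only from permit rules matches when any rule matches."""
    return any(wildcard_match(src, s) and wildcard_match(dst, d) for s, d in acl)


# traffic policy vlan10: (classifier, ACL it matches, redirect next hop or None),
# in the binding order shown in the configuration.
POLICY: List[Tuple[str, int, Optional[str]]] = [
    ("vlan11", 3001, None),            # traffic behavior vlan11 is empty: route normally
    ("vlan10", 2000, "112.64.180.9"),  # redirect ip-nexthop 112.64.180.9
]


def policy_action(acls: Dict[int, Acl], src: str, dst: str) -> Optional[str]:
    """Return the next hop a packet is redirected to, or None if routed normally."""
    for _classifier, acl_number, nexthop in POLICY:   # first matching classifier wins
        if acl_permits(acls[acl_number], src, dst):
            return nexthop
    return None


def with_rule_12(acls: Dict[int, Acl]) -> Dict[int, Acl]:
    """ACL 3001 after the page's fix: rule 12 permits intranet -> 172.16.100.1."""
    fixed = {n: list(rules) for n, rules in acls.items()}
    fixed[3001].append((("192.168.0.0", "0.0.255.255"), ("172.16.100.1", "0")))
    return fixed


if __name__ == "__main__":
    reply = ("192.168.0.140", "172.16.100.1")   # server -> HostA after NAT on GE0/0/0
    print("HostA -> server     :", policy_action(ACLS, "192.168.1.100", "112.64.180.10"))
    print("server reply, before:", policy_action(ACLS, *reply))            # 112.64.180.9 (the fault)
    print("server reply, after :", policy_action(with_rule_12(ACLS), *reply))  # None
    # Internet-bound traffic from the server stays redirected (203.0.113.5 is constructed)
    print("server -> Internet  :", policy_action(with_rule_12(ACLS), "192.168.0.140", "203.0.113.5"))
```

Before rule 12 the reply falls through classifier vlan11 and is redirected by vlan10; after rule 12 it is caught by vlan11 and routed normally, while the server's Internet-bound traffic is still redirected as intended. The same model is useful whenever a redirect ACL selects traffic by source address only: it will also catch return traffic of any connection that enters the interface, so every exempt destination needs an explicit rule in the classifier bound ahead of the redirecting one.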
Suggestions
Check the router status and configuration using display commands to locate the fault. Follow a correct troubleshooting roadmap, run the appropriate commands, and analyze the corresponding command outputs. When PBR and NAT are combined on the same interface, trace the packet in both directions, request and reply, through NAT translation and policy matching: a redirect classifier that matches on source address alone also catches the reply traffic of intranet servers, so every destination that must not be redirected needs an explicit rule in the exempting ACL.
