
NAT in the Same Network Segment Between NAT Address Pool and the Sub Address of the Outgoing Interface Fails (NE20E)

Publication Date: 2012-07-27
Issue Description
The configuration and the observed faults are as follows:
#
acl number 2000
rule 2 permit source 172.16.0.0 0.0.63.255
rule 4 deny
#
acl number 2002
rule 0 permit source 10.0.0.0 0.0.63.255
rule 10 deny
#
acl number 2003
rule 0 permit source 10.1.0.0 0.0.63.255
rule 10 deny
#
nat address-group 0 10.10.233.133 10.10.233.190 mask 255.255.255.192
nat address-group 2 10.10.22.8 10.10.22.254 mask 255.255.255.0
nat address-group 3 10.10.23.8 10.10.23.254 mask 255.255.255.0
#
interface GigabitEthernet2/0/1
description "link_to_SZZF_FireWall"
ip address 10.10.233.131 255.255.255.192
ip address 10.10.22.2 255.255.255.0 sub
ip address 10.10.23.2 255.255.255.0 sub
vrrp vrid 1 virtual-ip 10.10.233.130
.....
nat outbound 2000 address-group 0
// Works: address-group 0 is in the same network segment as the primary address of the interface.
nat outbound 2002 address-group 2
// Fails: address-group 2 is in the same network segment as a sub address of the interface.
nat outbound 2003 address-group 3
// Fails: address-group 3 is in the same network segment as a sub address of the interface.
#
For the failing NAT services, a black hole route for the corresponding address pool segment was also tested; NAT still failed and no NAT session was created.
Alarm Information
None
Handling Process
1. Tests confirmed that packets from private network users reached the NE20E and that the upstream device had a return route configured for the address pools.
2. Checking the configuration showed that every ACL ended with an explicit deny rule. After these deny rules were removed, the problem was solved and each nat outbound entry produced its own NAT session. For the reason, see Suggestions.
3. The NE20E does support NAT networking in which the public NAT address pool and a sub address of the outbound interface are in the same network segment, so the networking itself was not the cause.
Root Cause
When no NAT session appears on the NE20E, the possible reasons are:
1. Packets from private network users do not reach the NE20E.
2. The NE20E does not support the public address pool being in the same network segment as a sub address of the outbound interface, or the NE20E configuration is incorrect.
In this case the cause was an incorrect configuration: the trailing deny rule in each NAT ACL.
Suggestions
The NAT process on the NE20E running VRP5.3 is summarized as follows.
After a private network packet arrives:
1. The packet is matched against the NAT ACLs, taking the ACLs from the largest ACL number to the smallest. The first ACL that matches the packet ends the search; the remaining ACLs are not consulted. If the matching rule is a deny, the packet is not discarded: it is forwarded by the normal routing process without any NAT processing. This is why a trailing deny rule in one ACL can intercept traffic that was meant to be translated by another nat outbound entry on the same interface.
2. Based on the number of the matched ACL, the NE20E finds the corresponding nat outbound entry on the outbound interface, creates a NAT session, and forwards the translated packet.
3. The rule for the black hole route covering the public address pool on the NE20E/NE20 is: the mask length of the NAT public address pool must be less than or equal to the mask length of the black hole route; otherwise NAT translation may fail.
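The following script is an added example, not Huawei code, that models the decision path described in steps 1 to 3 and replays the configuration from the Issue Description through it. It assumes only what the article states: ACLs are tried one at a time, the first matching ACL ends the search, a permit selects that ACL's nat outbound address group, a deny means normal routing with no NAT, and the pool mask must not be longer than the black hole route mask. The ACL rules, address groups and nat outbound bindings are transcribed from the configuration above; the source addresses used as input are constructed. One caveat worth checking on your own device: with the configuration above, trying the largest ACL number first (the order stated in step 1) would also send ACL 2000's traffic into the deny rule of ACL 2003, whereas the article reports that ACL 2000 kept working, so the ACL order is left as a parameter and both orders are shown.

```python
"""Model of the NE20E VRP5.3 NAT decision path described in this article.

Added example (not Huawei code). It implements only what the article states:
ACLs are tried one by one, the first ACL that matches ends the search, a permit
selects the nat outbound address group bound to that ACL, and a deny means
normal routing with no NAT. ACL rules, address groups and nat outbound bindings
are transcribed from the configuration above; source addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (action, source, wildcard); source None means the rule matches any source.
Rule = Tuple[str, Optional[str], Optional[str]]

# ACL rules in ascending rule-number order, as configured before the fix.
# Wildcard 0.0.63.255 means "ignore the low 18 bits", i.e. a /18 match.
ACLS_WITH_DENY: Dict[int, List[Rule]] = {
    2000: [("permit", "172.16.0.0", "0.0.63.255"), ("deny", None, None)],
    2002: [("permit", "10.0.0.0", "0.0.63.255"), ("deny", None, None)],
    2003: [("permit", "10.1.0.0", "0.0.63.255"), ("deny", None, None)],
}

# The same ACLs after the fix in Handling Process step 2: deny rules removed.
ACLS_FIXED: Dict[int, List[Rule]] = {
    n: [r for r in rules if r[0] == "permit"] for n, rules in ACLS_WITH_DENY.items()
}

# nat outbound <acl> address-group <group> on GigabitEthernet2/0/1.
NAT_OUTBOUND: Dict[int, int] = {2000: 0, 2002: 2, 2003: 3}


def wildcard_match(ip: str, source: str, wildcard: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    ip_i = int(ipaddress.IPv4Address(ip))
    src_i = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (src_i & care)


def acl_action(rules: List[Rule], ip: str) -> Optional[str]:
    """Action of the first rule that matches ip, or None when no rule matches."""
    for action, source, wildcard in rules:
        if source is None or wildcard_match(ip, source, wildcard):
            return action
    return None


def nat_decision(acls: Dict[int, List[Rule]], nat_outbound: Dict[int, int],
                 src_ip: str, descending: bool = True) -> Tuple[Optional[int], Optional[int]]:
    """Return (acl_number, address_group) for a packet from src_ip.

    address_group is the NAT address group used, or None when the packet is
    forwarded without NAT. acl_number is the ACL that ended the search, or None
    when no ACL matched at all. descending=True is the order the article states
    (largest ACL number first); descending=False tries the smallest first.
    """
    for acl_number in sorted(acls, reverse=descending):
        action = acl_action(acls[acl_number], src_ip)
        if action == "permit":
            return acl_number, nat_outbound.get(acl_number)
        if action == "deny":
            return acl_number, None  # deny: routed normally, no NAT, search ends
    return None, None


def blackhole_route_ok(pool_mask: str, blackhole_prefix_len: int) -> bool:
    """Article rule: the pool mask length must not exceed the black hole route's mask length."""
    pool_prefix_len = ipaddress.IPv4Network(f"0.0.0.0/{pool_mask}").prefixlen
    return pool_prefix_len <= blackhole_prefix_len


if __name__ == "__main__":
    samples = ["172.16.0.1", "10.0.0.1", "10.1.0.5"]  # constructed: one host per ACL
    for label, acls in (("with deny rules", ACLS_WITH_DENY), ("deny rules removed", ACLS_FIXED)):
        for order in (True, False):
            print(f"{label}, {'largest' if order else 'smallest'} ACL number first:")
            for ip in samples:
                print("  ", ip, "->", nat_decision(acls, NAT_OUTBOUND, ip, descending=order))
    print("pool /26 with black hole /26:", blackhole_route_ok("255.255.255.192", 26))
    print("pool /26 with black hole /24:", blackhole_route_ok("255.255.255.192", 24))
```

Running it shows the failure mode from the Handling Process: with the deny rules present, hosts in 10.0.0.0/18 are caught by a deny rule in a different ACL before their own ACL 2002 is reached, so they are routed without NAT and no session is created; once the deny rules are removed, every host lands on its own ACL and address group regardless of the search order. The last two lines apply the black hole rule from step 3 to address-group 0 (mask 255.255.255.192, a /26): a /26 black hole route satisfies it, a /24 route does not.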

END