Policy-based Routing Affects Intrazone NAT

Publication Date:  2012-07-17 Views:  55 Downloads:  0
Issue Description
The customer uses a USG5350 running V100R003 with two uplinks: GigabitEthernet0/0/0 at 123.13.204.177/24 connecting to Unicom network 1 and GigabitEthernet0/0/1 at 123.7.38.82/2 connecting to Unicom network 2. The downstream core switch is a Cisco 9306. Multiple network segments are configured on the access-layer switch. Two servers are directly connected to the core switch, at 172.10.200.7/24 and 172.10.200.11/24.
For the network diagram and the configuration, see the attachment.
The customer wants intranet hosts to reach the internal servers through the servers' public addresses, which requires intrazone NAT (hairpin NAT) on the firewall. Policy-based routing and the static route take effect, but the intrazone NAT does not.
Alarm Information
None.
Handling Process
  1. Obtain the USG5350 version information, detailed configuration, and network diagram from the customer.
  2. Check the intrazone NAT configuration. No error is detected.
 
      nat-policy zone trust
       policy 0
        action source-nat
        address-group 0
 
  3. Check for the default route to the USG5350 on the core switch. The route exists.
  4. View the policy-based routing configuration.
 
traffic classifier class1
 if-match acl 3001
#
traffic behavior behavior1
  remark ip-nexthop 123.13.204.1 output-interface GigabitEthernet0/0/0
#
qos policy mypolicy
 classifier class1 behavior behavior1
 
View the ACL 3001.
 
acl number 3001     
 description celueluyou
 rule 0 permit ip source 172.10.200.7 0
 rule 5 permit ip source 172.10.200.11 0
ACL 3001 matches on source address only, so policy-based routing sends every packet from 172.10.200.7 and 172.10.200.11 to the extranet through interface G0/0/0 (next hop 123.13.204.1) regardless of destination. When an intranet host reaches a server through the public address, the intrazone NAT policy translates the host's source address to an address from address-group 0; the server's reply to that translated address is still sourced from 172.10.200.7 or 172.10.200.11, so the firewall redirects the reply to G0/0/0 instead of translating it back and forwarding it to the intranet host. The intranet host therefore never receives the response.
 
  5. Change ACL 3001, which is referenced by the policy-based routing, to:
 
acl number 3001    
 description celueluyou
 rule 0 deny ip destination 172.10.200.0 0.0.0.255
 rule 5 deny ip destination 10.0.0.0 0.255.255.255
 rule 10 deny ip destination 192.168.0.0 0.0.0.255
 rule 15 permit ip source 172.10.200.7 0
 rule 20 permit ip source 172.10.200.11 0
The deny rules at the top of the ACL exempt packets destined for the intranet segments from policy-based routing, so those packets follow the normal routing table instead of being forced out the extranet interface, while Internet-bound traffic from the two servers still leaves through G0/0/0. For the fix to cover the hairpin replies, the addresses in address-group 0 (the translated source addresses of intranet hosts) must fall within one of the denied destination ranges.
A test after the modification confirms that intrazone NAT works normally.
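The following added example is not part of the original case; it simulates the firewall's ACL first-match evaluation and the policy-based routing decision it drives, so the effect of the ACL change can be checked without a device. The original and corrected ACL 3001 are transcribed from the case above; the translated source address 172.10.200.200 is an assumed member of address-group 0 (the case does not state the group's range), and 203.0.113.10 stands in for an arbitrary Internet host. Both are constructed test packets.

```python
"""Simulate Huawei-style advanced ACL matching and the PBR decision it drives (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _wildcard(text: str) -> str:
    # The CLI accepts a bare "0" as shorthand for the wildcard 0.0.0.0 (exact host match).
    return "0.0.0.0" if text == "0" else text


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str                                   # "permit" or "deny"
    source: Optional[Tuple[str, str]] = None      # (address, wildcard); None means any
    destination: Optional[Tuple[str, str]] = None


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if address equals base on every bit that is 0 in the wildcard (1 bits are don't-care)."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(_wildcard(wildcard)))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def first_match(acl: List[AclRule], src: str, dst: str) -> Optional[AclRule]:
    """Evaluate rules in ascending rule-number order; the first hit decides, otherwise no match."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if rule.source and not wildcard_match(src, *rule.source):
            continue
        if rule.destination and not wildcard_match(dst, *rule.destination):
            continue
        return rule
    return None


# From traffic behavior behavior1 in the case.
PBR_EGRESS = ("GigabitEthernet0/0/0", "123.13.204.1")


def pbr_egress(acl: List[AclRule], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Forced (interface, next hop) when the classifier permits the packet; None means normal routing."""
    hit = first_match(acl, src, dst)
    if hit is not None and hit.action == "permit":
        return PBR_EGRESS
    return None


# ACL 3001 before the fix: source-only match, so every packet from the servers is diverted.
ACL_ORIGINAL = [
    AclRule(0, "permit", source=("172.10.200.7", "0")),
    AclRule(5, "permit", source=("172.10.200.11", "0")),
]

# ACL 3001 after the fix: intranet destinations are exempted before the permit rules.
ACL_FIXED = [
    AclRule(0, "deny", destination=("172.10.200.0", "0.0.0.255")),
    AclRule(5, "deny", destination=("10.0.0.0", "0.255.255.255")),
    AclRule(10, "deny", destination=("192.168.0.0", "0.0.0.255")),
    AclRule(15, "permit", source=("172.10.200.7", "0")),
    AclRule(20, "permit", source=("172.10.200.11", "0")),
]

# Constructed packets (src, dst). The hairpin reply goes to the address intrazone source NAT
# substituted for the intranet host; 172.10.200.200 is an ASSUMED member of address-group 0.
PACKETS: Dict[str, Tuple[str, str]] = {
    "hairpin_reply": ("172.10.200.7", "172.10.200.200"),
    "server_to_internet": ("172.10.200.7", "203.0.113.10"),
    "other_host_to_internet": ("172.10.200.50", "203.0.113.10"),
}


def compare(before: List[AclRule], after: List[AclRule]) -> Dict[str, Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]]:
    """Map each packet name to its PBR decision (before, after) so the effect of the change is visible."""
    return {name: (pbr_egress(before, *pkt), pbr_egress(after, *pkt)) for name, pkt in PACKETS.items()}


def nat_pool_is_exempted(acl: List[AclRule], server: str, pool: List[str]) -> bool:
    """Check the practitioner caveat: replies from the server to every NAT pool address must escape PBR."""
    return all(pbr_egress(acl, server, addr) is None for addr in pool)


if __name__ == "__main__":
    for name, (before, after) in compare(ACL_ORIGINAL, ACL_FIXED).items():
        print(f"{name:24s} before={before} after={after}")
    print("pool exempted:", nat_pool_is_exempted(ACL_FIXED, "172.10.200.7", ["172.10.200.200"]))
```

The hairpin reply is diverted to G0/0/0 under the original ACL and falls through to normal routing under the corrected one, while the servers' Internet-bound traffic is still steered to G0/0/0 in both cases. `nat_pool_is_exempted` is the check to run against the real address-group range: if it returns False for any pool address, the deny rules do not cover the translated source addresses and the fault would persist.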
Root Cause
The following causes were considered before the fault was isolated:
  1. The command for configuring intrazone NAT on USG5350 V100R003 differs from that on other devices, so the customer may have used an incorrect command.
  2. A routing error.
  3. A software version mismatch.
The actual cause was the policy-based routing ACL, which matched on source address only and diverted the servers' replies to intranet hosts out of the extranet interface.
Suggestions
The command for configuring intrazone NAT on USG5350 V100R003 differs from the command on other models, and the relevant guide does not provide a configuration example. In addition, if no policy source or policy destination is configured under the NAT policy, the output of the dis cur command shows no such lines, which can lead to the mistaken conclusion that the intrazone NAT itself is configured incorrectly.
Review the customer's configuration patiently, and determine whether configuration that interacts with intrazone NAT (policy-based routing in this case) is related to the fault. Do not escalate the problem to R&D engineers prematurely.