
The Policy-based Route Causes Intranet Users Unable to Access Web Servers in Other Zones

Publication Date: 2012-07-24
Issue Description
The customer uses dual egresses and configures the NAT server mapping nat server protocol tcp global 218.5.132.54 www inside 192.168.1.200 www.
The customer also configures two policy-based routes:
traffic classifier webserver
 if-match acl 3100
traffic classifier user
 if-match acl 3200

traffic behavior webserver
  remark ip-nexthop 218.5.132.1 output-interface Vlanif2
traffic behavior user
  remark ip-nexthop 220.162.12.37 output-interface GigabitEthernet0/0/0
traffic behavior 1

qos policy webserver
 classifier webserver behavior webserver
qos policy user
 classifier user behavior user
The customer applies the two policy-based routes to the interfaces.
NAT configuration:
nat address-group 1 218.5.132.54 218.5.132.54
nat address-group 2 220.162.12.38 220.162.12.38
firewall interzone trust untrust
 nat outbound 3100 address-group 1
firewall interzone trust2 untrust2
 nat outbound 3200 address-group 2
Users in Trust 2 cannot access the Web server in the Trust zone through public IP address 218.5.132.54.
Alarm Information
None.
Handling Process
After the configuration is modified, the following checks succeed:
1. The PC in the Trust zone accesses the HTTP server in Trust 2 through 218.5.132.54. The service is normal.
2. The PC in the Trust zone accesses the HTTP server in Trust 2 through 192.168.1.200. The service is normal.
3. The PC on the public network accesses the HTTP server in Trust 2 through 218.5.132.54. The service is normal.
Modify the QoS policy on the live network so that the traffic classifiers reference the following ACL rules, which exclude intranet-to-intranet traffic from the policy-based route before permitting the rest:
acl number 3300
 rule 1 deny ip destination 192.168.1.0 0.0.0.255
 rule 5 permit ip source 192.168.0.0 0.0.0.255
 rule 10 deny ip
acl number 3400
 rule 1 deny ip destination 192.168.0.0 0.0.0.255
 rule 5 permit ip source 192.168.1.0 0.0.0.255
 rule 10 deny ip
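As an added illustration (not configuration or code from this case), the following Python evaluates the corrected ACL 3300 with Huawei wildcard-mask semantics to show why the deny rule for the intranet destination has to come before the permit rule: a flow from a user in 192.168.0.0/24 to the server's inside address 192.168.1.200 is left to normal routing, while the same user's Internet-bound flow is still redirected. It assumes config match order (first matching rule by rule id wins) and that a permit hit in a traffic classifier means the flow is redirected by the policy; the host 203.0.113.5 is a constructed documentation address.

```python
import ipaddress

# Constructed copy of ACL 3300 from the case; rules are evaluated in rule-id
# order and the first match wins (assumption: config match order).
ACL_3300 = """
rule 1 deny ip destination 192.168.1.0 0.0.0.255
rule 5 permit ip source 192.168.0.0 0.0.0.255
rule 10 deny ip
"""


def parse_acl(text):
    """Parse 'rule <id> permit|deny ip [source A W] [destination A W]' lines.
    A is a base address, W a Huawei wildcard mask (1 bit = don't care)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
        i = 4  # tokens after 'rule <id> <action> ip'
        while i < len(tok):
            base = int(ipaddress.IPv4Address(tok[i + 1]))
            wild = int(ipaddress.IPv4Address(tok[i + 2]))
            rule[tok[i]] = (base, wild)
            i += 3
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])


def wildcard_match(addr, entry):
    """True if addr matches (base, wildcard); a missing entry matches any address."""
    if entry is None:
        return True
    base, wild = entry
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def acl_lookup(rules, src, dst):
    """Return (rule_id, action) of the first matching rule; no match counts as deny."""
    for r in rules:
        if wildcard_match(src, r["source"]) and wildcard_match(dst, r["destination"]):
            return r["id"], r["action"]
    return None, "deny"


def pbr_redirects(rules, src, dst):
    """Assumption: in a traffic classifier a 'permit' hit means the flow is sent
    to the policy next hop; a 'deny' hit leaves it to the normal routing table,
    so intranet-to-intranet flows stay on their symmetric path."""
    return acl_lookup(rules, src, dst)[1] == "permit"
```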
Root Cause
The policy-based route redirects the user's request packet to the Untrust zone egress after NAT, but the server sends its reply directly toward Untrust 2. The forward and return paths are therefore inconsistent (asymmetric), and the access fails.
Suggestions
None.