Users in the intranet cannot access the extranet

Publication Date: 2012-09-21
Issue Description
At customer xx, with the USG9300 at the egress, users in the intranet cannot access the extranet.
Alarm Information
none
Handling Process
Step 1: Check the flow configuration of the SPU, that is, whether traffic is passing through the XGE subport.
Run display port xgigabitethernet port-number.subnumber on the SPU and check the input value in the output.
If the input field is 0, no packets are entering the SPU. Check the SPU pre-configuration against "Quidway S9300 Tbit router switch configuration directory - SPU".
If it is not correct, do the flow configuration again.
If it is correct, go to step 9.
If the input field is not 0, go to step 2.
Step 2: Check whether the ACL policy referenced by NAT outbound permits the NAT packets to pass.
Run display nat outbound on the SPU and check whether NAT outbound is configured correctly on the outbound port.
[Quidway]display nat outbound
NAT Outbound Information:
---------------------------------------------------------------------------------------------
Port                     Acl      Address-group/IP      Type
---------------------------------------------------------------------------------------------
XGigabitEthernet0/0/2.1      2000                  1        no-pat
---------------------------------------------------------------------------------------------
  Total : 1  

From this output we can see that the ACL associated with NAT outbound on port XGigabitEthernet0/0/2.1 is 2000.
Next, check whether the ACL 2000 policy is correct. If the IP address, port number or protocol type is not configured correctly, packets cannot pass through the network normally.
Use the command display acl 2000 to review the configuration associated with NAT outbound.
[Quidway] display acl 2000
Advanced ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 192.168.1.100 0
From the ACL policy we can see that the packet type is TCP and that only packets whose source is 192.168.1.10 match this ACL policy.
If the ACL configuration is not correct, configure it again.
If the ACL configuration is correct and the fault still exists, go to step 3.
Step 3: Check the address pool.
Run display nat address-group to check whether the address pool is bound to NAT outbound on the outbound port.
[Quidway] display nat address-group 1
NAT Address-Group Information:
--------------------------------------
Index   Start-address      End-address
--------------------------------------
1       110.0.0.100         110.0.0.110
--------------------------------------
Total : 1    

For easy IP, run display nat outbound on the SPU to check the information.

[Quidway]display nat outbound
NAT Outbound Information:
-----------------------------------------------------------------
Port                    Acl      Address-group/IP      Type
-----------------------------------------------------------------
XGigabitEthernet0/0/1.200    2000            30.30.30.1    easyip
-----------------------------------------------------------------
  Total : 1       
From the above information we can see that outbound port XGigabitEthernet0/0/1.200 is configured for easy IP and that the bound address is 30.30.30.1. If access through NAT fails, confirm the following:
Is the bound IP address the IP address of the port? If it is, ensure that the port address is valid.
Is the bound IP address a VRRP virtual address? If it is, first ensure that the port address is valid, then ensure that the VRRP state is Master. Run display vrrp to check the VRRP state of this port.
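The check in step 2 can be scripted against saved command output. The following is an added example, not part of the original case or of any Huawei tool: it parses the display nat outbound and display acl output shown above (embedded as constructed sample text) and reports whether a given source address is selected for NAT on a port. The function names are hypothetical, and it assumes rules are evaluated in rule-id order with first match winning.

```python
import ipaddress
import re

# Constructed sample input, copied from the outputs shown in the steps above.
NAT_OUTBOUND = """\
Port                     Acl      Address-group/IP      Type
XGigabitEthernet0/0/2.1      2000                  1        no-pat
"""
ACL_2000 = """\
Advanced ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 192.168.1.100 0
"""

def parse_nat_outbound(text):
    """Map each port to (acl_number, address_group_or_ip, nat_type)."""
    row = r"^[ \t]*(\S+/\S+)[ \t]+(\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$"
    return {p: (int(a), g, t) for p, a, g, t in re.findall(row, text, re.M)}

def parse_acl_rules(text):
    """Return [(rule_id, action, source, wildcard)] sorted by rule id."""
    rules = []
    for rid, action, src, wc in re.findall(
            r"^[ \t]*rule (\d+) (permit|deny) source (\S+) (\S+)", text, re.M):
        wc = "0.0.0.0" if wc == "0" else wc  # "0" is shorthand for a host match
        rules.append((int(rid), action, int(ipaddress.IPv4Address(src)),
                      int(ipaddress.IPv4Address(wc))))
    return sorted(rules)

def acl_action(rules, src):
    """First matching rule wins (assumed order); wildcard 1-bits are ignored."""
    src = int(ipaddress.IPv4Address(src))
    for _rid, action, addr, wc in rules:
        care = ~wc & 0xFFFFFFFF
        if src & care == addr & care:
            return action
    return "no-match"  # the packet is not selected for NAT

def nat_check(port, src, nat_text=NAT_OUTBOUND, acl_text=ACL_2000):
    """Report whether a packet from src is selected by NAT outbound on port."""
    nat = parse_nat_outbound(nat_text)
    if port not in nat:
        return "no NAT outbound on port"
    action = acl_action(parse_acl_rules(acl_text), src)
    return "translated" if action == "permit" else "not translated"
```
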
Root Cause
• The public network inbound/outbound port that users access through is in the Down state
• NAT outbound is not configured on the public network inbound/outbound port
• The ACL referenced by NAT outbound is not configured correctly
Suggestions
none