USG9300: NAT server public network mapping fails, so the public network cannot access the server

Publication Date: 2012-10-10
Issue Description
A USG9300 firewall (software version USG9300 V100R001C01SPC001) was configured with a NAT server bound to a virtual firewall, and all other configuration was normal. However, the public network could not access the server, and no session information was recorded.
Alarm Information
None.
Handling Process
Step 1: After communicating with the customer, we learned that the same configuration had worked normally on the original physical (non-virtual) firewall, so an address problem was ruled out.
Step 2: The customer's internal network users could ping the external interface, and the firewall could ping the public network entry address, so a routing problem was ruled out.
Step 3: After analyzing the configuration, we confirmed that the problem lay in the virtual firewall configuration.
Step 4: The configuration analysis is as follows:
The original configuration is:
nat server  protocol tcp global 119.6.249.10 3389 inside 10.190.5.3 3389 vpn-instance fw2
Here the virtual firewall is bound only at the end of the command.
The correct configuration is:
nat server zone vpn-instance fw2 trust protocol tcp global 119.6.249.10 3389 inside 10.190.5.3 3389 vpn-instance fw2
nat server zone vpn-instance fw2 untrust protocol tcp global 119.6.249.10 3389 inside 10.190.5.3 3389 vpn-instance fw2
Description: Because our company's virtual firewalls are based on VPN multi-instance, a NAT server on a virtual firewall must also be configured against the security zones of that virtual firewall. The trust zone entry lets users in the trust zone access the server through its public network address (this also requires intra-zone NAT). If the zone contains only NAT servers, only the second command needs to be configured.
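The check from Step 4 can be run over a saved configuration before a migration to a virtual firewall. The following is an added example, not Huawei tooling or part of the original case: `audit_nat_servers` is a hypothetical helper, and its pattern assumes only the two `nat server` command forms quoted above.

```python
import re
from collections import defaultdict

# The two configurations quoted in this case, reproduced as sample input.
ORIGINAL = "nat server protocol tcp global 119.6.249.10 3389 inside 10.190.5.3 3389 vpn-instance fw2"
CORRECTED = """\
nat server zone vpn-instance fw2 trust protocol tcp global 119.6.249.10 3389 inside 10.190.5.3 3389 vpn-instance fw2
nat server zone vpn-instance fw2 untrust protocol tcp global 119.6.249.10 3389 inside 10.190.5.3 3389 vpn-instance fw2
"""

# Assumption: only the two command forms shown on this page are parsed;
# any other variant of the command is skipped rather than guessed at.
NAT_RE = re.compile(
    r"^nat server\s+(?:zone vpn-instance (?P<zvpn>\S+) (?P<zone>\S+)\s+)?"
    r"protocol (?P<proto>\S+) global (?P<gip>\S+) (?P<gport>\S+)\s+"
    r"inside (?P<iip>\S+) (?P<iport>\S+)(?: vpn-instance (?P<vpn>\S+))?$"
)

def audit_nat_servers(config_text):
    """List virtual-firewall NAT server mappings that lack zone bindings."""
    zones = defaultdict(set)          # mapping -> zones it is bound to
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # drop indentation and doubled spaces
        m = NAT_RE.match(line)
        if not m or not m["vpn"]:
            continue                  # not a virtual-firewall NAT server line
        key = (m["vpn"], m["proto"], m["gip"], m["gport"], m["iip"], m["iport"])
        bound = zones[key]            # registers the mapping even with no zone
        if m["zone"] and m["zvpn"] == m["vpn"]:
            bound.add(m["zone"])
    findings = []
    for (vpn, proto, gip, gport, iip, iport), bound in sorted(zones.items()):
        name = f"{proto} {gip}:{gport} -> {iip}:{iport} ({vpn})"
        if not bound:
            findings.append(f"{name}: no zone binding (the failing form in this case)")
        elif "untrust" not in bound:
            findings.append(f"{name}: no untrust zone binding")
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, audit_nat_servers(cfg) or "OK")
```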
Root Cause
A. The NAT server mapping is not successful, so external hosts cannot access the server through its public network address.
B. The public IP address is already occupied, so the mapping is not successful.
C. The firewall routing has a problem, and the network-layer failure prevents the public network from accessing the server.
In this case, the cause was that the NAT server mapping was not successful, which prevented the public network from accessing the server.
Suggestions
None.
