Whether a host can access the external network after NAT server mapping

Publication Date: 2012-10-10
Issue Description
If NAT server is configured with a whole mapping for a host, can that host go online directly without NAT outbound also being configured?
According to the practical experience of more than 400 engineers, the behavior appears to differ from product to product.
Some hosts can go online directly without NAT outbound being configured, and some require NAT outbound.

For example:
internal Server---------------FW----------------public network
After NAT server is configured on the FW, if the internal server actively initiates access to the outside, does NAT outbound also need to be configured on the FW?
Alarm Information
None.
Handling Process
None.
Root Cause
This problem is handled differently depending on the product. There are generally two processing modes:
A. Eudemon1000 behavior:
1 Global NAT server configured
Regardless of whether the NAT server is configured with “No-Reverse”, the inside address can't directly access the public network; it must be used together with “Nat Outbound/Inbound”.
2 Zone-based NAT server configured (No-Reverse is not supported). There are two situations:
Assume that the public network is in the “untrust” zone.
If the NAT server is configured on the “untrust” zone, the internal network can access the public network without NAT outbound being configured.
If the NAT server is not configured on the “untrust” zone, the internal server can access the public network only when NAT outbound is configured.
B. Eudemon1000E behavior:
1 Global NAT server configured
1.1 NAT server configured without “No-Reverse”
The inside address can directly access the public network.
1.2 NAT server configured with “No-Reverse”
The inside address can't directly access the public network; it must be used together with “Nat Outbound/Inbound”.
2 Zone-based NAT server configured (No-Reverse is not supported)
For example: nat server zone untrust global 202.10.1.1 inside 192.168.1.1
2.1 Assume the destination public network address is in the “untrust” zone and the inside user is in the “trust” zone.
The inside address can directly access the public network address, and its address is translated to the NAT server's global (G) address.
In addition, among external addresses, only addresses in the “untrust” zone can access the global address.
2.2 Assume the destination public network address is not in the “untrust” zone and the inside user is in the “trust” zone.
The inside address can't directly access the public network address; source address translation is done through “Nat Outbound/Inbound”.
Other products, such as the E8000E, USG9100, E200E, and SRG VxR5 version, behave the same as the E1000E.
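The rules above can be applied mechanically when reviewing a configuration to see which mapped servers reach the public zone without a NAT outbound rule. The script below is an added example, not Huawei code. Assumptions: the global form `nat server global ... inside ... [no-reverse]`, the product keys, and every sample line other than the page's own `zone untrust` line are constructed for illustration.

```python
import re

# Constructed sample config. Line 1 is the page's example; the other lines
# and the global "[no-reverse]" syntax are assumptions for illustration.
SAMPLE = """\
nat server zone untrust global 202.10.1.1 inside 192.168.1.1
nat server zone dmz global 202.10.1.2 inside 192.168.1.2
nat server global 202.10.1.3 inside 192.168.1.3
nat server global 202.10.1.4 inside 192.168.1.4 no-reverse
"""

LINE = re.compile(
    r"^nat server(?: zone (?P<zone>\S+))? global (?P<g>\S+)"
    r" inside (?P<i>\S+)(?P<nr> no-reverse)?\s*$"
)

# Hypothetical product keys; per the page, E8000E, USG9100, E200E and
# SRG VxR5 follow the Eudemon1000E rules.
PRODUCTS = ("Eudemon1000", "Eudemon1000E")


def needs_nat_outbound(product, zone, no_reverse, public_zone="untrust"):
    """True if the inside host needs NAT outbound to reach public_zone."""
    if product not in PRODUCTS:
        raise ValueError(f"unknown product: {product}")
    if zone is not None:
        # Zone-based NAT server: reverse translation only toward its own zone.
        return zone != public_zone
    if product == "Eudemon1000":
        # Global NAT server: NAT outbound needed with or without no-reverse.
        return True
    # Eudemon1000E family: global NAT server translates outbound traffic
    # unless no-reverse is set.
    return no_reverse


def audit(config, product, public_zone="untrust"):
    """Map each inside address to (global address, needs NAT outbound)."""
    results = {}
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a NAT server line
        if m["zone"] and m["nr"]:
            raise ValueError(f"no-reverse is not supported with zone: {raw}")
        results[m["i"]] = (
            m["g"],
            needs_nat_outbound(product, m["zone"], bool(m["nr"]), public_zone),
        )
    return results
```

A `False` result means the server can initiate connections to the public zone through the NAT server mapping alone, so it is worth confirming that this outbound path is intended.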
Suggestions
None.

END