usg5310 version v100r003, configure outbound direction nat for internal network some segment ip，at the same time mapping a IP address of the network segment to the public network, the address used as mapping public network is different with the addresses that in the nat address pool. After configuration, user can’t access external network on the mapping address host, the simple configuration is as follows:
nat-policy interzone trust untrust outbound
source 192.168.41.0 0.0.0.255
nat address-group 1 220.127.116.11 18.104.22.168
nat server 0 zone untrust global 22.214.171.124 inside 192.168.41.10
The device external network interface address is configured as 126.96.36.199，188.8.131.52 is the sub-interface address.
1. Product configuration has no problem.
2. Let the user on 192.168.41.10 to ping DNS, to view the session.
icmp VPN: public -> public Remote
Find that the nat translation address is not in the nat address pool, is used as the mapping address (this address is not used as nat outbound). Modify the internal network IP address as other same segment addresses that haven’t done mapping, the can access network normally.
3. Add the mapping public network address to outbound address pool or replace the mapping public network address as address pool address, problem can be solved, this ip can access external network normally.
1. Caused by configuration errors.
2. Security policy and third-party causes.
3. Firewalls processing abnormality.
Because address mapping is before the nat address translation in the firewall forwarding packets handle process，so when the internal network ip initiative access external network, goes the address mapping process first and doesn’t go outbound direction nat address translation process, but the mapping public network address isn’t in the nat address pool, so cause the ip can not access external network normally.