Address mapping (NAT server) takes priority over outbound NAT address translation, so an internal host cannot access the external network

Publication Date: 2012-12-14 Views: 56 Downloads: 0
Issue Description
On a USG5310 running V100R003, outbound NAT is configured for some of the IP addresses in an internal network segment, and at the same time one IP address in that segment is mapped (NAT server) to a public network address. The public address used for the mapping is not one of the addresses in the NAT address pool. After this configuration, the host behind the mapped address cannot access the external network. The simplified configuration is as follows:

nat-policy interzone trust untrust outbound
  policy 1
  action source-nat
  source 192.168.41.0 0.0.0.255
  address-group 1
nat address-group 1 111.113.42.244 111.113.42.254
nat server 0 zone untrust global 111.113.42.246 inside 192.168.41.10
The device's external network interface address is 111.113.42.244; 111.113.42.246 is the sub-interface address.
Alarm Information
None
Handling Process
1. The product configuration itself has no problem.
2. Have the user on 192.168.41.10 ping the DNS server, then view the session:
       icmp  VPN: public -> public Remote
       192.168.41.10:768[111.113.42.246:768]-->202.100.96.68:768
The NAT translation address on the session is not in the NAT address pool; it is the mapping (NAT server) address, which is not used for outbound NAT. After changing the internal host's IP address to another address in the same segment that has no mapping, the host can access the network normally.
3. Add the mapping public network address to the outbound address pool, or replace the mapping public network address with an address from the address pool. Either change solves the problem, and the host can access the external network normally.
Root Cause
1. Caused by configuration errors.
2. Security policy and third-party causes.
3. Firewall processing abnormality.
Suggestions
In the firewall's packet-forwarding process, address mapping (NAT server) is handled before NAT address translation (outbound NAT). So when an internal IP address initiates access to the external network, the packet goes through the address mapping process first and does not go through the outbound NAT address translation process. Because the mapped public network address is not in the NAT address pool, that IP cannot access the external network normally.
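To make the forwarding order concrete, here is an added Python model (not Huawei code and not from this article): the NAT server mapping is consulted first, and the global address chosen for the session is then checked against the outbound address pool, which is the check made in the handling steps above. The dict layout and function names are this example's own, and the pool bounds are constructed so that the mapped address falls outside the pool as the text states; note that the simplified address-group range quoted above (.244 to .254) would as written already include .246.

```python
import ipaddress

# Constructed model of the USG forwarding order the article describes:
# the NAT server (static mapping) is consulted before the outbound
# source-NAT policy, so a mapped host never reaches the address pool.
# Dict layouts and function names are this example's own, not USG CLI.

def pool_range(first, last):
    """Expand an address-group 'first last' range into a set of addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return {str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)}

def translate_source(src, nat_server, policy):
    """Return (global address, stage) chosen for an outbound packet from src."""
    if src in nat_server:                      # mapping wins; outbound NAT is skipped
        return nat_server[src], "nat-server"
    if ipaddress.ip_address(src) in policy["source"]:
        # Pool selection simplified to the lowest pool address.
        return min(policy["pool"], key=ipaddress.ip_address), "outbound-nat"
    return src, "none"

def diagnose(src, nat_server, policy):
    """Mirror the article's check: is the session's global address in the pool?"""
    global_addr, stage = translate_source(src, nat_server, policy)
    return {"global": global_addr, "stage": stage,
            "in_pool": global_addr in policy["pool"]}

# Constructed pool (placeholder bounds) that does NOT include the mapped .246.
BROKEN = {"source": ipaddress.ip_network("192.168.41.0/24"),
          "pool": pool_range("111.113.42.244", "111.113.42.245")}
NAT_SERVER = {"192.168.41.10": "111.113.42.246"}   # nat server: inside -> global

# Fix from the article: add the mapped global address to the outbound pool.
FIXED = {"source": BROKEN["source"],
         "pool": BROKEN["pool"] | {"111.113.42.246"}}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "mapped host:", diagnose("192.168.41.10", NAT_SERVER, policy))
        print(name, "other host: ", diagnose("192.168.41.20", NAT_SERVER, policy))
```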
