No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Some Public IP Addresses Fail to Access an Intranet Server After the NAT Server Function Is Configured on USGs

Publication Date:  2014-01-06 Views:  125 Downloads:  0
Issue Description
In the following networking, two USG firewalls and two NE40 routers run Open Shortest Path First (OSPF) to advertise the IP addresses of the intranet server and carrier network. Static routes are configured on USGs. Packets destined for the Telecom network are forwarded by USG-1, and packets destined for the Unicom network are forwarded by USG-2. After the NAT server function and port mapping of an office intranet server are configured on USG-2, some public IP addresses fail to access this server, while some can.



Alarm Information
None
Handling Process
1. Check configurations on two USGs. The configurations are correct.
2. The carrier network connected to USG-2 may be faulty, or the mapped port is restricted. On USG-2, modify the configurations by mapping the entire IP address pool. The fault persists. Communicate with the carrier, and find that no restriction is configured.
3. Check configurations on two USGs. Default routes are configured on the USGs.
USG-1: ip route-static 0.0.0.0 0.0.0.0  X.X.X.X
USG-2: ip route-static 0.0.0.0 0.0.0.0  X.X.X.X
Both the default routes are advertised to the two NE40s. Therefore, the NE40s have two default routes. Check configurations of specific static routes on the two USGs. Specific routes to the Telecom or Unicom do not cover all IP addresses on the entire network. The NE40s send packets that match no specific route through the two default routes. Incoming packets destined for the intranet server from an extranet are forwarded by USG-2. However, outgoing packets may reach USG-1. USG-1 will discard the packets since it has no session containing the server IP address. As a result, access to the intranet server fails.
4. Use one of the following methods to rectify the fault:
a. Disable the status check function on the two USGs. This method provides low security and is not recommended.
b. Configure the NAT server function on the two USGs. In this way, IP addresses of different carriers can access the public IP addresses of different server.
c. Configure specific routes for destination IP addresses on USG-2. Specific routes have high priorities based on the route matching rule. Packets are returned along the original path.
d. Configure both NAT server and source-based NAT for incoming packets so that returned packets can reach USG-2. However, the source IP address cannot be recorded, which does not meet the security audit requirement.
Root Cause
1. The device configuration is incorrect.
2. A fault occurs on the carrier network.
3. The route configuration on the firewall or router is incorrect.
Suggestions
All the preceding methods can resolve the problems; however, they all have disadvantages. In method b, extranet users must know the local network provider. Method c requires heavy configuration workload and is not applicable to extranet dialup users. The optimal solution is to change the network structure by replacing the two firewalls with a firewall providing higher performance.

END