
E1000: NAT server on an interface address with port 1701 causes the internal server's port mapping to fail

Publication Date:  2014-12-29 Views:  55 Downloads:  0
Issue Description
An E1000 uses its interface address as the NAT server (port mapping) global address for port 1701, forwarding to an internal web server, but the service is unreachable. The E1000 public-side interface (untrust zone) is configured with IP address 218.X.Y.230; port 1701 is mapped via NAT server to the internal web server, but the service on the internal server cannot be reached from outside.
Handling Process
1. First, check the configuration. It is correct:

interface GigabitEthernet1/0/0
description TO-11F-S3928
ip address 218.X.X.230 255.255.255.248

firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0

nat server protocol udp  global 218.X.X.230 1701 inside 135.X.X.112 1701 

2. Check reachability. The user's port mappings for 442 and 443 work normally, so routing and the basic firewall functions are working. Configuration:

nat server protocol udp global 218.X.X.230  442 inside 135.X.X.112  442

Session as below:
  udp, (vpn: public -> public)
  zone: untrust -> trust   tag: c0400002
  ttl: 00:02:00  left: 00:01:58  Id: 522874
  <-- packets:39328 bytes:10212480   --> packets:52713 bytes:26329632
  218.X.X.230:442[135.X.X.112:442]<--1.204.X.235:3953

3. Check the session table for port 1701: there is no entry for port 1701. Since the other port mappings are reachable, inter-zone policy filtering was suspected, but the inter-zone policies all permit. (It was also ruled out that the application behind port 1701 first needs to use other ports.)

#
interzone trust untrust
packet-filter 3000 inbound
packet-filter 3000 outbound
nat outbound 3002 address-group 0
session log enable acl-number 3002 inbound
session log enable acl-number 3002 outbound
#

[2F-BOSS-E1000]dis acl 3000
Advanced ACL  3000, 8 rules,not binding with vpn-instance
Management
Acl's step is 5
rule 1 permit ip source 135.10.20.0 0.0.0.255
rule 2 permit ip source 135.10.21.0 0.0.0.255
rule 3 permit ip source 135.10.19.0 0.0.0.128
rule 5 permit icmp
rule 10 permit tcp
rule 15 permit udp
rule 20 permit ip source 135.10.17.0 0.0.0.64
rule 3000 permit ip


4. Port 1701 is the default port for L2TP, so it was suspected that older E1000 products restrict mapping of this port.
Research confirmed this: when the firewall's interface address is used as the NAT server public address, received packets with destination port 1701 are sent to the CPU, and if the firewall's L2TP function is not enabled, these packets are discarded.
Root Cause
On E1000 firewall version V200R006C02B066, NAT server on an interface address is restricted: when the mapped address is an interface address, some special protocols (such as L2TP on port 1701) may be handled incorrectly by the port mapping.
Solution
Change the NAT server global address to a non-interface address (alternatively, change the server address or the mapped port). After the NAT server global address was changed to a non-interface address, the problem was resolved. Configuration:
  nat server protocol udp global 218.X.X.231 1701 inside 135.X.X.112 1701
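As an added example (not part of the original case or of Huawei's tooling), a small configuration check in Python that catches this condition before deployment: it parses VRP-style `interface` / `ip address` and `nat server` lines and flags any mapping whose global address is an interface address and whose global port is one the firewall consumes locally (1701/udp, L2TP, as the case describes). The sample configuration and the TEST-NET addresses in it are constructed.

```python
import re

# Ports the case reports as terminated locally by the E1000 when the NAT server
# global address is also an interface address: 1701/udp (L2TP). Extend the table
# if your platform documents other such ports (the table format is our own).
LOCAL_SERVICE_PORTS = {("udp", 1701): "L2TP"}

IFACE_RE = re.compile(r"^\s*interface\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+\S+")
NAT_RE = re.compile(
    r"^\s*nat server protocol (tcp|udp)\s+global (\S+)\s+(\d+)\s+inside (\S+)\s+(\d+)"
)

def parse_config(text):
    """Return ({interface_ip: interface_name}, [mapping dicts]) from config text."""
    iface_ips, mappings, current = {}, [], None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)  # enter an interface block
        elif (m := IPADDR_RE.match(line)) and current:
            iface_ips[m.group(1)] = current  # interface-owned address
        elif m := NAT_RE.match(line):
            proto, gaddr, gport, iaddr, iport = m.groups()
            mappings.append({"proto": proto, "global": gaddr, "gport": int(gport),
                             "inside": iaddr, "iport": int(iport)})
    return iface_ips, mappings

def find_interface_port_conflicts(text):
    """Flag NAT server rules that map a locally consumed port on an interface address."""
    iface_ips, mappings = parse_config(text)
    findings = []
    for m in mappings:
        svc = LOCAL_SERVICE_PORTS.get((m["proto"], m["gport"]))
        if svc and m["global"] in iface_ips:
            findings.append(
                f"{m['proto']}/{m['gport']} ({svc}) mapped on interface address "
                f"{m['global']} ({iface_ips[m['global']]}): packets go to the CPU "
                f"and are dropped unless {svc} is enabled; use a non-interface "
                f"global address or a different port")
    return findings

# Constructed sample mirroring the case (TEST-NET addresses, not the real ones).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 description TO-11F-S3928
 ip address 192.0.2.230 255.255.255.248
#
nat server protocol udp global 192.0.2.230 1701 inside 198.51.100.112 1701
nat server protocol udp global 192.0.2.230 442 inside 198.51.100.112 442
nat server protocol udp global 192.0.2.231 1701 inside 198.51.100.112 1701
"""

if __name__ == "__main__":
    for finding in find_interface_port_conflicts(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Only the first mapping is reported: 442/udp is not a locally consumed port, and the third rule already uses the non-interface address 192.0.2.231, which is the fix applied in the case.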

END