Intranet Users Cannot Access the Internal Server Using the Server's Public IP Address – NAT Solution

Publication Date: 2018-02-07
Issue Description

A local Internet server (server1) published under a NAT server rule can be accessed by a remote user (PC2) on the public IP 89.1.1.5, but cannot be accessed from the internal network (PC1) using the same public address 89.1.1.5.

 

Handling Process

There is no reply to the ping from PC1 to 89.1.1.5.

Root Cause

B) When the internal user accesses the server using the public IP, the packet received by the server still carries the internal network address as its source. The ping reply therefore comes back with the internal network address as its destination, and PC1 does not recognize the reply packet. The reply does not pass through the firewall; it goes directly from AR2 to PC1, so its source is never translated back to the public address that PC1 pinged. For these reasons PC1 cannot communicate with the internal server using public IP 89.1.1.5.

C) After a NAT pool is created and a source NAT policy is applied to the internal user, the request reaches the server with an external IP address as its source. The server sends its reply to that address, which brings the packet to the firewall, and the firewall sends the reply back to the internal user, who receives a correct reply. PC1 can then communicate with the internal server using public IP 89.1.1.5.



 

Solution

Create a source NAT rule from the internal user to the internal server.


nat address-group nat_internal 0
 mode no-pat local
 section 0 89.1.1.25 89.1.1.30

nat-policy
 rule name NAT_from_internal
  source-zone trust
  destination-zone trust
  source-address 192.168.3.0 24
  destination-address 192.168.2.0 24
  action nat address-group nat_internal

 

Make sure that AR2 has a route to the firewall for reply packets destined to the public IP range:

[AR2] ip route-static 89.1.1.0 255.255.255.0 192.168.0.2
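
The Python sketch below is an added example, not part of the original article or of any Huawei tooling. It traces one ping from PC1 to 89.1.1.5 with and without the source NAT rule; the host addresses 192.168.3.10 and 192.168.2.10 are assumed, and the firewall and AR2 are reduced to a session table and a single route lookup.

```python
import ipaddress

PUBLIC_IP = "89.1.1.5"       # NAT server address from the article
POOL_ADDR = "89.1.1.25"      # first address of nat_internal (article)
PC1 = "192.168.3.10"         # assumed host in 192.168.3.0/24
SERVER = "192.168.2.10"      # assumed address of server1 in 192.168.2.0/24
# Static route on AR2 from the article: 89.1.1.0/24 -> firewall
ROUTE_TO_FW = ipaddress.ip_network("89.1.1.0/24")


def hairpin_ping(source_nat: bool) -> dict:
    """Trace an echo request/reply PC1 -> 89.1.1.5 and report what PC1 sees."""
    sessions = {}  # firewall session table: translated flow -> original flow

    # Request reaches the firewall, which applies the NAT server rule
    # (destination NAT) and, if configured, the source NAT policy.
    request = {"src": PC1, "dst": PUBLIC_IP}
    translated = {
        "src": POOL_ADDR if source_nat else request["src"],
        "dst": SERVER,
    }
    sessions[(translated["dst"], translated["src"])] = (
        request["dst"], request["src"])

    # The server answers whatever source address it saw.
    reply = {"src": SERVER, "dst": translated["src"]}

    # AR2 forwards the reply: pool addresses go to the firewall,
    # internal addresses are delivered directly to PC1.
    via_firewall = ipaddress.ip_address(reply["dst"]) in ROUTE_TO_FW
    if via_firewall:
        # Firewall reverses both translations from its session entry.
        orig_dst, orig_src = sessions[(reply["src"], reply["dst"])]
        reply = {"src": orig_dst, "dst": orig_src}

    # PC1 only matches a reply coming from the address it pinged.
    accepted = reply["dst"] == PC1 and reply["src"] == PUBLIC_IP
    return {"via_firewall": via_firewall,
            "reply_src": reply["src"],
            "accepted": accepted}


if __name__ == "__main__":
    for enabled in (False, True):
        print("source NAT" if enabled else "no source NAT",
              hairpin_ping(enabled))
```
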
