After R3680E enables nat Switch, the Internet cannot communicate with R3680E

Publication Date:  2012-07-27 Views:  123 Downloads:  0
Issue Description
1) No address on the Internet can communicate with the Internet-side address of the R3680E; NAT translation is enabled on the Internet-facing outbound interface.

2) The configuration was collected and the ACL was found to be wrong: the rule defined in the ACL is permit any.


Alarm Information
Networking: internal network ---- firewall --- 3680E ------- Internet

No address on the Internet can communicate with the Internet-side address of the 3680E; NAT translation is enabled on the Internet-facing outbound interface.


Handling Process
Delete the permit any rule from the ACL, permit only the specific private network segments that need to be translated, deny the other unwanted segments, and re-apply the rule; the problem is solved.

Root Cause
When one interface address is used as the NAT address and a host communicates with that post-translation interface address, the NAT interface receives the ICMP echo, but the ICMP reply also creates a NAT entry because the ACL matches it. NAT maps ICMP by identifier, as it maps TCP/UDP by port, so the translated reply carries an identifier different from the echo's; the host discards it, and the interface address appears unreachable.
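To make the interaction above concrete, here is a small Python model added by the editor; it is not Huawei code and does not run on the router. The addresses, the two ACLs and the starting identifier are constructed for the demonstration, and NAT is reduced to what the article describes: only packets whose source matches the ACL are translated, the interface address is the translated source, and ICMP entries are matched by identifier. The model shows why the router's own echo reply is lost under permit any and passes once the ACL is restricted to the private segment, while an inside host's ping through the NAT works in both cases.

```python
"""Model of the NAT/ACL interaction described in the Root Cause section.

Added illustration, not Huawei's code. Addresses, ACL rules and the
identifier values are constructed for the demonstration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str   # "echo" (request) or "reply"
    ident: int  # ICMP identifier; NAT maps it the way it maps a TCP/UDP port


# ACL as an ordered list of (action, source network); first match wins,
# and a source that matches no rule is left untranslated.
PERMIT_ANY = [("permit", "0.0.0.0/0")]                                # faulty ACL
PRIVATE_ONLY = [("permit", "192.168.1.0/24"), ("deny", "0.0.0.0/0")]  # corrected ACL


def acl_permits(acl, src):
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False


class NatOutbound:
    """Outbound NAT on the Internet-facing interface, using the interface
    address as the translated source for every permitted packet."""

    def __init__(self, interface_ip, acl, first_ident=40000):
        self.interface_ip = interface_ip
        self.acl = acl
        self.next_ident = first_ident
        self.by_inside = {}   # (original src, original ident) -> public ident
        self.by_public = {}   # public ident -> (original src, original ident)

    def egress(self, pkt):
        """Packet leaving the Internet interface: if the ACL permits its source,
        a NAT entry is created (or reused) and source/identifier are rewritten."""
        if not acl_permits(self.acl, pkt.src):
            return pkt                              # not subject to NAT
        key = (pkt.src, pkt.ident)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_ident
            self.by_public[self.next_ident] = key
            self.next_ident += 1
        return Icmp(self.interface_ip, pkt.dst, pkt.kind, self.by_inside[key])

    def ingress(self, pkt):
        """Packet arriving from the Internet. Returns (destination, packet):
        'inside' with the packet un-translated when an entry matches,
        otherwise 'router', i.e. the interface address itself."""
        if pkt.dst == self.interface_ip and pkt.ident in self.by_public:
            inside_src, inside_ident = self.by_public[pkt.ident]
            return "inside", Icmp(pkt.src, inside_src, pkt.kind, inside_ident)
        return "router", pkt


def internet_ping_router(acl, host="203.0.113.10", ident=1234):
    """An Internet host pings the router's Internet-side address. The host
    accepts the reply only if its identifier matches the request."""
    nat = NatOutbound("198.51.100.1", acl)
    where, pkt = nat.ingress(Icmp(host, nat.interface_ip, "echo", ident))
    if where != "router":
        return False                                # no entry should match here
    reply = Icmp(nat.interface_ip, host, "reply", pkt.ident)
    on_wire = nat.egress(reply)     # the reply leaves through the NAT interface
    return on_wire.ident == ident


def inside_ping_internet(acl, inside="192.168.1.20", host="203.0.113.10", ident=77):
    """An inside host pings an Internet host through the NAT."""
    nat = NatOutbound("198.51.100.1", acl)
    out = nat.egress(Icmp(inside, host, "echo", ident))
    if out.src != nat.interface_ip:
        return False                                # was not translated at all
    where, back = nat.ingress(Icmp(host, nat.interface_ip, "reply", out.ident))
    return where == "inside" and back.dst == inside and back.ident == ident


if __name__ == "__main__":
    print("permit any, ping router  :", internet_ping_router(PERMIT_ANY))    # False
    print("private only, ping router:", internet_ping_router(PRIVATE_ONLY))  # True
    print("permit any, inside ping  :", inside_ping_internet(PERMIT_ANY))    # True
    print("private only, inside ping:", inside_ping_internet(PRIVATE_ONLY))  # True
```

The model shows the trade-off the Handling Process relies on: the corrected ACL still permits the inside segment, so the NAT table is populated only by inside hosts, and the router-sourced reply leaves with its original identifier.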

END