After NAT is configured on the MA5200F, some web sites cannot be accessed. The configuration is as follows:
nat acl 0 permit 10.10.100.0 0.0.3.255
nat address-group 1 ×.×.×.255 ×.×.×.255
nat outbound 0 address-group 1
1. The route exists, and the address of the peer server can be pinged;
2. The peer server is suspected. A PC is connected to a layer 3 interface of the MA5200, and it can access the peer server, so the server is proved normal;
3. The MTU of the PC is changed to 1400, but it still cannot access the peer server, so the problem is independent of the MTU;
4. Packets are captured at the user side. It is found that the peer does not respond to the TCP negotiation (SYN) packet sent by the user. The PC may be problematic, but after replacing the PC the problem persists, so it is independent of the PC.
5. The configurations are checked. It is found that ×.×.×.255 serves as the NAT address, so we conclude that the address ×.×.×.255 is responsible for the failure to access some web sites. The problem is solved as soon as the NAT address is replaced with a non-broadcast address.
The possible causes include:
1. There is no route;
2. The peer server is problematic;
3. The MTU of the user's PC is problematic;
4. The NAT translation address is problematic, including address conflict, illegal address, etc.
In this case, although the IP address ×.×.×.255 used for NAT translation is a valid host address under CIDR once its mask is taken into account, it looks like a classful broadcast address, and some servers reject packets from it, resulting in failure to access them.
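The following script is an added example, not part of the original case or of Huawei's software. It audits Huawei-style nat address-group lines for pool addresses whose last octet is 0 or 255, which is exactly the class of address that caused the failure above, and it also shows that such an address can still be a usable host under a CIDR mask. The configuration text and the 203.0.113.x addresses are constructed sample values standing in for the masked ×.×.×.255 on the page; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of Huawei-style NAT configuration lines. The RFC 5737
# documentation range 203.0.113.0/24 stands in for the masked ×.×.×.255.
SAMPLE_CONFIG = """\
nat acl 0 permit 10.10.100.0 0.0.3.255
nat address-group 1 203.0.113.255 203.0.113.255
nat address-group 2 203.0.113.10 203.0.113.20
nat outbound 0 address-group 1
"""

# Matches: nat address-group <id> <start-ip> <end-ip>
ADDRESS_GROUP_RE = re.compile(r"^\s*nat address-group\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_address_groups(config_text):
    """Return {group_id: (start_ip, end_ip)} for every nat address-group line."""
    groups = {}
    for line in config_text.splitlines():
        m = ADDRESS_GROUP_RE.match(line)
        if not m:
            continue
        gid, start, end = m.groups()
        groups[int(gid)] = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
    return groups


def expand_pool(start, end):
    """Yield every address in the inclusive range start..end."""
    if end < start:
        raise ValueError(f"pool end {end} is before pool start {start}")
    for n in range(int(start), int(end) + 1):
        yield ipaddress.IPv4Address(n)


def looks_like_broadcast(addr):
    """True if the last octet is 0 or 255: the network or broadcast address in
    a classful /24 view, which some hosts and firewalls reject regardless of
    the real CIDR mask."""
    return addr.packed[-1] in (0, 255)


def is_usable_cidr_host(addr, network):
    """True if addr lies inside network and is neither its network nor its
    broadcast address, i.e. it is a legitimate host address under CIDR."""
    net = ipaddress.IPv4Network(network, strict=False)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def audit_nat_pools(config_text):
    """Return (group_id, address, reason) findings for every pool address
    that a peer may refuse to talk to."""
    findings = []
    for gid, (start, end) in sorted(parse_address_groups(config_text).items()):
        for addr in expand_pool(start, end):
            if looks_like_broadcast(addr):
                findings.append((gid, str(addr), "last octet is 0 or 255"))
    return findings


if __name__ == "__main__":
    for gid, addr, reason in audit_nat_pools(SAMPLE_CONFIG):
        print(f"address-group {gid}: {addr} - {reason}")
    # 203.0.113.255 is a perfectly usable host inside 203.0.112.0/22 ...
    print(is_usable_cidr_host(ipaddress.IPv4Address("203.0.113.255"), "203.0.112.0/22"))
    # ... but it is the broadcast address of 203.0.113.0/24, which is how
    # a classful peer sees it.
    print(is_usable_cidr_host(ipaddress.IPv4Address("203.0.113.255"), "203.0.113.0/24"))
```

Running the script flags only address-group 1, the single-address pool that mirrors the page's ×.×.×.255; address-group 2 passes. The two is_usable_cidr_host calls show the point made above: the same address is valid under a /22 mask yet is the /24 broadcast address, so choosing pool addresses whose last octet avoids 0 and 255 sidesteps peers that apply the classful view.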