Some web sites cannot be accessed after NAT for MA5200F

Publication Date:  2012-07-27 Views:  104 Downloads:  0
Issue Description

After NAT for MA5200F, some web sites cannot be accessed, with the configurations as follows:
 nat acl 0 permit 10.10.100.0 0.0.3.255
 nat address-group 1 ×.×.×.255 ×.×.×.255
 nat outbound 0 address-group 1

Alarm Information
None

Handling Process

1. The route exists, and the address of the peer server can be pinged;
2. The server itself is suspected. A PC is connected to a layer 3 interface of the MA5200 and can access the peer server, so the server is proved normal;
3. The MTU of the PC is changed to 1400, but the peer server still cannot be accessed, so the problem is independent of the MTU;
4. Packets are captured on the user side. It is found that the peer does not respond to the TCP negotiation (handshake) packet sent by the user. The PC is suspected, but the problem persists after the PC is replaced, so it is independent of the PC;
5. The configuration is checked, and it is found that ×.×.×.255 is used as the NAT address. The address ×.×.×.255 is therefore concluded to be responsible for the failure to access some web sites. The problem is solved as soon as the NAT address is replaced with a non-broadcast address.

Root Cause

The possibilities include:

1. There is no route;
2. The peer server is faulty;
3. The MTU of the user's PC is wrong;
4. The NAT translation address is problematic, for example an address conflict or an illegal address.

In this case, although ×.×.×.255 is a valid host address when read together with its subnet mask (CIDR), some servers treat an address ending in .255 as a broadcast address and reject packets sourced from it, so those servers cannot be accessed.

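The following check illustrates the root cause above: it expands a NAT address pool (the range form used by `nat address-group`) and flags any address that is the real network or broadcast address of the pool's subnet, or that merely ends in .0 or .255 and is therefore likely to be dropped by servers that still apply classful rules. This is an added example, not a Huawei tool or part of the original case; the pool addresses, the /22 prefix length and the function names are constructed for illustration.

```python
"""
Audit a NAT address pool for addresses that remote servers may reject.

An address ending in .255 or .0 can be a legitimate host under CIDR, but
some servers treat it as a broadcast or network address and discard the
packet, which is exactly the failure described in this case.

Added example; the addresses used below are constructed, not from the page.
"""
import ipaddress


def pool_hosts(first, last):
    """Expand an inclusive range (first, last), as in 'nat address-group'."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]


def classify(addr, network):
    """Return the reasons an address is risky as a NAT source ([] if clean)."""
    addr = ipaddress.IPv4Address(addr)
    network = ipaddress.IPv4Network(network, strict=False)
    reasons = []
    if addr not in network:
        reasons.append("outside configured subnet")
    if addr == network.network_address:
        reasons.append("subnet network address")
    if addr == network.broadcast_address:
        reasons.append("subnet broadcast address")
    last_octet = int(addr) & 0xFF
    # Valid CIDR host, but looks like a classful broadcast/network address;
    # some servers will drop traffic sourced from it.
    if last_octet == 255 and "subnet broadcast address" not in reasons:
        reasons.append("ends in .255; some servers treat it as broadcast")
    if last_octet == 0 and "subnet network address" not in reasons:
        reasons.append("ends in .0; some servers treat it as a network address")
    return reasons


def audit_pool(first, last, network):
    """Map each risky pool address to its reasons; clean addresses are omitted."""
    findings = {}
    for host in pool_hosts(first, last):
        reasons = classify(host, network)
        if reasons:
            findings[str(host)] = reasons
    return findings


if __name__ == "__main__":
    # Constructed pool that straddles a .255/.0 boundary inside a /22.
    for address, reasons in audit_pool("198.51.100.253", "198.51.101.2",
                                       "198.51.100.0/22").items():
        print(address, "->", "; ".join(reasons))
```

A pool that returns no findings contains only addresses that both fit the configured subnet and avoid the .0/.255 pattern; in the case above, replacing ×.×.×.255 with such an address is what restored access.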
Suggestions
When a broadcast-style address is used for NAT, some servers accept it as a normal source address and reply to the user's packets, but others regard it as illegal and discard the packets directly, so the web page fails to open. Use a non-broadcast address in the NAT address group.