A USG5320 is configured with a NAT server mapping to a server on the private network. Hosts using private IP addresses in the private network can telnet to the server, but cannot telnet to the server using its external network address.
1. Check packet filtering and the related configuration: no problems found.
2. Check the ACL: the rule that permits access to the server address range is placed after the rule "rule deny ip", so it can never be hit.
3. The telnet server to be published and the address that initiates the telnet connection belong to the same trust domain. Checking the ACL referenced by the intra-domain NAT shows that the source and destination addresses in the ACL belong to different domains.
1. Interzone packet filtering may not be enabled;
2. The ACL rules may be filtering incorrectly;
3. The private network segment and the telnet server being mapped belong to the same security domain;
4. Whether the intra-domain NAT configuration is correct.
1. The user adjusts the ACL rule order to ensure the ACL rule can be hit;
2. Change the ACL used for intra-domain NAT so that the source and destination addresses are in the same domain.
Summary: Pay attention to the matching order in the ACL configuration, and check whether the source and destination addresses are correct.
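The ordering problem found in the ACL check can be caught before deployment by looking for rules that an earlier rule fully covers. The following is an added example, not configuration or code from the original case; the rule IDs and addresses are constructed, and it assumes rules are evaluated in ascending rule-ID order with the first match deciding.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets (assumption, not taken from the device in this case).
# Each rule: (rule_id, action, source_network, destination_network).
BROKEN = [
    (5, "deny", "0.0.0.0/0", "0.0.0.0/0"),                # "rule deny ip" comes first
    (10, "permit", "192.168.1.0/24", "192.168.1.10/32"),  # permit for the server
]
FIXED = [
    (5, "permit", "192.168.1.0/24", "192.168.1.10/32"),
    (10, "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def first_match(rules, src, dst):
    """Return (rule_id, action) of the first rule matching the packet, or None."""
    for rule_id, action, s_net, d_net in sorted(rules):
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return rule_id, action
    return None


def shadowed(rules):
    """Return IDs of rules that can never be hit: an earlier rule covers
    both their source and destination ranges completely."""
    ordered = sorted(rules)
    hidden = []
    for i, (rule_id, _, s_net, d_net) in enumerate(ordered):
        for _, _, e_src, e_dst in ordered[:i]:
            if (ip_network(s_net).subnet_of(ip_network(e_src))
                    and ip_network(d_net).subnet_of(ip_network(e_dst))):
                hidden.append(rule_id)
                break
    return hidden


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        hit = first_match(rules, "192.168.1.20", "192.168.1.10")
        print(name, "first match:", hit, "shadowed rules:", shadowed(rules))
```
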