Policy-based routing prevents internal-network users from accessing a web server in another domain

Publication Date:  2012-09-14
Issue Description

The customer's device has two egress links. The customer configured the rule "nat server protocol tcp global 218.5.132.54 www inside 192.168.1.200 www" and also the following two policy-based routes:
traffic classifier webserver
 if-match acl 3100
traffic classifier user
 if-match acl 3200

traffic behavior webserver
 remark ip-nexthop 218.5.132.1 output-interface Vlanif2
traffic behavior user
 remark ip-nexthop 220.162.12.37 output-interface GigabitEthernet0/0/0
traffic behavior 1

qos policy webserver
 classifier webserver behavior webserver
qos policy user
 classifier user behavior user
The customer applied these two QoS policies separately, each on its own interface.
NAT configuration:
nat address-group 1 218.5.132.54 218.5.132.54
nat address-group 2 220.162.12.38 220.162.12.38
firewall interzone trust untrust
 nat outbound 3100 address-group 1
firewall interzone trust2 untrust2
 nat outbound 3200 address-group 2
Hosts in domain trust2 could not access the web server in domain trust via its public address 218.5.132.54.
Alarm Information
NULL
Handling Process
Modify the ACL rules referenced by the QoS policies on the live device:
acl number 3300
 rule 1 deny ip destination 192.168.1.0 0.0.0.255
 rule 5 permit ip source 192.168.0.0 0.0.0.255
 rule 10 deny ip
acl number 3400
 rule 1 deny ip destination 192.168.0.0 0.0.0.255
 rule 5 permit ip source 192.168.1.0 0.0.0.255
 rule 10 deny ip
After the configuration change:
1. A PC in the trust domain accesses the HTTP server in the trust2 domain via 218.5.132.54: the service works.
2. A PC in the trust domain accesses the HTTP server in the trust2 domain directly via its private address 192.168.1.200: the service works.
3. A host on the public network accesses the HTTP server in the trust2 domain via 218.5.132.54: the service works.
Root Cause
Because of the policy-based routing, the client's packet is forwarded toward the untrust domain after NAT translation, while the server's reply is forwarded directly toward the untrust2 domain. The forward and return paths therefore differ (asymmetric routing). The corrected ACLs place a deny rule for the other internal subnet ahead of the permit rule, so internal-to-internal traffic no longer matches the traffic classifier and is forwarded by the normal routing table in both directions.
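The following Python script is an added example, not part of this case and not Huawei tooling. It models first-match evaluation of the wildcard-mask ACLs above and shows why placing the "deny ip destination" rule before the "permit ip source" rule keeps internal-to-internal traffic off the policy-based route while Internet-bound traffic is still policy-routed. The original ACLs 3100 and 3200 are not shown in the case, so the example assumes they permitted the whole internal subnet; the client and server addresses are constructed, and the evaluation uses the private addresses the ACL rules are written in.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Next hops from the two traffic behaviors in the case.
NEXTHOP_TRUST = "218.5.132.1 via Vlanif2"                  # behavior webserver
NEXTHOP_TRUST2 = "220.162.12.37 via GigabitEthernet0/0/0"  # behavior user

# ASSUMPTION: the original ACLs 3100/3200 are not shown in the case; assume they
# permitted everything from the local internal subnet.
ORIG_3100 = "rule 5 permit ip source 192.168.0.0 0.0.0.255"
ORIG_3200 = "rule 5 permit ip source 192.168.1.0 0.0.0.255"

# Corrected ACLs exactly as given in the handling process.
ACL_3300 = """acl number 3300
rule 1 deny ip destination 192.168.1.0 0.0.0.255
rule 5 permit ip source 192.168.0.0 0.0.0.255
rule 10 deny ip"""
ACL_3400 = """acl number 3400
rule 1 deny ip destination 192.168.0.0 0.0.0.255
rule 5 permit ip source 192.168.1.0 0.0.0.255
rule 10 deny ip"""


@dataclass
class Rule:
    number: int
    action: str                                   # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    dst: Optional[ipaddress.IPv4Network] = None   # None = any destination


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' (0 bits must match) to a CIDR network."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'rule N permit|deny ip [source A W] [destination A W]' lines in config order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "rule":
            continue                      # skip the 'acl number NNNN' header
        rule = Rule(number=int(tokens[1]), action=tokens[2])
        i = 4                             # tokens[3] is the protocol keyword ('ip')
        while i + 2 < len(tokens):
            net = wildcard_to_network(tokens[i + 1], tokens[i + 2])
            if tokens[i] == "source":
                rule.src = net
            elif tokens[i] == "destination":
                rule.dst = net
            i += 3
        rules.append(rule)
    return rules


def match(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation: returns 'permit', 'deny' or 'no-match'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst):
            return r.action
    return "no-match"


def egress(rules: List[Rule], pbr_nexthop: str, src_ip: str, dst_ip: str) -> str:
    """A traffic classifier matches only on 'permit'; everything else follows the routing table."""
    return pbr_nexthop if match(rules, src_ip, dst_ip) == "permit" else "routing-table"


def symmetric(acl_trust: List[Rule], acl_trust2: List[Rule], client_ip: str, server_ip: str) -> bool:
    """True when client->server and server->client leave through the same path."""
    fwd = egress(acl_trust, NEXTHOP_TRUST, client_ip, server_ip)
    rev = egress(acl_trust2, NEXTHOP_TRUST2, server_ip, client_ip)
    return fwd == rev


if __name__ == "__main__":
    client, server, internet = "192.168.0.10", "192.168.1.200", "203.0.113.5"  # constructed
    for label, a, b in (("original", ORIG_3100, ORIG_3200), ("corrected", ACL_3300, ACL_3400)):
        ra, rb = parse_acl(a), parse_acl(b)
        print(label, "client->server :", egress(ra, NEXTHOP_TRUST, client, server))
        print(label, "server->client :", egress(rb, NEXTHOP_TRUST2, server, client))
        print(label, "symmetric      :", symmetric(ra, rb, client, server))
        print(label, "client->internet:", egress(ra, NEXTHOP_TRUST, client, internet))
```

With the assumed original ACLs the forward path is policy-routed via Vlanif2 and the reply via GigabitEthernet0/0/0, which is the asymmetry the root cause describes; with ACLs 3300/3400 both directions fall to the routing table while traffic to an Internet address is still policy-routed. The final "rule 10 deny ip" makes the intent explicit: anything that is not internal-sourced never enters the policy route.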
Suggestions
NULL

END