Internal network PC cannot access the WEB service through the public network IP

Publication Date:  2012-10-27 Views:  282 Downloads:  0
Issue Description
Problem description: the customer has several WEB servers on the internal network. After NAT address mapping was configured on the firewall, one of them can be reached from the external network through its public IP and from the internal network through its private IP, but it cannot be reached from the internal network through its public IP. All the other servers can be accessed normally in every case.
Network topology:
Alarm Information
Handling Process
1. Disable the second NIC (192.168.18.X/24) of the WEB server; this solves the problem.

2. If the second NIC cannot be disabled, configure outbound source NAT between the TRUST and DMZ zones. With this configuration the server returns its packets to the firewall, and the firewall forwards them back to the PC. The configuration is as follows:

Configure the address pool:
[USG5310]nat address-group 5
Configure the NAT policy:
[USG5310]nat-policy interzone trust dmz outbound
[USG5310-nat-policy-interzone-trust-dmz-outbound]policy 0
[USG5310-nat-policy-interzone-trust-dmz-outbound-0]action source-nat
[USG5310-nat-policy-interzone-trust-dmz-outbound-0]policy source
[USG5310-nat-policy-interzone-trust-dmz-outbound-0]address-group 5
Note: the address range of address-group 5 and the source address (the office PC segment) in the policy source command are not shown above; they must be filled in with the customer's own addresses.
Root Cause
The customer's WEB server has two NICs, and the IP address of the second NIC is in the same network segment as the office PCs. The customer had also disabled the link session state function on the firewall. When a PC accesses the WEB service by the private IP, the firewall has a session for the request, but the server sends its reply directly through the internal switch back to the PC (out of the second NIC), bypassing the firewall. After the link session state function is enabled, access by the private IP fails for this reason. When the PC accesses the service through the public IP, the server again returns the packets directly, using its private address as the source; the PC expects the reply to come from the public IP, so it discards the returned packets and the access fails.
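The packet flow behind the root cause above, and the effect of the two fixes in the handling process, as an added Python model that is not part of the original case. Every address except the 192.168.18.X/24 office segment of the server's second NIC is constructed, and the pool address stands in for an entry of nat address-group 5; the model tracks only source and destination addresses, which is all the case turns on.

```python
"""Constructed model of the asymmetric return path in the case (not from the original page)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"        # public IP mapped to the WEB server (constructed)
SERVER_DMZ_IP = "10.1.1.10"       # WEB server address on its DMZ NIC (constructed)
SERVER_2ND_IP = "192.168.18.10"   # second NIC, on the office segment (page: 192.168.18.X/24)
OFFICE_NET = ip_network("192.168.18.0/24")
PC_IP = "192.168.18.50"           # office PC (constructed)
NAT_POOL_IP = "10.1.1.254"        # an address of "nat address-group 5" (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Stateful firewall: destination NAT for PUBLIC_IP, optional trust->dmz source NAT."""

    def __init__(self, source_nat_trust_dmz: bool) -> None:
        self.source_nat_trust_dmz = source_nat_trust_dmz
        # reply (src, dst) as the firewall expects to see it -> original request
        self.sessions: dict[tuple[str, str], Packet] = {}

    def forward_request(self, pkt: Packet) -> Packet:
        """PC -> public IP: translate destination (and source if configured), record session."""
        assert pkt.dst == PUBLIC_IP
        src = NAT_POOL_IP if self.source_nat_trust_dmz else pkt.src
        translated = Packet(src, SERVER_DMZ_IP)
        self.sessions[(translated.dst, translated.src)] = pkt
        return translated

    def forward_reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> firewall: only a reply matching a session is untranslated and forwarded."""
        original = self.sessions.get((pkt.src, pkt.dst))
        if original is None:
            return None  # no session: dropped
        return Packet(original.dst, original.src)


class WebServer:
    """Dual-homed server that picks the return path by the client's address."""

    def __init__(self, second_nic_enabled: bool) -> None:
        self.second_nic_enabled = second_nic_enabled

    def reply(self, pkt: Packet) -> tuple[Packet, str]:
        if self.second_nic_enabled and ip_address(pkt.src) in OFFICE_NET:
            # Client sits on the directly connected office segment: answer straight
            # out of the second NIC through the internal switch, bypassing the firewall.
            return Packet(SERVER_2ND_IP, pkt.src), "direct"
        return Packet(SERVER_DMZ_IP, pkt.src), "firewall"


def access_via_public_ip(second_nic_enabled: bool, source_nat_trust_dmz: bool) -> bool:
    """True if the PC accepts the server's reply to a request it sent to PUBLIC_IP."""
    fw = Firewall(source_nat_trust_dmz)
    server = WebServer(second_nic_enabled)
    request = Packet(PC_IP, PUBLIC_IP)
    reply, path = server.reply(fw.forward_request(request))
    delivered = reply if path == "direct" else fw.forward_reply(reply)
    # The PC's TCP stack only accepts a reply from the address it connected to.
    return delivered is not None and delivered.src == PUBLIC_IP and delivered.dst == PC_IP


if __name__ == "__main__":
    for nic, snat in ((True, False), (False, False), (True, True)):
        state = "OK" if access_via_public_ip(nic, snat) else "FAILS"
        print(f"second NIC {'on' if nic else 'off'}, trust->dmz source NAT "
              f"{'on' if snat else 'off'}: {state}")
```

Running the block prints the three situations of the case: second NIC on without source NAT fails (the reply arrives from 192.168.18.10 instead of the public IP and the PC discards it), disabling the second NIC works (fix 1), and keeping the NIC but adding trust->dmz source NAT works (fix 2), because the server then sees the pool address as the client and has no reason to answer out of its office-segment NIC.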