Using session information to solve an address mapping problem

Publication Date:  2012-11-05
Issue Description
Public network ------ FW ------ SW ---- Server
An office site has an ERP server. From the intranet, clients reach it simply by entering the server IP address and related information in the client software. After the address mapping below was configured, however, clients on the public network still could not reach the server, while the server itself could reach the intranet.
nat server 0 protocol tcp global 59.46.35.211 1433 inside 176.16.1.2 1433
nat server 1 protocol tcp global 59.46.35.211 768 inside 176.16.1.2 768
nat server 2 protocol tcp global 59.46.35.211 769 inside 176.16.1.2 769
Alarm Information
none
Handling Process
1. Telnet to the firewall and check the configuration; it is correct.
2. Check the session table; the route and the nat server configuration are found to be correct:
[USG2100]dis firewall session table destination inside 176.16.1.2
16:38:27 2012/03/27
Current Total Sessions : 1
tcp VPN:public --> public 59.46.35.210:14416-->59.46.35.211:769[176.16.1.2:769]
3. Check whether some ports are denied on the server or along the path. Temporarily replace the per-port mappings with a full address mapping:
undo nat server 0
undo nat server 1
undo nat server 2
nat server global 59.46.35.211 inside 176.16.1.2
With the full mapping in place, access works. The customer checks the session table several times and finds that the established connections use ports other than the ones originally mapped:

[USG2100]dis firewall session table destination inside 176.16.1.2
tcp VPN:public --> public 222.186.26.58:6000-->59.46.35.211:6666[176.16.1.2:6666]
tcp VPN:public --> public 124.227.192.165:6000-->59.46.35.211:8909[176.16.1.2:8909]
tcp VPN:public --> public 124.227.192.165:6000-->59.46.35.211:9415[176.16.1.2:9415]
tcp VPN:public --> public 119.139.120.32:4866-->59.46.35.211:769[176.16.1.2:769]
tcp VPN:public --> public 119.139.120.32:4973-->59.46.35.211:769[176.16.1.2:769]
4. Add address mappings for these ports; after this change, access is verified to work:
undo nat server 0
nat server 0 protocol tcp global 59.46.35.211 1433 inside 176.16.1.2 1433
nat server 1 protocol tcp global 59.46.35.211 768 inside 176.16.1.2 768
nat server 2 protocol tcp global 59.46.35.211 769 inside 176.16.1.2 769
nat server 3 protocol tcp global 59.46.35.211 6666 inside 176.16.1.2 6666
nat server 4 protocol tcp global 59.46.35.211 8909 inside 176.16.1.2 8909
nat server 5 protocol tcp global 59.46.35.211 9415 inside 176.16.1.2 9415
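The comparison done by hand in steps 2 to 4 (inside ports seen in the session table versus the per-port nat server entries) can be scripted. The Python below is an added example, not part of the original case and not a Huawei tool; it embeds the case's three mappings and the session lines as constructed sample input, and the command lines it emits follow the nat server syntax shown above, numbered after the highest existing id.

```python
import re

# Constructed sample input: the three per-port mappings from the case, as they
# appear in the USG2100 running configuration.
NAT_SERVER_CONFIG = """\
nat server 0 protocol tcp global 59.46.35.211 1433 inside 176.16.1.2 1433
nat server 1 protocol tcp global 59.46.35.211 768 inside 176.16.1.2 768
nat server 2 protocol tcp global 59.46.35.211 769 inside 176.16.1.2 769
"""

# Constructed sample input: session table lines captured while the temporary
# full mapping was active. The bracketed value is the inside (translated)
# address and port. Header and timestamp lines are skipped by the parser.
SESSION_TABLE = """\
16:38:27 2012/03/27
Current Total Sessions : 5
tcp VPN:public --> public 222.186.26.58:6000-->59.46.35.211:6666[176.16.1.2:6666]
tcp VPN:public --> public 124.227.192.165:6000-->59.46.35.211:8909[176.16.1.2:8909]
tcp VPN:public --> public 124.227.192.165:6000-->59.46.35.211:9415[176.16.1.2:9415]
tcp VPN:public --> public 119.139.120.32:4866-->59.46.35.211:769[176.16.1.2:769]
tcp VPN:public --> public 119.139.120.32:4973-->59.46.35.211:769[176.16.1.2:769]
"""

NAT_RE = re.compile(
    r"^nat server (\d+) protocol (\w+) global (\S+) (\d+) inside (\S+) (\d+)$"
)
SESSION_RE = re.compile(
    r"^(\w+) VPN:\S+ --> \S+ (\S+):(\d+)-->(\S+):(\d+)\[(\S+):(\d+)\]$"
)


def parse_nat_servers(config_text):
    """Map (proto, inside_ip, inside_port) -> (id, global_ip, global_port)."""
    mappings = {}
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            sid, proto, gip, gport, iip, iport = m.groups()
            mappings[(proto, iip, int(iport))] = (int(sid), gip, int(gport))
    return mappings


def parse_sessions(session_text):
    """Return one dict per session line; non-matching lines are ignored."""
    sessions = []
    for line in session_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            proto, sip, sport, gip, gport, iip, iport = m.groups()
            sessions.append({
                "proto": proto,
                "src": (sip, int(sport)),
                "global": (gip, int(gport)),
                "inside": (iip, int(iport)),
            })
    return sessions


def unmapped_ports(config_text, session_text):
    """Sorted (proto, global_ip, global_port, inside_ip, inside_port) tuples for
    sessions whose inside destination has no per-port nat server entry."""
    mappings = parse_nat_servers(config_text)
    found = set()
    for s in parse_sessions(session_text):
        iip, iport = s["inside"]
        if (s["proto"], iip, iport) not in mappings:
            gip, gport = s["global"]
            found.add((s["proto"], gip, gport, iip, iport))
    return sorted(found)


def suggest_nat_servers(config_text, session_text):
    """Build the per-port 'nat server' lines that would cover the unmapped
    ports, continuing the id sequence after the highest existing entry."""
    mappings = parse_nat_servers(config_text)
    next_id = max((v[0] for v in mappings.values()), default=-1) + 1
    lines = []
    for proto, gip, gport, iip, iport in unmapped_ports(config_text, session_text):
        lines.append(
            f"nat server {next_id} protocol {proto} global {gip} {gport} "
            f"inside {iip} {iport}"
        )
        next_id += 1
    return lines


if __name__ == "__main__":
    for line in suggest_nat_servers(NAT_SERVER_CONFIG, SESSION_TABLE):
        print(line)
```

The session table only shows the translated inside port for traffic the firewall actually accepted, so with per-port mappings alone the missing ports never form a session; the capture has to be taken while the temporary full mapping is active, as in step 3. Before the suggested lines are applied, each surfaced port should be confirmed to belong to the ERP application, and the full mapping should be removed again so that only the required ports stay exposed.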
Root Cause
1. Configuration problem
2. The carrier or the server denied some ports
3. The port mappings were incomplete
Suggestions
Configuring a full mapping can, to a certain extent, rule out interference from the firewall and from the server itself, and it also reveals which ports the access actually uses.
