Configuring NAT Server on the Eudemon 1000E-U/X and a PC Failing to Access a Server

Publication Date: 2013-05-02
Issue Description
Networking architecture: PC------Eudemon 1000E-U/X-----server

Service description: NAT Server is configured on the Eudemon 1000E-U/X to publish an intranet server, and extranet users access the server through the NAT Server global address.
Alarm Information
Port mapping is configured on the firewall:

nat server protocol tcp global 10.228.187.128 18888 inside 10.172.10.99 18888 vrrp 5
nat server protocol tcp global 10.228.187.128 18443 inside 10.172.10.99 18443 vrrp 5

With this configuration, only some Web pages are displayed when users access the server from extranet PCs. If full mapping is configured instead, users can access the server normally:

nat server protocol tcp global 10.228.187.128 any inside 10.172.10.99 any vrrp 5
Handling Process
1. Check the session table after port mapping and after full mapping are configured. With full mapping, the following session appears, in which one NAT Server entry is hit in both directions (bidirectional NAT): the destination address is translated in the forward direction and the source address in the reverse direction.

tcp  VPN: public -> public  Zone: trust -> trust  TTL: 00:00:10  Left: timeout
Interface: G0/0/0  Nexthop: 10.172.11.249  MAC: 00-00-5e-00-01-17
<-- packets:12 bytes:2297  --> packets:18 bytes:3680
10.172.10.99:46915[10.228.187.128:46915]-->10.228.187.128:18888[10.172.10.99:18888]

Note that the initiator of this session is the server itself (10.172.10.99) and the destination is its own global address (10.228.187.128).

2. Check whether the PC accesses server ports other than 18888 and 18443. Capture packets on the PC: the PC does not access any other port of the server.

3. Since the PC accesses no other ports, check whether the server itself initiates connections to other addresses. Capture packets on the server: the server accesses its own global address. In this case, configure intrazone NAT or NAT Server with full mapping.

Analysis: with full mapping, when the server (10.172.10.99) accesses 10.228.187.128, both directions hit the same NAT Server entry and bidirectional NAT is performed: the destination is translated to 10.172.10.99 and the source is translated to 10.228.187.128, so the server's reply is sent back to the firewall and translated again. With port mapping, the source port of the initiator is an ephemeral port rather than 18888, so only the forward (destination) translation is hit. The packet delivered to the server still carries the source address 10.172.10.99, so the reply is addressed to 10.172.10.99 and never returns through the firewall, while the initiator expects a reply from 10.228.187.128. The connection is not established, which is why no response packets are captured.
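The following is an added illustration written for this page, not the firewall's own code or configuration: a small Python model of the NAT Server translation rules described above, used to show why the server's own connections to its global address succeed under full mapping or intrazone NAT but not under port-only mapping. Addresses and ports are the ones from the case; the intrazone NAT pool address 10.228.187.200, the trust-zone prefix 10.172. and the extranet PC address 203.0.113.7 are assumptions made for the example.

```python
"""Toy model of NAT Server hairpin behaviour for the case on this page.

Added example, not the Eudemon's real packet processing. Addresses and
ports come from the case; INTRAZONE_POOL, TRUST_PREFIX and the extranet
PC address used in __main__ are assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

SERVER_INSIDE = "10.172.10.99"      # real address of the server (trust zone)
SERVER_GLOBAL = "10.228.187.128"    # NAT Server global address (VRRP group 5)
INTRAZONE_POOL = "10.228.187.200"   # assumed pool address for intrazone source NAT
TRUST_PREFIX = "10.172."            # assumed: hosts with this prefix sit in zone trust


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatServer:
    """One 'nat server protocol tcp global G P inside I P' entry.
    port=None models 'global G any inside I any' (full mapping)."""
    global_ip: str
    inside_ip: str
    port: Optional[int]

    def forward(self, p: Packet) -> Packet:
        """Forward direction: destination global -> inside."""
        if p.dst == self.global_ip and self.port in (None, p.dport):
            return replace(p, dst=self.inside_ip)
        return p

    def reverse(self, p: Packet) -> Packet:
        """Reverse direction: source inside -> global. Hits only when the SOURCE
        port equals the mapped port, so a client on the server using an
        ephemeral source port never matches a port-specific entry."""
        if p.src == self.inside_ip and self.port in (None, p.sport):
            return replace(p, src=self.global_ip)
        return p


def firewall(p: Packet, servers: List[NatServer], intrazone_nat: bool = False) -> Packet:
    """Apply every NAT Server entry in both directions, then the optional
    intrazone source-NAT policy for traffic whose source is in zone trust and
    was not already rewritten by a NAT Server entry."""
    original_src = p.src
    for s in servers:
        p = s.forward(p)
    for s in servers:
        p = s.reverse(p)
    if intrazone_nat and p.src == original_src and p.src.startswith(TRUST_PREFIX):
        p = replace(p, src=INTRAZONE_POOL)
    return p


def hairpin(p: Packet, servers: List[NatServer], intrazone_nat: bool = False) -> Tuple[str, Packet]:
    """Outcome of a connection to the server's global address, with the packet
    as the server would receive it after translation."""
    t = firewall(p, servers, intrazone_nat)
    if t.dst != SERVER_INSIDE:
        return "NO_MAPPING", t          # the firewall owns the global address; nothing forwards it
    if t.src == SERVER_INSIDE:
        # The server gets a SYN from its own address and answers itself directly.
        # The SYN-ACK never crosses the firewall and comes from 10.172.10.99 rather
        # than the 10.228.187.128 the client socket expects: no handshake, no response seen.
        return "REPLY_BYPASSES_FW", t
    return "OK", t                      # reply goes to a translated source, back through the firewall


def session_line(orig: Packet, t: Packet) -> str:
    """Render the flow the way the firewall's session table prints it:
    src[translated src]-->dst[translated dst]."""
    return (f"{orig.src}:{orig.sport}[{t.src}:{t.sport}]-->"
            f"{orig.dst}:{orig.dport}[{t.dst}:{t.dport}]")


PORT_MAPPING = [NatServer(SERVER_GLOBAL, SERVER_INSIDE, 18888),
                NatServer(SERVER_GLOBAL, SERVER_INSIDE, 18443)]
FULL_MAPPING = [NatServer(SERVER_GLOBAL, SERVER_INSIDE, None)]

if __name__ == "__main__":
    syn = Packet(SERVER_INSIDE, 46915, SERVER_GLOBAL, 18888)   # server hairpins to itself
    for label, servers, izn in (("port mapping", PORT_MAPPING, False),
                                ("full mapping", FULL_MAPPING, False),
                                ("port mapping + intrazone NAT", PORT_MAPPING, True)):
        outcome, t = hairpin(syn, servers, izn)
        print(f"{label:30} {outcome:18} {session_line(syn, t)}")
    # A service port without a NAT Server entry is never forwarded at all under port mapping.
    print("port 8080, port mapping:", hairpin(Packet(SERVER_INSIDE, 46916, SERVER_GLOBAL, 8080), PORT_MAPPING)[0])
    # The extranet PC (assumed address) is fine either way: its source is not the server.
    print("extranet PC, port mapping:", hairpin(Packet("203.0.113.7", 51000, SERVER_GLOBAL, 18888), PORT_MAPPING)[0])
```

Running the block prints the same session line the page shows for full mapping, `10.172.10.99:46915[10.228.187.128:46915]-->10.228.187.128:18888[10.172.10.99:18888]`, while under port mapping the source column stays untranslated and the model reports that the reply bypasses the firewall. The model also shows that intrazone NAT repairs the hairpin for mapped ports but that a service port still needs a NAT Server entry (or the "any" mapping) to be forwarded at all, which is why the root cause below mentions both.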
Root Cause
When users access the server through PCs, the server itself needs to access some of its own services through the NAT Server global address (10.228.187.128). The ports of these services have no NAT Server mapping, and for the mapped ports the source address of the server's own requests is not translated, so the replies do not return through the firewall. To solve this problem, configure intrazone NAT.
Suggestions
To solve this kind of issue, intrazone NAT needs to be configured, so that the source address of traffic the server sends to its own global address is translated and the replies return through the firewall.
