Solution to Intra-NAT unreachable issue

Publication Date:  2013-10-31 Views:  291 Downloads:  0
Issue Description

The firewall uses nat server mappings to publish an intranet server on public IP addresses. Intranet users reach the public network through outbound source NAT. Intranet users also need to access the intranet server through its public IP address (intra-NAT, also called hairpin NAT), but this access fails.
Alarm Information
None
Handling Process
The cause is that the nat server mapping on the firewall is zone-based:
nat server 18 zone dx protocol tcp global X.X.138.78 ftp inside Y.Y.90.15 ftp
With this configuration, only packets arriving from zone dx and destined for X.X.138.78 are translated. The intranet users are in the trust zone, so their packets never hit the nat server entry, and they cannot reach the intranet server through its public IP address.
A zone-based nat server entry has the following meaning:

1.  For a client outside the intranet accessing the server, a zone-based nat server mapping is hit only if the client's packets arrive from the configured zone.

2.  For connections the server itself initiates outward, the source address is reverse-translated to the global address only when the destination zone is the configured zone; if the no-reverse option is configured, no reverse translation takes place at all.
From these two points, there are two ways to let intranet users reach the intranet server through its public IP address.

a)  Configure global (zone-less) nat server entries.
nat server 18 protocol tcp global X.X.138.78 ftp inside Y.Y.90.15 ftp
nat server 19 protocol tcp global X.X.219.177 ftp inside Y.Y.90.15 ftp
These two entries cannot be configured together as written: when Y.Y.90.15 initiates a connection outward and its source address is translated, the firewall cannot tell whether to translate it to X.X.138.78 or to X.X.219.177. To configure them, add the no-reverse argument, which prevents connections initiated by the intranet server itself from being translated by the nat server mapping. The changed configuration is as follows:

nat server 18 protocol tcp global X.X.138.78 ftp inside Y.Y.90.15 ftp no-reverse
nat server 19 protocol tcp global X.X.219.177 ftp inside Y.Y.90.15 ftp no-reverse

b)  Add a nat server entry based on the trust zone.
In addition to the existing dx and lt zone nat server entries, if intranet users also need to access the intranet server through its public IP address, add a nat server entry for the trust zone as well. The configuration is as follows:
nat server 20 zone trust protocol tcp global X.X.138.78 ftp inside Y.Y.90.15 ftp
The original two nat server entries remain unchanged.
nat server 18 zone dx protocol tcp global X.X.138.78 ftp inside Y.Y.90.15 ftp
nat server 19 zone lt protocol tcp global X.X.219.177 ftp inside Y.Y.90.15 ftp
After the change, test and verify with ftp; the firewall session is as follows (the destination now shows its translated address in brackets):
    ftp VPN: public -> public
   Zone: trust-> trust TTL: 00:02:00  Left: 00:01:59
    Interface: G0/0/2  Nexthop: 192.168.201.2  MAC: 00-00-00-00-00-00
    <-- packets:11 bytes:2564   --> packets:21 bytes:3564
    192.168.12.24:4236[1.1.1.1:32814]--> X.X.138.78:23[Y.Y.90.15:23]
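The two rules above (a zone-based entry is hit only by clients from its zone; reverse translation happens only toward that zone and never with no-reverse) and the reason solution a) needs no-reverse can be checked against a small model. The following Python is an added example, not the firewall's code or part of the original case: it parses nat server lines in the form used on this page and evaluates the original configuration and both solutions. The addresses are constructed stand-ins for the page's X.X.138.78, X.X.219.177 and Y.Y.90.15 placeholders, and reverse translation is keyed on the inside address only, which is a simplification.

```python
"""Model of zone-based `nat server` matching as described on this page.

Added example, not the firewall's code. Addresses are constructed stand-ins
for the page's anonymised placeholders. Reverse translation is keyed on the
inside address only (a simplification of the real port handling).
"""
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"ftp": 21, "telnet": 23, "http": 80}


def _port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


@dataclass(frozen=True)
class NatServer:
    index: int
    zone: Optional[str]  # None means a global (zone-less) entry
    protocol: str
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int
    no_reverse: bool = False


def parse_nat_server(line: str) -> NatServer:
    """Parse one `nat server ...` line in the form used on this page."""
    t = line.split()
    if t[:2] != ["nat", "server"]:
        raise ValueError(line)
    i, zone = 3, None
    if t[i] == "zone":
        zone, i = t[i + 1], i + 2
    if t[i] != "protocol" or t[i + 2] != "global" or t[i + 5] != "inside":
        raise ValueError(line)
    return NatServer(int(t[2]), zone, t[i + 1], t[i + 3], _port(t[i + 4]),
                     t[i + 6], _port(t[i + 7]), "no-reverse" in t[i + 8:])


def forward_match(entries, src_zone, dst_ip, dst_port, protocol="tcp"):
    """Destination NAT for a client packet arriving from src_zone.
    Returns the entry hit, or None: the packet then only gets the outbound
    source NAT, like the failing trust->dx session on this page."""
    for e in entries:
        if (e.protocol, e.global_ip, e.global_port) != (protocol, dst_ip, dst_port):
            continue
        if e.zone is None or e.zone == src_zone:
            return e
    return None


def reverse_match(entries, src_ip, dst_zone, protocol="tcp"):
    """Source NAT for a connection the inside server itself initiates toward
    dst_zone. Returns the global address it appears as, or None."""
    for e in entries:
        if e.no_reverse or e.protocol != protocol or e.inside_ip != src_ip:
            continue
        if e.zone is None or e.zone == dst_zone:
            return e.global_ip
    return None


def validate(entries):
    """Flag the ambiguity behind solution a): two reverse-capable entries that
    map one inside address to different global addresses for the same zone,
    so the firewall could not choose a reverse translation."""
    problems, first = [], {}
    for e in entries:
        if e.no_reverse:
            continue
        other = first.setdefault((e.zone, e.protocol, e.inside_ip), e)
        if other is not e and other.global_ip != e.global_ip:
            problems.append(f"nat server {other.index} and {e.index}: {e.inside_ip} "
                            f"would reverse-translate to both {other.global_ip} "
                            f"and {e.global_ip}; add no-reverse")
    return problems


# Constructed stand-ins for X.X.138.78 (dx), X.X.219.177 (lt), Y.Y.90.15 (server).
DX_IP, LT_IP, SERVER = "203.0.113.78", "198.51.100.177", "10.0.90.15"

ORIGINAL = [parse_nat_server(l) for l in (
    f"nat server 18 zone dx protocol tcp global {DX_IP} ftp inside {SERVER} ftp",
    f"nat server 19 zone lt protocol tcp global {LT_IP} ftp inside {SERVER} ftp",
)]
SOLUTION_A_REJECTED = [parse_nat_server(l) for l in (
    f"nat server 18 protocol tcp global {DX_IP} ftp inside {SERVER} ftp",
    f"nat server 19 protocol tcp global {LT_IP} ftp inside {SERVER} ftp",
)]
SOLUTION_A = [parse_nat_server(l) for l in (
    f"nat server 18 protocol tcp global {DX_IP} ftp inside {SERVER} ftp no-reverse",
    f"nat server 19 protocol tcp global {LT_IP} ftp inside {SERVER} ftp no-reverse",
)]
SOLUTION_B = ORIGINAL + [parse_nat_server(
    f"nat server 20 zone trust protocol tcp global {DX_IP} ftp inside {SERVER} ftp")]


def trust_user_hits(entries):
    """Index of the entry a trust-zone client hits for DX_IP ftp, or None."""
    hit = forward_match(entries, "trust", DX_IP, 21)
    return None if hit is None else hit.index


if __name__ == "__main__":
    print("original, trust user ->", trust_user_hits(ORIGINAL))
    print("solution a) without no-reverse:", validate(SOLUTION_A_REJECTED))
    print("solution a), trust user ->", trust_user_hits(SOLUTION_A))
    print("solution a), server outbound to dx ->", reverse_match(SOLUTION_A, SERVER, "dx"))
    print("solution b), trust user ->", trust_user_hits(SOLUTION_B))
    print("solution b), server outbound to lt ->", reverse_match(SOLUTION_B, SERVER, "lt"))
```

With the original entries a trust-zone client hits nothing, which matches the failing session on this page; with solution a) the server's own outbound connections are no longer translated by the nat server mapping, while with solution b) they still are, per destination zone.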
Root Cause
The customer has two external zones, dx (China Telecom) and lt (China Unicom); the internal network is the trust zone. For external access to the intranet server, the firewall is configured with zone-based nat server entries, for example:
nat server 18 zone dx protocol tcp global X.X.138.78  ftp inside Y.Y.90.15 ftp
nat server 19 zone lt protocol tcp global X.X.219.177 ftp inside Y.Y.90.15 ftp
Ftp access to X.X.138.78 arriving from zone dx is mapped to the intranet server Y.Y.90.15, and ftp access to X.X.219.177 arriving from zone lt is likewise mapped to the intranet server Y.Y.90.15.

The customer uses the intra-NAT feature so that intranet users can access the intranet server through its public IP address:

nat address-group 10 1.1.1.1 1.1.1.1
nat-policy zone trust
policy 0
  action source-nat
  address-group 10

However, the intranet users cannot access the server. The ftp session shows that no destination NAT mapping was performed: the destination X.X.138.78 appears without a translated address in brackets, and no packets are returned.

  ftp VPN: public -> public
  Zone: trust-> dx  TTL: 00:00:05 Left: 00:00:04
  Interface: G0/0/1  Nexthop: X.X.138.65  MAC: 00-00-00-00-00-00
  <-- packets:0 bytes:0   --> packets:0 bytes:0
  192.168.12.24:3452[1.1.1.1:36847]--> X.X.138.78:23
Suggestions
1. For a client outside the intranet accessing the server, a zone-based nat server mapping is hit only if the client's packets arrive from the configured zone.
2. For connections the server itself initiates outward, the source address is reverse-translated to the global address only when the destination zone is the configured zone; if the no-reverse option is configured, no reverse translation takes place at all.
