Failure in Accessing the NAT Server Due to the Incorrect ACL Configuration on the E8080E

Publication Date: 2013-12-31
Issue Description
In the web TV application scenario at a site, two Eudemon 8080E devices function as both firewalls and NAT servers. The NAT server configuration is complete, and a packet filtering policy is configured to allow any source to access the intranet server's public IP address. The firewalls use a blackhole route to advertise this public IP address. The uplink and downlink devices of the firewalls run Open Shortest Path First (OSPF), into which static routes are imported. Checking the routing tables on the uplink and downlink devices shows that they have learned a route to the intranet server's public IP address through OSPF, but they still cannot access the intranet server through this public IP address.
Eudemon 8080E version: V100R003C00SPC200
Alarm Information
None
Handling Process
1. Ping the intranet server's public IP address ***.235.32.*** from the public network or a remote end. No response packet is received.
2. Check detailed information about the session table.
     display firewall session table verbose destination global ***.235.32.***   //Session statistics show that received packets are normal before NAT, but the number of sent packets is 0.
Based on the preceding analysis, packets reach the firewall properly, but packet loss occurs on the firewall.
3. Check the ACL configuration. The destination IP address referenced in the incoming packet filtering policy is the NAT server's public IP address. However, the Eudemon 8080E performs NAT on incoming packets first, and only then matches them against the packet filtering policy.
Because the firewall has already translated the destination of the incoming packets to the intranet server's private IP address, the destination IP address no longer matches the public address in the ACL. The packets are therefore dropped on the firewall (0 outgoing packets).
The address set configuration referenced in the ACL is as follows:

ip address-set nasiriyahunicast
address 1 ***.235.32.*** 0.0.0.255 //The intranet server's public IP address is used.
#
4. Change the destination address in the ACL to the intranet server's private IP address. The NAT service recovers.
The modified address set configuration is as follows:
#
ip address-set nasiriyahunicast
address 1 192.168.1.254 0.0.0.255 //The intranet server's private IP address is used.
#

5. Modify the ACL configuration.
#
ip address-set nasiriyahunicast
 address 1 192.168.1.254 0.0.0.255    //The intranet server's private IP address is used as the destination address set.
#
ip port-set internetscr protocol tcp    //Service port set
 port 1 eq 12345
 port 2 eq www
#
acl number 300*    //ACL based on the destination address set and service port set
 description trust-untrust-inbound
 rule 25 permit tcp destination address-set nasiriyahunicast destination-port port-set internetscr
 rule 1000 deny ip
#

Root Cause
1. Check whether the firewall fails to advertise the intranet server's public IP address to the public network, which would make the route unreachable.
Check the routing tables on the uplink and downlink devices. The route destined for the intranet server's public IP address (specified using the nat server global command and advertised by OSPF) exists in the routing tables, so route advertisement is not the cause.
2. Check whether the inter-domain security policy allows traffic to pass through.
Check the inter-domain security policy on the firewall. It is found that the intranet server's public IP address is added to an ACL, and the policy in the ACL is permit.
3. Check whether traffic reaches the firewall.
Check the session table. The session indicating a successful NAT operation exists.
     HRP_M<***-***TV-8080E-01>display firewall session table
     http VPN: public --> public **.99.***.***:1044 --> ***.235.***.***:80[10.***.***.5:332**]
4. Check the server-map table. The mapping between IP addresses and ports of NAT has been established.
HRP_M<***-***TV-8080E-01>display firewall server-map
11:20:18  2012/06/23
ServerMap item(s) on slot 7 cpu 0
------------------------------------------------------------------------------
  Type: Nat Server,  ANY -> ***.235.32.***:80[10.***.***.5:12345],  Zone:---
Protocol: tcp(Appro: http),  Left-Time:---,  NatAddrPool: ---
Vpn: public -> public
Suggestions
The Eudemon 8080E performs NAT on packets first, and then matches them against the ACL of the inter-domain packet filtering policy. Therefore, the packet filtering policy applied to NAT server traffic must reference the translated (private) IP address, not the public IP address seen before translation.
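As an added illustration (not the page's own configuration or device output), the following Python model reproduces the E8080E order of operations described above: an inbound packet is rewritten by the NAT server mapping first and only then evaluated against the inter-domain ACL, so an ACL keyed on the public address silently drops everything. The addresses and the 80 -> 12345 port mapping are constructed sample values standing in for the masked ones on the page.

```python
import ipaddress

# Constructed sample values standing in for the masked addresses on the page.
PUBLIC_IP = "203.0.113.10"      # nat server global address (public)
PRIVATE_IP = "192.168.1.254"    # intranet server address (inside)
NAT_SERVER = {(PUBLIC_IP, 80): (PRIVATE_IP, 12345)}   # global:80 -> inside:12345

def in_address_set(ip, base, wildcard):
    """Huawei-style wildcard match: bits set in the wildcard are ignored."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(ip)) & mask) == (int(ipaddress.ip_address(base)) & mask)

def nat_server_inbound(pkt):
    """Step 1 on the E8080E: translate the destination of an inbound packet."""
    key = (pkt["dst"], pkt["dport"])
    if key in NAT_SERVER:
        pkt = dict(pkt)
        pkt["dst"], pkt["dport"] = NAT_SERVER[key]
    return pkt

def acl_action(pkt, rules):
    """Step 2: first matching rule wins; rule = (action, proto, base, wildcard, ports)."""
    for action, proto, base, wildcard, ports in rules:
        if proto in (pkt["proto"], "ip") and in_address_set(pkt["dst"], base, wildcard) \
                and (ports is None or pkt["dport"] in ports):
            return action
    return "deny"   # implicit deny if nothing matched

def inbound_verdict(pkt, rules):
    """NAT first, then packet filtering, exactly the order that caused the outage."""
    return acl_action(nat_server_inbound(pkt), rules)

# Address set keyed on the public IP (the misconfiguration) vs. on the private IP (the fix).
PORT_SET = {12345, 80}          # port-set internetscr: 12345 and www
BROKEN_ACL = [("permit", "tcp", PUBLIC_IP, "0.0.0.255", PORT_SET),
              ("deny", "ip", "0.0.0.0", "255.255.255.255", None)]
FIXED_ACL = [("permit", "tcp", PRIVATE_IP, "0.0.0.255", PORT_SET),
             ("deny", "ip", "0.0.0.0", "255.255.255.255", None)]

# Constructed inbound HTTP request from the public network to the server's public address.
SAMPLE = {"proto": "tcp", "src": "198.51.100.7", "dst": PUBLIC_IP, "dport": 80}

if __name__ == "__main__":
    print("after NAT:", nat_server_inbound(SAMPLE))
    print("broken ACL:", inbound_verdict(SAMPLE, BROKEN_ACL))   # deny
    print("fixed ACL: ", inbound_verdict(SAMPLE, FIXED_ACL))    # permit
```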
