A DMZ server cannot be pinged after NAT server is configured on the firewall

Published: 2017-05-16
Problem description

1. After the customer configured NAT server, they reported that one server in the DMZ could no longer be pinged or used normally.

2. Network topology (the diagram is not reproduced on this page):



Customer requirement: traffic from the Internet destined for port 80 of 211.x.x.11 should first arrive at port 80 of 211.x.x.10 and be mapped to 211.x.x.11. The configuration was as follows:

nat server protocol tcp global 211.x.x.10 www inside 211.x.x.11 www


Alarm information

%2017-05-10 11:06:02 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:57 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:57 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:52 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:47 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:45 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:42 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:41 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:37 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!

Handling process

1. Checked the servers: all were up, their IP addresses were present, and none had crashed.

2. Checked the security policies and other settings; all were normal.

3. After the command nat server protocol tcp global 211.x.x.10 www inside 211.x.x.11 www was deleted, the firewall could ping the address normally. The gateway of the DMZ servers is on the firewall.

4. When the command nat server protocol tcp global 211.x.x.10 www inside 211.x.x.11 www was configured again, 211.x.x.10 could still be pinged at first, but after a short while the pings failed.

Root cause

Once nat server protocol tcp global 211.x.x.10 www inside 211.x.x.11 www is configured, the firewall holds an ARP entry for 211.x.x.10 itself, because it now answers for the global address. When an ARP packet carrying the same IP address 211.x.x.10 is then received on G1/0/7, the interface connected to the DMZ, the two owners of the address conflict; the firewall logs ARP/4/DUP_IPADDR for 211.x.x.10 from G1/0/7. That is why 211.x.x.10 can still be pinged immediately after the NAT server command is added, but stops responding a short while later, once the conflicting ARP packets arrive.
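The correlation described in the root cause can be checked mechanically: any address claimed as a NAT server global address that also appears in an ARP DUP_IPADDR alarm is a host on the segment still owning that address. The following Python script is an added example and not part of the original case; the first three alarm lines and the first nat server command are the ones quoted above, while the fourth alarm line (211.x.x.20 with MAC 0000-5e00-5301) and the second nat server command (global 211.x.x.12) are constructed to show that only the global address that is actually in use gets flagged. The masked x octets are kept as they appear on the page, so the address pattern accepts digits or x in each octet.

```python
import re

# Constructed sample input. Lines 1-3 are the alarms quoted in this case;
# line 4 is constructed (a duplicate IP that is not a NAT global address).
ALARM_LOG = """\
%2017-05-10 11:06:02 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:57 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:52 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.10 from GigabitEthernet1/0/7, source MAC is 1411-7766-7281!
%2017-05-10 11:05:50 FW-1 %%01ARP/4/DUP_IPADDR(l): Receive an ARP packet with duplicate ip address 211.x.x.20 from GigabitEthernet1/0/7, source MAC is 0000-5e00-5301!
"""

# Constructed sample config. The first command is the one from the case;
# the second (global 211.x.x.12) is constructed and does not conflict.
NAT_CONFIG = """\
nat server protocol tcp global 211.x.x.10 www inside 211.x.x.11 www
nat server protocol tcp global 211.x.x.12 www inside 211.x.x.13 www
"""

# Each octet may be digits or the masked 'x' used on the page.
IP = r"[0-9x]{1,3}(?:\.[0-9x]{1,3}){3}"

DUP_IP_RE = re.compile(
    r"^%(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01ARP/4/DUP_IPADDR\(l\): Receive an ARP packet with duplicate ip address "
    rf"(?P<ip>{IP}) from (?P<interface>[^,]+), source MAC is "
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})!$"
)

# Matches the global address of any 'nat server ... global <ip> ...' command.
NAT_GLOBAL_RE = re.compile(rf"^\s*nat\s+server\b.*?\bglobal\s+(?P<ip>{IP})\b")


def parse_dup_ip_alarms(log_text):
    """Return one dict (time, host, ip, interface, mac) per DUP_IPADDR alarm.
    Lines in any other format are skipped."""
    alarms = []
    for line in log_text.splitlines():
        m = DUP_IP_RE.match(line.strip())
        if m:
            alarms.append(m.groupdict())
    return alarms


def parse_nat_server_globals(config_text):
    """Return the set of global addresses claimed by 'nat server' commands."""
    globals_ = set()
    for line in config_text.splitlines():
        m = NAT_GLOBAL_RE.match(line)
        if m:
            globals_.add(m.group("ip"))
    return globals_


def find_conflicts(alarms, nat_globals):
    """For each NAT global address that shows up in a duplicate-IP alarm,
    collect the interfaces it was seen on, the MACs claiming it, and the
    alarm count. A MAC claiming a NAT global address is a host on the
    segment that still owns that address: the conflict in this case."""
    conflicts = {}
    for a in alarms:
        if a["ip"] not in nat_globals:
            continue
        e = conflicts.setdefault(
            a["ip"], {"interfaces": set(), "macs": set(), "alarms": 0})
        e["interfaces"].add(a["interface"])
        e["macs"].add(a["mac"])
        e["alarms"] += 1
    # Sort the sets so the result is deterministic and easy to compare.
    return {
        ip: {"interfaces": sorted(e["interfaces"]),
             "macs": sorted(e["macs"]),
             "alarms": e["alarms"]}
        for ip, e in conflicts.items()
    }


def report(log_text=ALARM_LOG, config_text=NAT_CONFIG):
    """Human-readable summary, one line per conflicting global address."""
    conflicts = find_conflicts(parse_dup_ip_alarms(log_text),
                               parse_nat_server_globals(config_text))
    return [
        f"NAT global {ip} is also claimed by MAC {', '.join(e['macs'])} "
        f"on {', '.join(e['interfaces'])} ({e['alarms']} alarms); "
        f"choose a free global address"
        for ip, e in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against a real log export and the running configuration, the script reports only global addresses that a host on the segment is actively answering ARP for, which is the condition the solution below says must be avoided; the duplicate for 211.x.x.20 is ignored because no nat server command claims it.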


Solution

When configuring the global address of a NAT server, do not use an address that is already assigned to a server or PC; the global address must be a free address on the segment, otherwise an address conflict occurs. Before applying the command, confirm that no host on the segment answers ARP for the intended global address; a burst of ARP/4/DUP_IPADDR alarms naming that address right after the command is applied is the sign of this conflict.

END