When a Terminal Accesses a Remote Server Through a Proxy Server, the Translated IP Address of the Server Is Displayed

Publication Date:  2014-01-06 Views:  336 Downloads:  0
Issue Description
The Eudemon 1000E version is V200R001C00SPC600. Three security areas Localoss, SZ, and CAZ are defined on the firewall. The Localoss area is the terminal access area, the SZ zone is the server area, and the CAZ zone is the proxy server area. Each security area connects to the firewall through a Layer 2 switch. The firewall works on Layer 3.
NAT is enabled between the SZ and CAZ areas. The mapping is 192.168.3.2 to 192.168.2.4, in which 192.168.3.2 is the IP address of the proxy server. Packets can be forwarded from the SZ area to Localoss area, and from the SZ area to CAZ area. Packets are filtered from the Localoss area to the SZ area to prevent terminals from directly accessing the SZ area. Terminals must use the proxy server to access the SZ area.

When a PC in the Localoss area accesses a server in the SZ area through the proxy server in the CAZ area, the translated IP address of the remote server (192.168.2.4) is displayed on Internet Explorer of the PC. The IP address of the proxy server (192.168.3.2) is not displayed.
Alarm Information
None
Handling Process
Specify a security area for the public network IP address.
nat server SZ global 192.168.2.4 inside 192.168.3.2
Root Cause
First, check whether a fault occurs on the NAT server.
Before the fault on the NAT server is rectified, the NAT server is configured as follows:
nat server global 192.168.2.4 inside 192.168.3.2
In the preceding command, no security area is specified for the public network IP address. Therefore, each security area knows only the translated IP address of the remote server (192.168.2.4). A reachable route from the PC to 192.168.2.4 exists. After a PC logs in to the proxy server, the translated IP address of the remote server is displayed.
Suggestions
Specify a security area after enabling the NAT server function on the firewall.

END