Intranet Users Were Unable to Access the Public IP Address of the Internal Server Due to Incorrect NAT Server Configuration

Publication Date: 2015-07-03
Issue Description
Network Topology:

The firewall uses NAT server mapping to map the private address of the internal server to a public address. The users on the intranet access the Internet using NAT outbound.

Symptom:

The users on the intranet were unable to access the public IP address of the internal server through NAT.
Handling Process
The inside interface was assigned to the trust zone, the outside interface connected to carrier A was assigned to the dx zone, and the outside interface connected to carrier B was assigned to the lt zone. To allow users on the Internet to access the internal server, NAT server was configured on the firewall:

nat server 18 zone dx protocol tcp global 117.40.x1.y1  ftp inside 10.72.90.15 ftp 
nat server 19 zone lt protocol tcp global 220.248.x2.y2 ftp inside 10.72.90.15 ftp


FTP traffic from the dx zone destined for 117.40.x1.y1 and FTP traffic from the lt zone destined for 220.248.x2.y2 were sent to the internal server (10.72.90.15).
Intrazone NAT was also configured so that users on the intranet could access the public address mapped to the internal server:


nat address-group 10 1.1.1.1 1.1.1.1
nat-policy zone trust
policy 0
  action source-nat
  address-group 10


However, the users on the intranet were unable to access the public address mapped to the internal server, and the session table showed that destination NAT was not performed (no translated destination appears on the session):

ftp VPN: public -> public 
  Zone: trust-> dx  TTL: 00:00:05 Left: 00:00:04
  Interface: G0/0/1  Nexthop: 117.40.138.65  MAC: 00-00-00-00-00-00
  <-- packets:0 bytes:0   --> packets:0 bytes:0
  192.168.12.24:3452[1.1.1.1:36847]--> 117.40.x1.y1:23


The NAT server was configured per zone, as in the command nat server 18 zone dx protocol tcp global 117.40.x1.y1 ftp inside 10.72.90.15 ftp no-reverse: destination NAT is performed only for traffic from the dx zone destined for 117.40.x1.y1. Users on the intranet belong to the trust zone, so their traffic matched no NAT server entry and they were unable to access the public address mapped to the internal server. Zone-based NAT server works as follows:

1. For users on a public network to match a zone-based NAT server entry, the users must belong to the zone.
2. To allow users from the intranet to access the public address mapped to the internal server, the source address of the traffic must also be translated. If the no-reverse option is selected, the source address will not be translated.

Therefore, to allow users on the intranet to access the public address mapped to the internal server, either of the following methods can be used.

1. Configure a global NAT server.

nat server 18 protocol tcp global 117.40.x1.y1 ftp inside 10.72.90.15 ftp
nat server 19 protocol tcp global 220.248.x2.y2 ftp inside 10.72.90.15 ftp

These two commands cannot be configured simultaneously, because for traffic initiated by the internal server the firewall cannot determine whether to translate 10.72.90.15 to 117.40.x1.y1 or to 220.248.x2.y2. Therefore, the no-reverse parameter must be used so that NAT is not performed on traffic initiated from the internal server. The configuration is modified as follows:

nat server 18 protocol tcp global 117.40.x1.y1 ftp inside 10.72.90.15 ftp no-reverse
nat server 19 protocol tcp global 220.248.x2.y2 ftp inside 10.72.90.15 ftp no-reverse


2. Configure a NAT server for the trust zone.

NAT servers for the dx and lt zones have already been configured. To allow users on the intranet to access the public address mapped to the internal server, a NAT server entry must be added for the trust zone as follows:

nat server 20 zone trust protocol tcp global 117.40.x1.y1 ftp inside 10.72.90.15 ftp
nat server 18 zone dx protocol tcp global 117.40.x1.y1 ftp inside 10.72.90.15 ftp
nat server 19 zone lt protocol tcp global 220.248.x2.y2 ftp inside 10.72.90.15 ftp

Then start FTP and display the sessions on the firewall; the destination is now translated to the internal server address:

ftp VPN: public -> public 
  Zone: trust-> trust TTL: 00:02:00  Left: 00:01:59
  Interface: G0/0/2  Nexthop: 192.168.201.2  MAC: 00-00-00-00-00-00
  <-- packets:11 bytes:2564   --> packets:21 bytes:3564
  192.168.12.24:4236[1.1.1.1:32814]--> 117.40.x1.y1:23[10.72.90.15:23]
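The two rules behind this case (a zone-bound NAT server entry only matches traffic whose source zone is that zone, and entries without no-reverse also translate traffic the server itself initiates) are easy to check with a small model. The script below is an added illustration written for this note, not firewall code: it does not reproduce the real lookup order or the source-NAT step, the 203.0.113.10 Internet host is a constructed address, and the x1.y1/x2.y2 placeholders from the case are kept as plain strings. It reproduces why the original configuration gives trust-zone users an untranslated destination, and what each of the two methods above changes.

```python
"""Toy model of zone-based NAT server matching (constructed for this note).

Not firewall code. It only demonstrates the two rules the case relies on:
a zone-bound entry matches only traffic whose source zone is that zone, and
entries without no-reverse also apply to traffic the server itself initiates.
"""
from dataclasses import dataclass
from typing import List, Optional

FTP_PORT = 21  # the "ftp" keyword in the nat server commands stands for TCP 21


@dataclass(frozen=True)
class NatServer:
    """One 'nat server' entry. zone=None models a global (zone-less) entry."""
    id: int
    global_ip: str
    inside_ip: str
    port: int = FTP_PORT
    zone: Optional[str] = None
    no_reverse: bool = False


@dataclass(frozen=True)
class Packet:
    """First packet of a user-initiated flow, with the zone it arrived from."""
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int


def lookup_nat_server(entries: List[NatServer], pkt: Packet) -> Optional[NatServer]:
    """Destination-NAT lookup: the packet must be addressed to the entry's
    global IP/port, and the entry must be global or bound to the source zone."""
    for e in entries:
        if (pkt.dst_ip, pkt.dst_port) != (e.global_ip, e.port):
            continue
        if e.zone is None or e.zone == pkt.src_zone:
            return e
    return None


def translated_destination(entries: List[NatServer], pkt: Packet) -> str:
    """Render the destination as the session table shows it:
    'global:port[inside:port]' when translated, bare 'global:port' when not."""
    e = lookup_nat_server(entries, pkt)
    dst = f"{pkt.dst_ip}:{pkt.dst_port}"
    return f"{dst}[{e.inside_ip}:{e.port}]" if e else dst


def reverse_candidates(entries: List[NatServer], inside_ip: str) -> List[str]:
    """Global addresses that could be applied to traffic the server itself
    initiates. Entries configured with no-reverse never contribute."""
    return [e.global_ip for e in entries
            if e.inside_ip == inside_ip and not e.no_reverse]


def reverse_is_ambiguous(entries: List[NatServer], inside_ip: str) -> bool:
    """True when more than one global address could be chosen for
    server-initiated traffic, which is why two global entries for the same
    inside address need no-reverse."""
    return len(set(reverse_candidates(entries, inside_ip))) > 1


SERVER = "10.72.90.15"
# Original configuration from the case: each entry bound to one carrier zone.
ORIGINAL = [
    NatServer(18, "117.40.x1.y1", SERVER, zone="dx"),
    NatServer(19, "220.248.x2.y2", SERVER, zone="lt"),
]
# Method 1: global entries, with no-reverse so server-initiated traffic is left alone.
GLOBAL_NO_REVERSE = [
    NatServer(18, "117.40.x1.y1", SERVER, no_reverse=True),
    NatServer(19, "220.248.x2.y2", SERVER, no_reverse=True),
]
# Method 1 without no-reverse: the pair the text says cannot coexist.
GLOBAL_CONFLICTING = [
    NatServer(18, "117.40.x1.y1", SERVER),
    NatServer(19, "220.248.x2.y2", SERVER),
]
# Method 2: keep the zone entries and add one bound to the trust zone.
WITH_TRUST_ENTRY = [NatServer(20, "117.40.x1.y1", SERVER, zone="trust")] + ORIGINAL

# Constructed flows: the intranet host from the session output, and an Internet
# host (203.0.113.10 is a documentation address) arriving via carrier A.
INTRANET_FLOW = Packet("trust", "192.168.12.24", "117.40.x1.y1", FTP_PORT)
INTERNET_FLOW = Packet("dx", "203.0.113.10", "117.40.x1.y1", FTP_PORT)

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL),
                       ("global+no-reverse", GLOBAL_NO_REVERSE),
                       ("trust entry", WITH_TRUST_ENTRY)]:
        print(f"{label:18} trust -> {translated_destination(cfg, INTRANET_FLOW)}")
    print("two global entries without no-reverse ambiguous:",
          reverse_is_ambiguous(GLOBAL_CONFLICTING, SERVER))
```

Running it prints an untranslated destination for the original configuration and a translated one for both fixes; the last line shows why method 1 needs no-reverse. The lookup is deliberately first-match over a list, so in method 2 the order of the trust, dx and lt entries does not matter for correctness because each is selected by the source zone alone.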
Root Cause
The zone-based NAT server configuration was incorrect. Zone-based NAT server must be configured according to the following principles:

1. For users on a public network to match a zone-based NAT server entry, the users must belong to the zone.

2. To allow users from the intranet to access the public address mapped to the internal server, the source address of the traffic must also be translated. If the no-reverse option is selected, the source address will not be translated.

Suggestions
1. Understand the configuration of the zone-based NAT server.

2. Understand the functions of intrazone NAT.

3. Intrazone NAT combined with NAT server is a typical application of bidirectional NAT.
