Internal Host Cannot Access the External FTP Server

Publication Date: 2012-07-27
Issue Description

As shown in Figure 11-6, the USG is configured with NAT Outbound so that users on internal network segment 10.2.1.0/24 can access the external network. ACL 3000 is the match condition for the translation: it is intended to ensure that only internal users on network segment 10.2.1.0/24 are translated and can reach the external network.

After the preceding configurations are complete, the PC with IP address 10.2.1.2 cannot access the FTP server with external IP address 202.99.8.75.

Figure 11-6  NAT Outbound troubleshooting case
 
Alarm Information
None.
Handling Process
  1. Check whether the internal PC can ping internal interface 10.2.1.1 of the NAT gateway. If the PC cannot ping the internal interface of the NAT gateway but the NAT gateway itself can ping external server 202.99.8.75, the gateway and its uplink are working and the route (default gateway) on the PC is probably set incorrectly.

    After the route is corrected on the PC, the PC can ping 10.2.1.1 but still cannot access the FTP server. In this case, proceed to 2.

  2. Run the display firewall session table command to view NAT session information. If no session has been created for traffic from 10.2.1.2, the packets are being dropped before translation; proceed to 3.
  3. In the system view, run the display acl 3000 command to check the ACL configuration. If rule 5 matches the wrong network segment, enter the view of ACL 3000, run the undo rule 5 command to delete the rule, and configure rule 5 permit ip source 10.2.1.0 0.0.0.255 so that the PC's segment is permitted.
  4. Run the display firewall session table command again to view NAT session information. A session from 10.2.1.2 to port 21 of 202.99.8.75 should now exist. If the control connection is set up but no data is transferred, proceed to 5.
  5. Run the detect ftp command to enable the FTP ALG function, so that the NAT gateway also translates the IP address and port carried in the FTP PORT/PASV commands and permits the resulting data connection.
Root Cause

The internal PC cannot ping internal interface 10.2.1.1 of the NAT gateway, but the NAT gateway can ping external server 202.99.8.75. Therefore, the route on the PC is set incorrectly.

After the route is corrected on the PC, the PC can ping 10.2.1.1 but still cannot access the FTP server. Checking the session information on the NAT gateway shows that no session is created for the PC's traffic, which means the packets do not match the NAT Outbound condition.

Check the ACL configuration and you can find that ACL 3000 is configured as follows:

rule 5 permit ip source 10.1.1.0 0.0.0.255

The preceding display shows the configuration is incorrect. Modify it as follows:

rule 5 permit ip source 10.2.1.0 0.0.0.255

Continue to use the PC to access the FTP server. The control connection can now be set up, but no data can be transferred (directory listings and file transfers fail).

The session table on the NAT gateway shows only one session, from the internal PC to port 21 of the FTP server; no session for the data connection is set up. Without the ALG, the gateway translates only the IP and TCP headers. The private address and port that the client places in the FTP PORT command (active mode) reach the server unchanged, so the server cannot open the data connection back to 10.2.1.2, and the gateway has no entry that would let such an inbound connection through.

Enable the FTP ALG function and attempt to access the external FTP server from the internal PC again. The data connection is now set up and files are transferred normally.
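The following is an added example, not USG code or command output, that models the three states walked through in the handling process and root cause above: a Huawei-style ACL rule (network plus wildcard mask) applied to the source address, a session entry created only for permitted outbound flows, and, once the FTP ALG is enabled, the rewriting of the private address and port in the client's PORT command together with the server-map style entry that lets the server's data connection back in. The public NAT address 203.0.113.10, the translated port pool starting at 10240, and the class and function names are assumptions for illustration.

```python
"""Constructed model of the NAT gateway behaviour described in this case.

Added example, not USG code or output: it applies a Huawei-style ACL rule
(network + wildcard mask) to the source address, creates a session entry for
permitted outbound flows, and, when the FTP ALG is enabled, rewrites the
private address/port in the client's PORT command and records the inbound
data connection the server will open (a server-map style pinhole).
The public NAT address and the port pool are assumptions for illustration.
"""
import ipaddress
import re

PUBLIC_IP = "203.0.113.10"   # assumed public address used for NAT Outbound (not in the case)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def acl_permits(rule_net: str, wildcard: str, src_ip: str) -> bool:
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (int(ipaddress.IPv4Address(rule_net)) & care)


def parse_port_cmd(line: str):
    """Return (ip, port) from an FTP 'PORT h1,h2,h3,h4,p1,p2' command, or None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    o = [int(x) for x in m.groups()]
    return f"{o[0]}.{o[1]}.{o[2]}.{o[3]}", o[4] * 256 + o[5]


def build_port_cmd(ip: str, port: int) -> str:
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class NatGateway:
    def __init__(self, acl_rules, ftp_alg=False):
        self.acl_rules = acl_rules        # [(network, wildcard)], like 'rule 5 permit ip source ...'
        self.ftp_alg = ftp_alg            # True once 'detect ftp' is configured
        self.sessions = []                # what 'display firewall session table' would list
        self.server_map = {}              # (public ip, port) -> (private ip, port) for inbound data
        self._next_port = 10240           # assumed start of the translated port pool

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def new_outbound_session(self, src, sport, dst, dport):
        """Return the translated (ip, port), or None when the ACL does not permit the source."""
        if not any(acl_permits(net, wc, src) for net, wc in self.acl_rules):
            return None                   # dropped before NAT: no session is created
        nat = (PUBLIC_IP, self._alloc_port())
        self.sessions.append({"src": src, "sport": sport, "dst": dst, "dport": dport, "nat": nat})
        return nat

    def forward_ftp_control(self, payload: str) -> str:
        """Client-to-server control payload; returns what the server receives."""
        parsed = parse_port_cmd(payload)
        if parsed is None or not self.ftp_alg:
            return payload                # header-only NAT: the private address leaks through unchanged
        priv_ip, priv_port = parsed
        pub_port = self._alloc_port()
        self.server_map[(PUBLIC_IP, pub_port)] = (priv_ip, priv_port)   # pinhole for the data connection
        return build_port_cmd(PUBLIC_IP, pub_port)

    def inbound_data_connection(self, dst_ip, dst_port):
        """Server opens the active-mode data connection; returns the internal target or None."""
        return self.server_map.get((dst_ip, dst_port))


def run_case():
    """Walk the three states of this case; returns the observations a practitioner would check."""
    pc, server = "10.2.1.2", "202.99.8.75"
    out = {}
    # 1. ACL 3000 has 'rule 5 permit ip source 10.1.1.0 0.0.0.255': wrong segment, no session
    gw = NatGateway([("10.1.1.0", "0.0.0.255")])
    out["wrong_acl_session"] = gw.new_outbound_session(pc, 40001, server, 21)
    # 2. ACL corrected, ALG still off: control session exists, PORT carries the private address
    gw = NatGateway([("10.2.1.0", "0.0.0.255")], ftp_alg=False)
    out["fixed_acl_session"] = gw.new_outbound_session(pc, 40001, server, 21)
    seen = gw.forward_ftp_control(build_port_cmd(pc, 40002))
    out["no_alg_port_cmd"] = parse_port_cmd(seen)
    out["no_alg_data_conn"] = gw.inbound_data_connection(*out["no_alg_port_cmd"])
    # 3. 'detect ftp' enabled: PORT is rewritten and the data connection is mapped back to the PC
    gw = NatGateway([("10.2.1.0", "0.0.0.255")], ftp_alg=True)
    gw.new_outbound_session(pc, 40001, server, 21)
    seen = gw.forward_ftp_control(build_port_cmd(pc, 40002))
    out["alg_port_cmd"] = parse_port_cmd(seen)
    out["alg_data_conn"] = gw.inbound_data_connection(*out["alg_port_cmd"])
    return out


if __name__ == "__main__":
    for k, v in run_case().items():
        print(f"{k}: {v}")
```

Running the script prints the observation for each state: no session under the wrong ACL, a control session but a PORT command still carrying 10.2.1.2 and no mapped data connection without the ALG, and a rewritten PORT command plus a data connection mapped back to the PC once the ALG is on. The model only covers active-mode PORT; the same rewriting applies to the address in a PASV reply on the server-to-client direction when the server side is the one behind NAT.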

Suggestions
After the preceding operations are complete, the internal PC can access the external FTP server and transfer packets normally. The fault is rectified.
 

Through this case, you can conclude the following:

  • The ACL bound to NAT Outbound determines which packets are translated and can pass through the NAT gateway. A wrong network segment or wildcard mask in the ACL silently drops the traffic, and an empty session table for the affected host is the first sign of it.
  • It is easy to forget to configure the route (default gateway) on the internal PC. Verify it by pinging the gateway's internal interface before looking at the NAT configuration.
  • In NAT Outbound mode, FTP requires the FTP ALG function (detect ftp). Otherwise, the control connection to port 21 is set up but the data connection fails, because the IP address and port carried in the FTP PORT/PASV commands are not translated.
