USG5500 port mapping cannot be accessed from the extranet because the intranet has more than one extranet egress

Publication Date:  2012-09-26 Views:  197 Downloads:  0
Issue Description
The customer's configuration is as follows:
nat server 0 global 58.18.168.164 inside 222.31.224.197
nat server 1 protocol tcp global 58.18.168.165 www inside 222.31.224.205 www
nat server 2 zone untrust global 58.18.168.163 inside 222.31.236.62
nat server 3 zone trust global 58.18.168.163 inside 222.31.236.62

ospf 1
default-route-advertise always
area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 192.168.0.0 0.0.0.3
  network 192.168.20.0 0.0.0.3

The server can be reached from the intranet but not from the extranet. OSPF runs in the intranet, and the firewall advertises a default route into it. The firewall itself can ping the server. When the server is accessed from the extranet a session is created on the firewall; displaying the session in both directions shows inbound packets but no return packets:

[USG5500-hidecmd]dis firewall session table verbose_hide both-direction source global 218.17.155.9
20:35:20  2011/09/19
Current Total Sessions : 1
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop: 192.168.0.2  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96
  218.17.155.9:43973-->58.18.168.164:80[222.31.224.197:80]

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  222.31.224.197:80[58.18.168.164:80]-->218.17.155.9:43973

This output shows that packets arrive from the outside (2 packets in the untrust--> trust direction) but no packets ever come back from the server, so the connection cannot complete.
Alarm Information
None
Handling Process
The fault was located: client traffic enters through the firewall, but the server's replies leave through the education network egress, so the connection never completes (the forward and return paths are asymmetric). Without changing the network layout, this can be solved with inbound source NAT: the extranet source address is translated to an address from the address pool, so that, as seen by the server, the client appears to be local, and the server's return packets are routed back to the firewall instead of out through the education network.
Configuration:
nat-policy interzone trust untrust inbound
policy 0
  action source-nat                     
  address-group 1
Result confirmation (the client source address now appears translated to the pool address 58.18.168.163):
[USG5500-hidecmd]dis firewall session table destination global  58.18.168.164 destination-port 80
13:08:08  2011/09/23
Current Total Sessions : 16
  59.36.129.90:53727[58.18.168.163:12357]-->58.18.168.164:80[222.31.224.197:80]
  59.36.129.90:52444[58.18.168.163:12261]-->58.18.168.164:80[222.31.224.197:80]
  59.36.129.90:53254[58.18.168.163:12324]-->58.18.168.164:80[222.31.224.197:80]

Root Cause
1. At first an OSPF fault was suspected, but the configuration already advertises a default route into OSPF:
default-route-advertise always
2. The firewall can ping the server, and the server can be accessed from the intranet, so the mapping itself is correct. Looking at the mapping 58.18.168.164 inside 222.31.224.197, both the global and the inside address are public network addresses. On asking the customer, the server address belongs to the education network, which has its own egress.
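As an added example (not part of this Huawei case or of any Huawei tool), the following Python script automates the two checks made above: it parses a session table dump of the form shown under Issue Description and flags entries that received packets but saw none come back, and it scans the "nat server" lines for inside addresses that are publicly routable, which is the clue that led to the second egress. The sample dump and configuration are constructed from the text on this page; the regular expressions encode the field layout seen in that output and are assumptions, not a specification of the USG5500 format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Session:
    proto: str
    zone_from: str
    zone_to: str
    fwd_packets: int            # "-->packets": packets seen in this entry's forward direction
    rev_packets: int            # "<--packets": packets seen in the return direction
    src: str
    dst: str
    dst_inside: Optional[str]   # "[addr:port]" after the destination: the NAT server's real address

# Field layout assumed from the verbose session table shown in this case (assumption, not a spec).
PROTO_RE = re.compile(r"^(\S+)\s+VPN:\S+\s*-->\s*\S+$")
ZONE_RE = re.compile(r"Zone:\s*(\S+?)\s*-->\s*(\S+)")
COUNT_RE = re.compile(r"<--packets:(\d+)\s+bytes:\d+\s+-->packets:(\d+)\s+bytes:\d+")
FLOW_RE = re.compile(r"^(\S+?:\d+)(?:\[(\S+?:\d+)\])?-->(\S+?:\d+)(?:\[(\S+?:\d+)\])?$")
NAT_SERVER_RE = re.compile(
    r"^nat server \d+(?: zone \S+)?(?: protocol \S+)? global (\S+)(?: \S+)? inside (\S+)")

def parse_session_table(text: str) -> List[Session]:
    """Walk the dump line by line; an entry starts at its protocol line and ends at its flow line."""
    sessions: List[Session] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PROTO_RE.match(line)):
            cur = {"proto": m.group(1)}
        elif cur is None:
            continue
        elif (m := ZONE_RE.search(line)):
            cur["zone_from"], cur["zone_to"] = m.group(1), m.group(2)
        elif (m := COUNT_RE.search(line)):
            cur["rev_packets"], cur["fwd_packets"] = int(m.group(1)), int(m.group(2))
        elif (m := FLOW_RE.match(line)):
            src, _src_nat, dst, dst_nat = m.groups()
            sessions.append(Session(src=src, dst=dst, dst_inside=dst_nat, **cur))
            cur = None
    return sessions

def one_sided_sessions(sessions: List[Session]) -> List[Session]:
    """Entries that received packets but never saw a reply pass through this firewall."""
    return [s for s in sessions if s.fwd_packets > 0 and s.rev_packets == 0]

def public_inside_mappings(config: str) -> List[Tuple[str, str]]:
    """'nat server' lines whose inside address is globally routable: the server may have its own egress."""
    found = []
    for line in config.splitlines():
        m = NAT_SERVER_RE.match(line.strip())
        if m and ipaddress.ip_address(m.group(2)).is_global:
            found.append((m.group(1), m.group(2)))
    return found

def diagnose(session_dump: str, config: str) -> List[str]:
    findings = []
    for s in one_sided_sessions(parse_session_table(session_dump)):
        target = f"{s.dst} (server {s.dst_inside})" if s.dst_inside else s.dst
        findings.append(f"{s.proto} {s.src} -> {target}: {s.fwd_packets} packets in, 0 back; "
                        "the reply path bypasses this firewall or the server is not answering")
    for glob, inside in public_inside_mappings(config):
        findings.append(f"nat server {glob} -> {inside}: inside address is public; "
                        "ask whether this network has another extranet egress")
    return findings

# Constructed sample input, copied from the session table and configuration shown in this case.
SAMPLE_SESSION_TABLE = """\
20:35:20  2011/09/19
Current Total Sessions : 1
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop: 192.168.0.2  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96
  218.17.155.9:43973-->58.18.168.164:80[222.31.224.197:80]

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  222.31.224.197:80[58.18.168.164:80]-->218.17.155.9:43973
"""
SAMPLE_CONFIG = """\
nat server 0 global 58.18.168.164 inside 222.31.224.197
nat server 1 protocol tcp global 58.18.168.165 www inside 222.31.224.205 www
nat server 2 zone untrust global 58.18.168.163 inside 222.31.236.62
nat server 3 zone trust global 58.18.168.163 inside 222.31.236.62
"""

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_SESSION_TABLE, SAMPLE_CONFIG)))
```

Run against the dump from this case, the first check reports the untrust--> trust entry with 2 packets in and 0 back, and the second check reports all four mappings, because every inside address here is public; on a site whose servers use private addresses the second list is empty and the first check alone points at the asymmetric return path.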
Suggestions
When port mapping does not work and the configuration checks out as correct, ask the customer whether the intranet has any other egress, so that this possibility can be excluded.

END