Configuring NAT Server double export (two ISP exits) for one internal server leaves users unable to reach it through the other ISP's public address

Publication Date:  2012-10-24 Views:  225 Downloads:  0
Issue Description
As shown in the figure, many companies have two ISP exits, for example China Telecom and China Netcom. An internal server is deployed inside the company for external users to access. The requirement is that the server's private address 10.1.1.1 be configured with two NAT Server entries on the firewall, one for Telecom users and one for Netcom users, so that each group of users reaches the server through its own ISP's address. This is the NAT Server double export function.
After the configuration is complete, Telecom users can access the internal server through the public address 2.2.2.2 and Netcom users can access it through the public address 3.3.3.3. However, Netcom users cannot access the Telecom-side public address 2.2.2.2, and Telecom users cannot access the Netcom-side public address 3.3.3.3 either.
Alarm Information
None.
Handling Process
NAT Server double export is usually configured in one of the following two ways:
1. Configure by security zone: place the Telecom users and the Netcom users in different security zones and provide a different public IP address for each zone.
In this mode, when the internal server actively accesses the external network, the firewall selects the reverse mapping table that belongs to the destination security zone and uses it for address translation.
[sysname] nat server zone zone1 global 2.2.2.2 inside 10.1.1.1
[sysname] nat server zone zone2 global 3.3.3.3 inside 10.1.1.1
zone1 is the security zone of the Telecom users; zone2 is the security zone of the Netcom users.
2. Configure the no-reverse parameter so that no reverse mapping table is created.
In this mode the internal server is normally not allowed to actively access the external network. If it must do so, source-IP-based NAT (outbound NAT) has to be configured additionally for this server.
[sysname] nat server global 2.2.2.2 inside 10.1.1.1 no-reverse
[sysname] nat server global 3.3.3.3 inside 10.1.1.1 no-reverse
After the above configuration is complete, Telecom users can access the internal server through 2.2.2.2 and Netcom users can access it through 3.3.3.3.
When a Telecom user accesses the Netcom-side address 3.3.3.3, the request arrives and the forward mapping translates 3.3.3.3 to 10.1.1.1, and the packet is delivered to the internal server. When the server's reply arrives at the firewall, it matches the session table; the route lookup finds that the packet is destined for the Telecom user, so the reply is sent out directly through the interface nearest to that user. In other words, the request arrived on the Netcom interface but the reply leaves through the Telecom interface.
If there is another firewall between this device and the Telecom users, and that firewall has link state detection (stateful inspection) enabled, it will not permit packets whose return path differs from the forward path, and the reply is eventually discarded.
Root Cause
When an internal server is exposed through a public address, this is usually done by configuring a global NAT Server. Each NAT Server that is configured generates two global mapping entries: a forward (positive) mapping, used to translate the destination address when external users access the internal server, and a reverse mapping, used to translate the source address when the internal server actively accesses the external network.
When a single private IP address of the internal server is mapped to two public IP addresses, two reverse mapping tables are created. When the internal server then actively accesses the external network, two mapping relationships match at the same time, which is not allowed.
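The following Python model is an added illustration, not Huawei firewall code, of the mapping tables and the cross-access path described above. The addresses 10.1.1.1, 2.2.2.2, 3.3.3.3 and the zone names zone1 and zone2 come from the case; the data structures, the interface names and the "downstream stateful firewall" check are constructed assumptions. It shows why two plain NAT Server entries for one inside address give an ambiguous reverse mapping, how the zone-based and no-reverse variants remove the ambiguity, and why a cross-ISP request produces a reply on the wrong interface.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NatServer:
    """One 'nat server' line. zone=None models a global (zone-less) entry."""
    global_ip: str
    inside_ip: str
    zone: Optional[str] = None
    no_reverse: bool = False


def build_tables(entries: List[NatServer]):
    """Build the two tables each NAT Server generates.

    forward: public address -> private address (destination NAT for inbound access)
    reverse: private address -> [(zone, public address)] (source NAT for outbound access)
    An entry with no_reverse=True contributes no reverse mapping.
    """
    forward: Dict[str, str] = {}
    reverse: Dict[str, List[Tuple[Optional[str], str]]] = {}
    for e in entries:
        forward[e.global_ip] = e.inside_ip
        if not e.no_reverse:
            reverse.setdefault(e.inside_ip, []).append((e.zone, e.global_ip))
    return forward, reverse


def translate_inbound(forward: Dict[str, str], dst_public: str) -> Optional[str]:
    """External user -> server: translate the public destination to the private address."""
    return forward.get(dst_public)


def translate_outbound(reverse, src_private: str, dst_zone: str) -> List[str]:
    """Server -> external: candidate public source addresses for the destination zone.

    A zone-less entry matches any destination zone; exactly one candidate is required
    for the translation to be unambiguous.
    """
    return [g for (zone, g) in reverse.get(src_private, [])
            if zone is None or zone == dst_zone]


# Scenario A: two global NAT Servers for the same inside address (the problem case).
PLAIN = [NatServer("2.2.2.2", "10.1.1.1"), NatServer("3.3.3.3", "10.1.1.1")]
# Scenario B: method 1, one entry per security zone.
ZONED = [NatServer("2.2.2.2", "10.1.1.1", zone="zone1"),
         NatServer("3.3.3.3", "10.1.1.1", zone="zone2")]
# Scenario C: method 2, no reverse mapping at all.
NO_REVERSE = [NatServer("2.2.2.2", "10.1.1.1", no_reverse=True),
              NatServer("3.3.3.3", "10.1.1.1", no_reverse=True)]


def outbound_candidates(entries: List[NatServer], dst_zone: str = "zone1") -> List[str]:
    """Public addresses the server could be translated to when it initiates traffic."""
    _, reverse = build_tables(entries)
    return translate_outbound(reverse, "10.1.1.1", dst_zone)


# Constructed routing table: which egress interface reaches each ISP's users.
ROUTES = {"telecom": "if_telecom", "netcom": "if_netcom"}


def cross_access(forward: Dict[str, str], dst_public: str, user_isp: str,
                 arrival_if: str) -> Tuple[Optional[str], str, bool]:
    """Simulate a request to dst_public arriving on arrival_if and the server's reply.

    The reply follows the route to the user, not the interface the request came in on.
    Returns (translated inside address, reply egress interface, passes a downstream
    stateful check that requires reply interface == arrival interface).
    """
    inside = translate_inbound(forward, dst_public)
    reply_if = ROUTES[user_isp]
    return inside, reply_if, reply_if == arrival_if


if __name__ == "__main__":
    print("plain  :", outbound_candidates(PLAIN))          # two candidates: ambiguous
    print("zoned  :", outbound_candidates(ZONED, "zone2"))  # one candidate per zone
    print("no-rev :", outbound_candidates(NO_REVERSE))     # none: needs source NAT
    fwd, _ = build_tables(PLAIN)
    print("cross  :", cross_access(fwd, "3.3.3.3", "telecom", "if_netcom"))
```

Running the model shows Scenario A yielding both 2.2.2.2 and 3.3.3.3 as outbound candidates for 10.1.1.1 (the conflict named in the root cause), Scenario B yielding exactly one per zone, and Scenario C yielding none, which is why source-IP NAT must be added if the server has to initiate connections. The cross-access call shows a Telecom user's request to 3.2.3.3-style Netcom address arriving on the Netcom interface while the reply leaves on the Telecom interface, the mismatch a downstream stateful firewall drops.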
Suggestions
The main purpose of NAT Server double export is to let external users access the server through the nearest ISP: Netcom users should access the internal server through the Netcom public address and Telecom users through the Telecom public address, which gives the fastest access. Cross access between the two ISPs should be avoided so that normal services are not affected.
