Due to a packet filtering configuration error, the external network cannot access the internal network server

Publication Date:  2012-11-26
Issue Description
A firewall acting as the NAT device is deployed between the DMZ zone and the Untrust zone. NAT Server is configured on the firewall so that the FTP server in the DMZ zone provides FTP service to external (Untrust) users. In practice, the fault occurred that users in the Untrust zone could not access the FTP server.
Alarm Information
None.
Handling Process
Step 1: execute the command “display firewall server-map” and check whether the Server-map entry has been created.
[sysname] display firewall server-map
Nat Server: ANY -> 200.1.1.10[10.1.1.1], Zone: ---                              
Protocol: any(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---             
Vpn: public -> public                                                          
                                                                               
Nat Server Reverse: 10.1.1.1[200.1.1.10] -> ANY, Zone: ---                      
Protocol: any(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---             
Vpn: public -> public 
10.1.1.1 is the Inside (private) address of the FTP server.
200.1.1.10 is the Global (public) address of the FTP server.
Each effective NAT Server configuration creates a static Server-map entry. The output shows that the Server-map entry exists and that its parameters are correct, so the NAT Server configuration itself is successful.
Step 2: execute the command “display interzone [ zone-name1 zone-name2 ]” and check the inter-zone configuration.
[sysname] display interzone dmz untrust                                  
#                                                                              
firewall interzone dmz untrust                                               
packet-filter 3010 inbound                                                     
detect ftp                                                                    
#
detect ftp indicates that the NAT ALG function for FTP is configured in this inter-zone.
3010 indicates that ACL 3010 is applied to inter-zone packet filtering.
inbound means the direction from the lower-security zone to the higher-security zone, that is, from Untrust to DMZ.
Step 3: execute the command “display acl acl-number” and check the ACL configuration.
[sysname] display acl 3010                                      
Advanced ACL  3010, 1 rule,not binding with vpn-instance                        
Acl's step is 5                                                                
rule 0 permit ip destination 200.1.1.10 0
When a packet arrives, the firewall matches it against NAT Server first and only then against the packet-filtering ACL rules. The packet that the ACL sees therefore already carries the translated destination address, so the IP address referenced by the ACL must be the Inside address of the FTP server, 10.1.1.1, rather than the Global address 200.1.1.10 that rule 0 currently matches.
Step 4: change the destination IP address in ACL 3010 to the Inside address 10.1.1.1 and verify again; the fault is resolved.
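The following is an added illustration of the processing order that Steps 1 to 4 rely on; it is example code written for this page, not Huawei firewall code. It models a simplified pipeline in which the NAT Server (server-map) lookup rewrites the Global destination to the Inside address before the inter-zone packet filter evaluates ACL 3010. The addresses 200.1.1.10 and 10.1.1.1 and the ACL number come from the page; the class names, helper functions, the default-deny assumption for unmatched packets, and the sample client address are constructed for the example.

```python
"""Model of 'NAT Server first, then packet-filter ACL' (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"; an ACL "ip" rule matches all of them
    dport: Optional[int] = None


@dataclass(frozen=True)
class NatServer:
    """One static Server-map entry: Global address <-> Inside address."""
    global_ip: str
    inside_ip: str


@dataclass(frozen=True)
class AclRule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    dst: str                   # destination address as typed in the rule
    dst_wildcard: str          # wildcard mask; the CLI shows "0" for 0.0.0.0 (exact host)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return wildcard_match(pkt.dst, self.dst, self.dst_wildcard)


def _ip_int(text: str) -> int:
    # Accept the shorthand "0" that the CLI displays for an all-zero wildcard mask.
    if "." not in text:
        return int(text)
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    # In a wildcard mask a 1 bit means "don't care", so only the 0 bits are compared.
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(addr) & care) == (_ip_int(rule_addr) & care)


def apply_nat_server(pkt: Packet, server_map: List[NatServer]) -> Packet:
    """Inbound direction: rewrite the Global destination to the Inside address."""
    for entry in server_map:
        if pkt.dst == entry.global_ip:
            return replace(pkt, dst=entry.inside_ip)
    return pkt


def apply_nat_server_reverse(pkt: Packet, server_map: List[NatServer]) -> Packet:
    """Outbound direction (the 'Nat Server Reverse' entry): when the server replies,
    rewrite its Inside source address back to the Global address."""
    for entry in server_map:
        if pkt.src == entry.inside_ip:
            return replace(pkt, src=entry.global_ip)
    return pkt


def packet_filter(pkt: Packet, rules: List[AclRule], default: str = "deny") -> str:
    """First matching rule wins; with no match the inter-zone default applies
    (assumed to be deny in this model)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def inbound_decision(pkt: Packet, server_map: List[NatServer], rules: List[AclRule]) -> str:
    """Order described in Step 3: NAT Server is applied first, and the ACL is
    evaluated against the already-translated packet."""
    translated = apply_nat_server(pkt, server_map)
    return packet_filter(translated, rules)


SERVER_MAP = [NatServer(global_ip="200.1.1.10", inside_ip="10.1.1.1")]
# ACL 3010 as displayed in Step 3: it names the Global address, which the ACL never sees.
ACL_3010_BEFORE = [AclRule("permit", "ip", "200.1.1.10", "0")]
# ACL 3010 after the Step 4 change: it names the Inside address.
ACL_3010_AFTER = [AclRule("permit", "ip", "10.1.1.1", "0")]


def demo() -> dict:
    # Constructed sample: an Untrust client opening the FTP control connection (port 21).
    client_syn = Packet(src="198.51.100.7", dst="200.1.1.10", proto="tcp", dport=21)
    return {
        "before_fix": inbound_decision(client_syn, SERVER_MAP, ACL_3010_BEFORE),
        "after_fix": inbound_decision(client_syn, SERVER_MAP, ACL_3010_AFTER),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Running the block prints `before_fix: deny` and `after_fix: permit`: with the original rule the translated packet (destination 10.1.1.1) matches nothing and falls through to the default, which is exactly the symptom in the issue description. The reverse entry is modelled too, because the same ordering is why the server's replies leave the firewall with the Global address as source.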
Root Cause
Reason 1: NAT Server parameters are configured incorrectly.
Reason 2: the packet filter does not permit the traffic.
Reason 3: for a multichannel protocol such as FTP, NAT ALG has not been configured.
Reason 4: the route is unreachable.
Suggestions
When NAT Server is used together with packet filtering and the ACL rules in the packet filter need to reference the NAT Server's IP address, that address must be the Inside address of the NAT Server.
