The users network structure:
Intranet the ----- Eudemon (184.108.40.206/28) public network ----220.127.116.11/27
The Eudemon public network interface address 18.104.22.168/28, 22.214.171.124 ban ping
Intranet users access 126.96.36.199 1111 port through nat, it can not connect successfully. The intranet users nat Internet normal
Telnet 188.8.131.52 1111 in Eudemon device directly, it can not connect
Configure Public network address on pc, it can visit 184.108.40.206 1111 port.
other firewall customers previously used is no problem, it can connect successfully.
1. The public network address 220.127.116.11/28 all mapped to an address of the internal network, but it can not successfully access 18.104.22.168 1111 port.
2. Try to modify 22.214.171.124 mask to 27 bit which is same with 126.96.36.199, connection is successful after a short period of time the, but then interrupted, it can no longer connect successfully
3. View on the firewall session, there was session visiting 188.8.131.52
4. View debugg information on the firewall:
It can see that 184.108.40.206 request directly for ARP, the device think it is in the same network segments, our mask is 28 bit, that is in the different network segments with this IP, it will not response ARP request. The peer side can not learn ARP requests, causing barrier. In normal circumstances, the peer device should request the gateway arp information.
27 mask instead, our equipment will send gratuitous ARP, so the peer side appear a short pass, the ARP aging, etc., once again appear unreasonable.
5. Eudemon 100E 220.127.116.11 mask changed to 24 that solve the problem, it doubts that 18.104.22.168 mask setting is probloematic, it is recommended that the user to confirm the peer side address mask setting.
1. Peer device configuration issues
2. E100E firewall policy issues