Users cannot reach port 1111 on a public network address through the Eudemon 100E firewall

Publication Date: 2012-11-27
Issue Description
The user's network structure:

Intranet ----- Eudemon (81.8.8.86/28) ----- public network ----- 81.8.8.18/27
The Eudemon's public network interface address is 81.8.8.86/28. 81.8.8.18 does not allow ping.
Intranet users access port 1111 on 81.8.8.18 through NAT, but the connection fails. Other Internet access through NAT works normally for intranet users.
Running telnet 81.8.8.18 1111 directly on the Eudemon device also fails to connect.
A PC configured with a public network address can reach port 1111 on 81.8.8.18.
With the other firewall the customer used previously there was no problem; the connection succeeded.
Alarm Information
NULL
Handling Process
1. Mapped the public network address 81.8.8.86/28 entirely to an address on the internal network, but port 1111 on 61.8.8.18 still could not be accessed.

2. Changed the mask of 81.8.8.86 to 27 bits, the same as 81.8.8.18. The connection succeeded for a short period of time, but was then interrupted and could no longer be established.

3. Checked the session table on the firewall: there was a session to 81.8.8.18.

4. Checked the debug information on the firewall:

The debug output shows that 81.8.8.18 sends ARP requests directly for the device's address, which means the peer considers the device to be in its own network segment. Our mask is 28 bits, so from the device's point of view this IP is in a different network segment, and the device does not respond to the ARP request. The peer therefore cannot learn the device's ARP entry, and traffic is blocked. Under normal circumstances, the peer device should request the gateway's ARP information instead.

With a 27-bit mask instead, our device sends a gratuitous ARP, so the peer can communicate for a short time; once that ARP entry ages out, the fault appears again.

5. Changing the mask of 81.8.8.86 on the Eudemon 100E to 24 bits solved the problem. This suggests that the mask configured on 81.8.8.18 is problematic; the user is advised to confirm the mask setting of the peer address.
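
The subnet arithmetic behind steps 4 and 5, as an added example (not part of the original case and not Huawei tooling): it classifies whether the two hosts agree on being on-link for each mask combination. The peer prefix lengths other than /27 are hypothetical, since the case never confirms the peer's real mask, and the function names are this example's own.

```python
import ipaddress

FIREWALL_IP, PEER_IP = "81.8.8.86", "81.8.8.18"   # addresses from the case

def arp_view(a_if: str, b_if: str) -> str:
    """Classify how two hosts (each given as 'addr/prefix') see each other at layer 2."""
    a, b = ipaddress.ip_interface(a_if), ipaddress.ip_interface(b_if)
    a_direct = b.ip in a.network   # a would ARP for b itself
    b_direct = a.ip in b.network   # b would ARP for a itself
    if a_direct and b_direct:
        return "symmetric-direct"  # both sides ARP for each other
    if not a_direct and not b_direct:
        return "symmetric-routed"  # both sides ARP for their gateway
    # One side ARPs directly while the other sees the requester as off-subnet;
    # this is the situation the debug output in step 4 describes.
    return "asymmetric"

def longest_direct_prefix(local_ip: str, remote_ip: str) -> int:
    """Longest prefix length at which local_ip still treats remote_ip as on-link."""
    a = int(ipaddress.ip_address(local_ip))
    b = int(ipaddress.ip_address(remote_ip))
    return 32 - (a ^ b).bit_length()   # number of leading bits the two share

def survey(peer_prefixes=(27, 25, 24)):
    """Firewall masks tried in the case (/28, /27, /24) against candidate peer masks."""
    rows = []
    for fw_len in (28, 27, 24):
        for peer_len in peer_prefixes:   # /25 and /24 are hypothetical peer masks
            view = arp_view(f"{FIREWALL_IP}/{fw_len}", f"{PEER_IP}/{peer_len}")
            rows.append((fw_len, peer_len, view))
    return rows

if __name__ == "__main__":
    limit = longest_direct_prefix(PEER_IP, FIREWALL_IP)
    print(f"peer ARPs directly for {FIREWALL_IP} only if its prefix is /{limit} or shorter")
    for fw_len, peer_len, view in survey():
        print(f"firewall /{fw_len:<2}  peer /{peer_len:<2}  {view}")
```

If the peer really used /27, neither side would ARP directly at the firewall's /28 or /27, so the direct ARP requests seen in step 4 are consistent with a peer prefix of /25 or shorter, which is why the peer's mask is the setting to verify.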
Root Cause
1. Peer device configuration issues
2. E100E firewall policy issues
Suggestions
NULL
