The users network structure:
Intranet the ----- Eudemon (220.127.116.11/28) public network ----18.104.22.168/27
The Eudemon public network interface address 22.214.171.124/28, 126.96.36.199 ban ping
Intranet users access 188.8.131.52 1111 port through nat, it can not connect successfully. The intranet users nat Internet normal
Telnet 184.108.40.206 1111 in Eudemon device directly, it can not connect
Configure Public network address on pc, it can visit 220.127.116.11 1111 port.
other firewall customers previously used is no problem, it can connect successfully.
1. The public network address 18.104.22.168/28 all mapped to an address of the internal network, but it can not successfully access 22.214.171.124 1111 port.
2. Try to modify 126.96.36.199 mask to 27 bit which is same with 188.8.131.52, connection is successful after a short period of time the, but then interrupted, it can no longer connect successfully
3. View on the firewall session, there was session visiting 184.108.40.206
4. View debugg information on the firewall:
It can see that 220.127.116.11 request directly for ARP, the device think it is in the same network segments, our mask is 28 bit, that is in the different network segments with this IP, it will not response ARP request. The peer side can not learn ARP requests, causing barrier. In normal circumstances, the peer device should request the gateway arp information.
27 mask instead, our equipment will send gratuitous ARP, so the peer side appear a short pass, the ARP aging, etc., once again appear unreasonable.
5. Eudemon 100E 18.104.22.168 mask changed to 24 that solve the problem, it doubts that 22.214.171.124 mask setting is probloematic, it is recommended that the user to confirm the peer side address mask setting.
1. Peer device configuration issues
2. E100E firewall policy issues