Users in the Trust zone cannot access the DMZ server because "nat server" was not configured correctly

Publication Date: 2012-11-27
Issue Description
As shown in the figure, a USG is deployed at the egress of an enterprise network. The internal users belong to the Trust zone and connect to the USG through interface GE0/0/2. The FTP server belongs to the DMZ zone, provides FTP service to both internal and external users, and connects to the USG through interface GE0/0/1. Interface GE0/0/3 of the USG connects to the Internet and belongs to the Untrust zone.
NAT is enabled on the firewall. The relevant configuration is as follows:
[sysname-interzone-trust-untrust] nat outbound 2000 address-group 1
[sysname] nat server global 211.1.1.8 inside 192.168.2.2
Here 211.1.1.8 is the public IP address of the FTP server.
After the configuration is complete, users in the Trust zone cannot access the FTP server by its private address 192.168.2.2; they can only reach it by its public address 211.1.1.8.
Alarm Information
None.
Handling Process
Modify the nat server command by adding the keyword "zone", so that the mapping applies only between the DMZ and Untrust zones.
[sysname] nat server zone untrust global 211.1.1.8 inside 192.168.2.2
Root Cause
The nat server command was configured without the "zone" keyword, so the static mapping between 211.1.1.8 and 192.168.2.2 was applied on every interzone path, including Trust to DMZ. When a Trust user sent a request directly to 192.168.2.2, the server's reply was translated back to the public address 211.1.1.8 (the reverse of the nat server mapping), so the reply no longer matched the session created for the request and was dropped. Only requests sent to the public address 211.1.1.8 created a session that the return traffic matched.
Suggestions
When configuring "nat server" for a server in the DMZ zone, if users in the Trust zone need to access the FTP server by its private address, you must specify the "zone" keyword so that the mapping is applied only to the Untrust zone.
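The following is an added example of the complete configuration in the USG CLI syntax used above, with the problem "nat server" line shown beside the corrected one; it is not configuration taken from the original case. The Trust subnet (192.168.1.0/24), the ACL number 2000 and the outbound address pool 211.1.1.9 are assumed, since the page does not state them; the zones, interfaces and server addresses are those described in the issue.

```text
# Zones and interfaces, as described in the issue
firewall zone trust
 add interface GigabitEthernet0/0/2
firewall zone dmz
 add interface GigabitEthernet0/0/1
firewall zone untrust
 add interface GigabitEthernet0/0/3
#
# Assumed internal subnet of the Trust users (not stated on the page)
acl number 2000
 rule 5 permit source 192.168.1.0 0.0.0.255
#
# Assumed public address pool for outbound source NAT (not stated on the page)
nat address-group 1 211.1.1.9 211.1.1.9
#
firewall interzone trust untrust
 nat outbound 2000 address-group 1
#
# Problem configuration: no zone keyword, so the mapping applies on every
# interzone path, including Trust -> DMZ, and the server's replies to Trust
# users are translated to 211.1.1.8 and no longer match the session.
# nat server global 211.1.1.8 inside 192.168.2.2
#
# Corrected configuration: the mapping is bound to the Untrust zone only, so
# Trust users reach the server at 192.168.2.2 and Internet users at 211.1.1.8.
nat server zone untrust global 211.1.1.8 inside 192.168.2.2
```

After the change, check the result with "display firewall server-map", which should show the 211.1.1.8 to 192.168.2.2 entry bound to zone untrust, and with "display firewall session table" while a Trust user connects to 192.168.2.2, which should now show a session between the user's address and 192.168.2.2 instead of a dropped reply.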
