NAT Server service fails on E8000E firewall

Publication Date: 2013-02-16
Issue Description
Two NAT Server commands are configured on the E8160E to translate the private IP addresses of two servers to public IP addresses, so that users can reach the servers from the Internet through the public addresses. However, users cannot access the servers from the Internet. The corresponding sessions can sometimes be found on the E8160E, and sometimes cannot.
Here is the NAT Server configuration:
nat server  protocol tcp global 180.194.32.25 16129 inside 10.159.167.68 16129
nat server  protocol tcp global 180.194.32.26 smtp inside 10.159.167.66 22
Alarm Information
N/A
Handling Process
1. We checked the firewall configuration and found no problem.
2. We tried to access the global IP address of the NAT Server from the Internet, and the access failed. During the attempts, the corresponding sessions could sometimes be found on the E8160E, and sometimes not.
3. We suspected that the next-hop router of the firewall had no return route for the global IP address of the NAT Server. However, the customer said that NAT Outbound on the firewall uses the same global IP addresses and that the NAT Outbound service works normally, which proves that the next-hop router has the return route.
Here is the NAT Outbound configuration:
nat address-group 33  180.194.32.1 180.194.32.254
4. We suggested that the customer change the global IP address of the NAT Server. After the change, the service worked normally.
Root Cause
On E8000E series firewalls, a NAT address pool is bound to a specific CPU. If an address in the NAT address pool is the same as an interface IP address of the firewall or the global IP address of a NAT Server, the LPU board selects the wrong CPU, and the NAT service fails.
Suggestions
On E8000E firewalls, make sure that the addresses in the NAT address pool do not overlap with any interface IP address of the firewall or with the global IP address of any NAT Server.
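The check recommended above can be automated before a change is deployed. The following Python sketch is an added example, not a Huawei tool: it parses only the `nat address-group` and `nat server ... global` line forms quoted in this case and reports NAT Server global addresses or interface addresses that fall inside a NAT address pool. The function names, the `interface_ips` parameter, and the interface address used in the demo run are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the configuration lines quoted in this case.
SAMPLE_CONFIG = """\
nat address-group 33  180.194.32.1 180.194.32.254
nat server  protocol tcp global 180.194.32.25 16129 inside 10.159.167.68 16129
nat server  protocol tcp global 180.194.32.26 smtp inside 10.159.167.66 22
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
POOL_RE = re.compile(r"^\s*nat address-group\s+(\S+)\s+" + IPV4 + r"\s+" + IPV4, re.M)
SERVER_RE = re.compile(r"^\s*nat server\b.*?\bglobal\s+" + IPV4, re.M)


def parse_pools(config):
    """Return {group_id: (first_ip, last_ip)} for each nat address-group line."""
    return {
        group: (ipaddress.ip_address(first), ipaddress.ip_address(last))
        for group, first, last in POOL_RE.findall(config)
    }


def parse_server_globals(config):
    """Return the global (public) address of each nat server line."""
    return [ipaddress.ip_address(ip) for ip in SERVER_RE.findall(config)]


def find_conflicts(config, interface_ips=()):
    """Return (kind, address, group_id) for each address inside a NAT pool.

    interface_ips is supplied by the caller (hypothetical parameter), so the
    sketch does not depend on how interface addresses appear in the config.
    """
    pools = parse_pools(config)
    candidates = [("nat-server-global", ip) for ip in parse_server_globals(config)]
    candidates += [("interface", ipaddress.ip_address(ip)) for ip in interface_ips]
    return [
        (kind, str(ip), group)
        for kind, ip in candidates
        for group, (first, last) in pools.items()
        if first <= ip <= last
    ]


if __name__ == "__main__":
    # 180.194.32.254 is a constructed interface address used only for this demo.
    for kind, ip, group in find_conflicts(SAMPLE_CONFIG, ["180.194.32.254"]):
        print(f"CONFLICT: {kind} {ip} is inside nat address-group {group}")
```

Run against the configuration from this case, the check flags both NAT Server global addresses as members of address group 33, which is the overlap identified in the root cause.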
