Unable to Tracert Global Address of the NAT Server

Publication Date: 2013-05-02
Issue Description
NAT Server is configured on the firewall to map one server on the intranet. From the PC, the global address of the NAT server on the firewall can be pinged, but tracert to it fails: the result shows that the destination is unreachable.
Networking: Router---Firewall---Cloud---PC.
Alarm Information
None
Handling Process
1. The ping command runs normally, which indicates that routes and packet filtering are normal. During the ping, the session table on the firewall is normal and shows the global address translated into the intranet address. During the tracert, no session table entry is displayed.
2. Packets are captured on the client. The capture shows that the firewall replies with a destination unreachable packet, whereas in a normal case it should reply with a TTL expiration packet. The cause cannot be located from the capture alone.
3. Debugging is enabled on the firewall. The output shows that the data plane is going to send the TTL expiration packet.
4. The TTL expiration packet should be sent during data plane handling. When the original packet is sent to the VRP, the destination address is still the global address. When the VRP searches for the route, it cannot find one because on the live network no route to this address is configured. Therefore, a route unreachable packet is returned instead. If a default route is configured on the live network, the VRP sends the TTL expiration packet as expected.
Root Cause
The TTL expiration packet should be sent during data plane handling. When the original packet is sent to the VRP, destination NAT has not yet been carried out, so the destination address is still the global address. When the VRP searches for the route, it cannot find one because on the live network no route to this address is configured. Therefore, a destination unreachable packet is returned instead of the TTL expiration packet. If a default route (a route covering the global address) is configured on the live network, the VRP sends the TTL expiration packet as expected.
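The sequence described in the handling process and root cause, as a small Python model added here (not Huawei code or firewall output; addresses, hop names and the route list are constructed): the data plane handles TTL expiry before destination NAT, so the punted probe still carries the global address and the VRP reply depends on whether that address is routable.

```python
import ipaddress
# Constructed addresses for the model (not from the original article).
GLOBAL_ADDR = "203.0.113.10"   # NAT Server global address on the firewall
INSIDE_ADDR = "192.168.1.10"   # real server address on the intranet

class PlainRouter:
    """Cloud/Router hop: decrement TTL, answer Time Exceeded when it reaches 0."""
    def __init__(self, name):
        self.name = name
    def handle(self, dst, ttl):
        if ttl - 1 == 0:
            return ("time-exceeded", self.name, dst, 0)
        return ("forward", self.name, dst, ttl - 1)

class Firewall(PlainRouter):
    """TTL is checked on the data plane before DNAT; an expiring probe is punted to the
    VRP still addressed to the global address, which the VRP must have a route for."""
    def __init__(self, name, nat_server, vrp_routes):
        super().__init__(name)
        self.nat_server = nat_server
        self.vrp_routes = [ipaddress.ip_network(r) for r in vrp_routes]
    def handle(self, dst, ttl):
        if ttl - 1 == 0:   # punted to VRP with dst still = global address
            routable = any(ipaddress.ip_address(dst) in n for n in self.vrp_routes)
            kind = "time-exceeded" if routable else "destination-unreachable"
            return (kind, self.name, dst, 0)
        # Normal forwarding: session created, DNAT applied, TTL decremented.
        return ("forward", self.name, self.nat_server.get(dst, dst), ttl - 1)

def build_path(vrp_routes):
    # Router---Firewall---Cloud---PC, listed in the order a probe from the PC meets it.
    fw = Firewall("firewall", {GLOBAL_ADDR: INSIDE_ADDR}, vrp_routes)
    return [PlainRouter("cloud"), fw, PlainRouter("router")]

def probe(path, dst, ttl):
    """One probe toward dst; returns (replying hop, ICMP reply kind)."""
    for node in path:
        kind, name, dst, ttl = node.handle(dst, ttl)
        if kind != "forward":
            return (name, kind)
    return ("server", "echo-reply" if dst == INSIDE_ADDR else "no-reply")

def ping(path, dst):
    return probe(path, dst, 64)[1]   # default TTL never expires on this short path

def tracert(path, dst, max_hops=8):
    hops = []
    for ttl in range(1, max_hops + 1):
        hops.append(probe(path, dst, ttl))
        if hops[-1][1] in ("echo-reply", "destination-unreachable"):
            break
    return hops
```

With an empty VRP route list, ping still succeeds through DNAT while tracert stops at the firewall with destination unreachable; adding a default route makes the firewall answer Time Exceeded and the trace reaches the server.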
Suggestions
Add a route to the NAT server's global address (for example, a default route) on the firewall according to the networking.