External Network Users Cannot Access Internal Servers After the NAT Server Is Configured

Publication Date: 2015-04-01
Issue Description
Networking:




Fault Symptom:


The internal servers are required to provide Telnet and web services to external network users. The configuration is as follows:

interface GigabitEthernet0/0/1
 ip address 202.1.1.1 255.255.255.0
 nat server protocol tcp global current-interface telnet inside 1.1.1.2 telnet
 nat server protocol tcp global current-interface www inside 1.1.1.2 www

After the NAT server is configured, public network users cannot use Telnet to access the AR through the public network address 202.1.1.1:23 or use the web mode to access the AR through the public network address 202.1.1.1:80.
Handling Process
The configuration shows that well-known port numbers are used to provide services for external network users. The NAT server is unavailable because the carrier has disabled the two well-known port numbers on the Internet. Change the external port numbers to non-well-known port numbers as follows:

interface GigabitEthernet0/0/1
 ip address 202.1.1.1 255.255.255.0
 nat server protocol tcp global current-interface 1334 inside 1.1.1.2 telnet
 nat server protocol tcp global current-interface 1335 inside 1.1.1.2 www
Suggestions
If the carrier has disabled the external port numbers specified for the NAT server, the NAT server is unavailable. Therefore, you are advised to use non-well-known port numbers as external port numbers when you configure the NAT server.
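The suggestion above can be checked against a saved configuration before deployment. The following Python code is an added example, not part of the original case or of any vendor tooling; it parses nat server lines in the form shown on this page and flags mappings whose external port is in the well-known range 0-1023. The function names and the keyword table (limited to telnet and www, the two keywords used on this page) are assumptions.

```python
import re

# Port keywords used in the configuration on this page (assumed table, not exhaustive).
PORT_KEYWORDS = {"telnet": 23, "www": 80}
WELL_KNOWN_MAX = 1023  # well-known (system) ports are 0-1023

NAT_RE = re.compile(
    r"^\s*nat server protocol (?P<proto>tcp|udp) global (?P<gaddr>\S+) "
    r"(?P<gport>\S+) inside (?P<iaddr>\S+) (?P<iport>\S+)\s*$"
)

def port_number(token):
    """Resolve a numeric port or a known keyword; reject anything else."""
    if token.isdigit():
        return int(token)
    if token in PORT_KEYWORDS:
        return PORT_KEYWORDS[token]
    raise ValueError(f"unknown port keyword: {token}")

def audit_nat_servers(config_text):
    """Return one record per nat server mapping, tagged with its interface."""
    findings, interface = [], None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            interface = line.split(None, 1)[1].strip()
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        gport = port_number(m["gport"])
        findings.append({
            "interface": interface,
            "protocol": m["proto"],
            "global_port": gport,
            "inside": f'{m["iaddr"]}:{port_number(m["iport"])}',
            "well_known": gport <= WELL_KNOWN_MAX,  # candidate for carrier blocking
        })
    return findings

# The two configurations from this page: before and after the fix.
SAMPLE_BEFORE = """interface GigabitEthernet0/0/1
 ip address 202.1.1.1 255.255.255.0
 nat server protocol tcp global current-interface telnet inside 1.1.1.2 telnet
 nat server protocol tcp global current-interface www inside 1.1.1.2 www
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("interface telnet", "interface 1334").replace(
    "interface www", "interface 1335")

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for f in audit_nat_servers(cfg):
            print(name, f)
```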

The troubleshooting procedure when the NAT server function does not take effect is as follows:

Use the display nat session all command to check whether NAT entries exist.
  • If no entry is found, check whether the mapped public IP addresses can be used and whether the external port numbers are disabled.
  • If entries are found, check whether there are error statistics, then capture packets on the interfaces and analyze them.
