An External User Cannot Access an Internal Server After the Firewall or NAT Server Is Configured

Publication Date: 2015-04-01
Issue Description
Networking:

[Topology figure not reproduced; see the interface description under Handling Process.]

Fault Symptom:

After the firewall service is configured on the AR, external users cannot access the internal server. When the firewall service is removed, access is restored.

The configuration file is as follows:

#
acl number 2001
 rule 0 permit source 10.0.1.0 0.0.0.255
 rule 1 permit source 10.0.2.0 0.0.0.255
 rule 2 permit source 10.0.3.0 0.0.0.255
 rule 3 permit source 10.0.0.0 0.0.0.255
 rule 4 permit source 10.0.30.0 0.0.0.255
 rule 5 deny
#
acl number 3102
 rule 5 permit tcp destination 10.0.0.13 0
 rule 45 deny ip
#
firewall zone untrust
 priority 1
#
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
#
interface Vlanif30
 ip address 10.0.30.1 255.255.255.0
 zone trust
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/1
 ip address 209.29.234.51 255.255.255.248
 nat server protocol tcp global current-interface 9010 inside 10.0.0.231 9010
 nat server protocol tcp global current-interface 9012 inside 10.0.0.232 9012
 nat server protocol tcp global current-interface 9014 inside 10.0.0.233 9014
 nat server protocol tcp global current-interface 9016 inside 10.0.0.234 9016
 nat server protocol tcp global current-interface 4899 inside 10.0.0.50 4899
 nat server protocol tcp global current-interface 5430 inside 10.0.0.36 5430
 nat server protocol tcp global current-interface 8081 inside 10.0.0.94 8081
 nat server global 209.29.234.51 inside 10.0.0.13
 nat outbound 2001
 zone untrust
#
Handling Process
Eth0/0/4 connects to the internal server, GE0/0/1 connects to the Internet, and the firewall service is configured on the trust-untrust interzone.

On the AR, a packet arriving from the external network is processed by the firewall first and by NAT afterwards. When an external user accesses an internal server (for example, the server 10.0.0.13, which nat server publishes as the public address 209.29.234.51), the inbound packet-filter ACL is evaluated before nat server translates the destination address, so the ACL sees destination 209.29.234.51, not 10.0.0.13. Rule 5 of ACL 3102 permits only TCP traffic to 10.0.0.13, which never matches at that point; the packet falls through to rule 45 (deny ip) and is dropped. The ACL rule must therefore match the public address 209.29.234.51. After the configuration is modified, the fault is rectified.

The modified configuration is as follows (in the ACL 3102 view, rule 5 is re-entered with the public address):

acl number 3102
 rule 5 permit tcp destination 209.29.234.51 0
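To make the processing order concrete, the following Python script (an added example, not Huawei code) models the inbound path the case describes: it parses the ACL, interzone packet-filter and nat server commands from a configuration, evaluates the inbound ACL against the packet as it looks before nat server translation (destination = public address), and reports the verdict for each mapping. It also flags permit rules whose destination is a nat server inside address rather than the global address it is published on, which is the mistake in this case. The configuration text is a constructed excerpt of the one above; the source address 203.0.113.7, the function names, the "no matching rule means deny" default and the restriction to the command forms used in this case are assumptions of the model, not VRP behaviour documented on this page.

```python
"""Added example, not Huawei code: model the AR's inbound order (interzone packet-filter
first, then NAT server) and lint a VRP config for ACL rules that match the inside address
instead of the global one; parses only the command forms used in this case."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "num action proto src dst dport")  # src/dst: (value, care_mask) or None
NatServer = namedtuple("NatServer", "proto global_addr global_port inside_addr")  # proto None = 1:1

def _wild(addr, wildcard):
    """VRP wildcard: 1 bits are don't-care; "0" is shorthand for 0.0.0.0."""
    care = ~(0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care, care

def _matches(spec, ip):
    return spec is None or int(ipaddress.IPv4Address(ip)) & spec[1] == spec[0]

def parse_rule(line):
    """rule N {permit|deny} [proto] [source A W|any] [destination A W|any] [destination-port eq P]"""
    t = line.split()
    proto, i = (t[3], 4) if len(t) > 3 and t[3] not in ("source", "destination") else ("ip", 3)
    src = dst = dport = None
    while i < len(t):
        if t[i] in ("source", "destination") and t[i + 1] != "any":
            spec = _wild(t[i + 1], t[i + 2])
            src, dst = (spec, dst) if t[i] == "source" else (src, spec)
            i += 3
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            dport, i = int(t[i + 2]), i + 3
        else:
            i += 1                                   # keyword this model ignores
    return Rule(int(t[1]), t[2], proto, src, dst, dport)

def _parse_nat_server(t, current_ip):
    """nat server [protocol P] global {G|current-interface} [GP] inside I [IP] (ip address parsed first)"""
    proto, i = (t[3], 4) if t[2] == "protocol" else (None, 2)
    gaddr = current_ip if t[i + 1] == "current-interface" else t[i + 1]
    gport = None if t[i + 2] == "inside" else int(t[i + 2])
    return NatServer(proto, gaddr, gport, t[t.index("inside") + 1])

def parse_config(text):
    """Collect ACL rules, NAT server mappings and interzone packet-filters."""
    acls, servers, filters, iface_ip, ctx, name = {}, [], [], {}, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "#":
            ctx = None                               # "#" ends the current view
        elif t[:2] == ["acl", "number"]:
            ctx, name, acls[int(t[2])] = "acl", int(t[2]), []
        elif t[0] == "interface":
            ctx, name = "interface", t[1]
        elif t[:2] == ["firewall", "interzone"]:
            ctx, name = "interzone", tuple(t[2:4])
        elif ctx == "acl" and t[0] == "rule":
            acls[name].append(parse_rule(raw))
        elif ctx == "interface" and t[:2] == ["ip", "address"]:
            iface_ip[name] = t[2]
        elif ctx == "interface" and t[:2] == ["nat", "server"]:
            servers.append(_parse_nat_server(t, iface_ip.get(name)))
        elif ctx == "interzone" and t[0] == "packet-filter":
            filters.append((int(t[1]), t[2]))
    return acls, servers, filters

def evaluate(rules, proto, src, dst, dport):
    """First match in rule-number order wins (VRP config match order); no match is
    treated as deny (model assumption; the case ACL ends in an explicit deny anyway)."""
    for r in sorted(rules, key=lambda r: r.num):
        if (r.proto in ("ip", proto) and _matches(r.src, src)
                and _matches(r.dst, dst) and r.dport in (None, dport)):
            return r.action
    return "deny"

def inbound_results(config, src="203.0.113.7"):
    """Inbound packet-filter verdict on the pre-NAT packet of every NAT server mapping:
    the ACL runs before NAT server rewrites the packet, so it sees the global address."""
    acls, servers, filters = parse_config(config)
    out = {}
    for acl_num, direction in filters:
        for ns in servers if direction == "inbound" else []:
            out[(ns.global_addr, ns.global_port, ns.inside_addr)] = evaluate(
                acls.get(acl_num, []), ns.proto or "tcp", src, ns.global_addr, ns.global_port)
    return out

def inside_address_rules(config):
    """Inbound permit rules whose destination matches a NAT inside address but not the
    global address it is published on: the bug in this case."""
    acls, servers, filters = parse_config(config)
    return [(acl_num, r.num, ns.inside_addr, ns.global_addr)
            for acl_num, direction in filters if direction == "inbound"
            for r in acls.get(acl_num, []) if r.action == "permit" and r.dst
            for ns in servers if _matches(r.dst, ns.inside_addr) and not _matches(r.dst, ns.global_addr)]

# Constructed sample: the relevant part of the case configuration before the fix.
BROKEN_CONFIG = """\
acl number 3102
 rule 5 permit tcp destination 10.0.0.13 0
 rule 45 deny ip
#
firewall interzone trust untrust
 packet-filter 3102 inbound
#
interface GigabitEthernet0/0/1
 ip address 209.29.234.51 255.255.255.248
 nat server protocol tcp global current-interface 9010 inside 10.0.0.231 9010
 nat server global 209.29.234.51 inside 10.0.0.13
"""
# The fix from the case: match the global address the ACL actually sees.
FIXED_CONFIG = BROKEN_CONFIG.replace("destination 10.0.0.13 0", "destination 209.29.234.51 0")
```

On the original excerpt inbound_results returns deny for every mapping, including the port forward on 9010, because the only permit rule names the inside address 10.0.0.13 and the final deny ip catches everything else; on the corrected excerpt every mapping is permitted and inside_address_rules returns nothing. The same model can be pointed at a full display current-configuration dump to find other inbound rules written against inside addresses.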
Suggestions
Be familiar with the order in which services process a packet, and make sure each ACL rule matches the address the packet carries at the point where the ACL is applied. For an inbound packet-filter on the trust-untrust interzone, that is the address before nat server translation, that is, the public (global) address. Every nat server mapping that must be reachable from the Internet needs a permit rule for its public address (and port, if the rule specifies one) ahead of the final deny rule; the deny ip rule at the end of ACL 3102 applies equally to the port-based nat server mappings on GigabitEthernet0/0/1. After changing the ACL, confirm which rule the traffic hits with display acl 3102.
