Policy-based Routing Does Not Take Effect in Dual-egress Scenarios When NAT Server Is Configured

Publication Date:  2015-12-24 Views:  218 Downloads:  0
Issue Description
NAT Server port mapping is configured on the firewall for providing services to Internet users. A policy-based route is configured to forward the return traffic from the interface (ISP1) with the mapped public address to the Internet. In this case, forward and return traffic can travel through the same path. A default route to ISP2 is configured, so that intranet users access the Internet over ISP2 network, but they fail to access the intranet server from the Internet.

Handling Process
Step 1  The fault might be caused by incorrect NAT Server port configuration. Then the customer is suggested to configure full mapping for a test, but the access still fails. Then the customer displays the session table on the firewall and finds that the firewall does forward the packets but does not have any return session. Check the policy-based route. It is found that the source in the ACL contains the server IP address, and the next hop of the policy-based route is the outbound interface of the firewall (Apply output-interface XXX).

Step 2  The fault might also be caused if the carrier does not enable the proxy ARP function on the remote device. Therefore, the policy-based route is changed to apply ip-address next-hop XXXX (interface address of the peer device of the carrier). Then the fault is rectified.
Root Cause
Incorrect policy-based route configuration causes this fault, for example:

Policy-based-route abc permit nod 0
If-match acl XXXX
Apply output-interface XXX

The preceding configuration shows that, the next hop of the policy-based route is the outbound interface. As a result, the firewall considers that the remote destination network is directly connected to itself. For example, to access IP address, the firewall sends an ARP packet to request for the MAC address corresponding to IP address from this outbound interface. If the proxy ARP function has been configured on the peer device of the firewall, the peer device will respond to the request with the MAC address of the interface directly connected to the firewall enclosed. This scenario is usually applied to carriers' broadband access services, and the proxy ARP function is enabled on the Bras device. Therefore, the next hop of the default routes to broadband users is set to the dialer interface. If the proxy ARP function is disabled on the peer device and the next hop is set to the outbound interface, the network failure will occur.
When configuring a static route or policy-based route, set the next hop to the IP address of the peer device, not to the outbound interface, except the dial-up scenario, because if the proxy ARP function is not enabled on the peer device, the network will not be connected.