AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining AR enterprise routers, covering common information collection and fault diagnosis commands, typical fault troubleshooting guidance, and troubleshooting cases.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
An External User Cannot Access an Internal Server After the Firewall or NAT Server Is Configured
This section describes a case in which an external user cannot access an internal server after the firewall or NAT server is configured.

Networking

Fault Symptom

After the firewall is configured on the AR, external users cannot access the internal server. After the firewall service is deleted, the fault is rectified.

The configuration file is as follows:

#
acl number 2001
rule 0 permit source 10.0.1.0 0.0.0.255
rule 1 permit source 10.0.2.0 0.0.0.255
rule 2 permit source 10.0.3.0 0.0.0.255
rule 3 permit source 10.0.0.0 0.0.0.255
rule 4 permit source 10.0.30.0 0.0.0.255
rule 5 deny
#
acl number 3102
rule 5 permit tcp destination 10.0.0.13 0
rule 45 deny ip
firewall zone untrust
 priority 1
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
interface Vlanif30
 ip address 10.0.30.1 255.255.255.0
 zone trust
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/1
 ip address 209.29.234.51 255.255.255.248
 nat server protocol tcp global current-interface 9010 inside 10.0.0.231 9010
 nat server protocol tcp global current-interface 9012 inside 10.0.0.232 9012
 nat server protocol tcp global current-interface 9014 inside 10.0.0.233 9014
 nat server protocol tcp global current-interface 9016 inside 10.0.0.234 9016
 nat server protocol tcp global current-interface 4899 inside 10.0.0.50 4899
 nat server protocol tcp global current-interface 5430 inside 10.0.0.36 5430
 nat server protocol tcp global current-interface 8081 inside 10.0.0.94 8081
 nat server global 209.29.234.51 inside 10.0.0.13
 nat outbound 2001
 zone untrust

Fault Analysis

Eth0/0/4 connects to the internal server, GE0/0/1 connects to the Internet, and the firewall service is configured.

Packets arriving from the external network are processed by the firewall first and then by NAT. When external users access an internal server (for example, the internal server with private address 10.0.0.13 that is published at public address 209.29.234.51), the packet filter of the firewall service inspects the destination address before the NAT server translates it. The ACL rule of the firewall service must therefore match public network address 209.29.234.51, not the private address 10.0.0.13 that the original rule 5 in ACL 3102 specifies. After the configuration is modified, the fault is rectified.

The modified configuration is as follows:

acl number 3102
rule 5 permit tcp destination 209.29.234.51 0
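The following is an added example, not Huawei code or part of this document, that models the inbound processing order described above (firewall packet filter first, then NAT server translation) and shows why the original ACL drops the traffic while the corrected one forwards it. The wildcard-mask matching follows the ACL semantics used on the page (a 0 bit in the wildcard means that address bit must match); the implicit-deny behaviour for packets matching no rule is an assumption and does not affect this case, because both ACLs end with an explicit deny rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    dst: str = "0.0.0.0"                # destination address in the rule
    wildcard: str = "255.255.255.255"   # 0 bit = must match, 1 bit = don't care


def matches(rule, dst_ip):
    """Wildcard-mask match as used by Huawei ACLs: bits set in the wildcard are ignored."""
    ip = int(ipaddress.IPv4Address(dst_ip))
    base = int(ipaddress.IPv4Address(rule.dst))
    care = ~int(ipaddress.IPv4Address(rule.wildcard)) & 0xFFFFFFFF
    return (ip & care) == (base & care)


def packet_filter(rules, dst_ip):
    """First matching rule wins. Unmatched packets are dropped here (constructed assumption)."""
    for rule in rules:
        if matches(rule, dst_ip):
            return rule.action == "permit"
    return False


# nat server global 209.29.234.51 inside 10.0.0.13, taken from the page's configuration
NAT_SERVER = {"209.29.234.51": "10.0.0.13"}


def inbound(rules, dst_ip):
    """Return the inside address the packet is delivered to, or None if the firewall drops it."""
    if not packet_filter(rules, dst_ip):    # firewall sees the pre-NAT (public) address
        return None
    return NAT_SERVER.get(dst_ip, dst_ip)   # NAT server translation happens afterwards


# Original acl 3102: rule 5 permit tcp destination 10.0.0.13 0 / rule 45 deny ip
ACL_BROKEN = [Rule("permit", "10.0.0.13", "0.0.0.0"), Rule("deny")]
# Corrected acl 3102: rule 5 permit tcp destination 209.29.234.51 0 / rule 45 deny ip
ACL_FIXED = [Rule("permit", "209.29.234.51", "0.0.0.0"), Rule("deny")]

if __name__ == "__main__":
    for name, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        # broken -> None (dropped before NAT), fixed -> 10.0.0.13
        print(name, inbound(acl, "209.29.234.51"))
```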

Suggestion

Be familiar with the order in which services process packets, and ensure that each ACL rule matches the address the packet carries at the point where that rule is applied.

Updated: 2019-05-10

Document ID: EDOC1000079719
