AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.

After PBR Is Configured on an AR2240 Router's Intranet Interface, Intranet Users Cannot Access the Internal Server Using the Server's Public IP Address

Keywords

AR2240, policy-based routing, public IP address, internal server, access failure

Abstract

After policy-based routing (PBR) is configured on an AR2240 router's interface connecting to the intranet, intranet users cannot access the internal server using the server's public IP address. After the PBR configuration is deleted, intranet users can access the internal server using the public IP address.

Problem Description

When PBR is configured on the AR2240 router's intranet interface GE0/0/0, HostA cannot access the internal server using the server's public IP address 2.2.2.2. After the PBR configuration is deleted, HostA can access the server using the public IP address.

Alarm

Ping the public IP address of the server from HostA. The ping operation fails.

Procedure

  1. Run the display current-configuration command to check the configuration. The command output shows that traffic from intranet users to the public IP address 2.2.2.2 is not redirected in the PBR configuration.

    # 
    acl number 2000
     rule 10 permit source 192.168.0.0 0.0.0.255 
    acl number 2999
     rule 5 permit
    acl number 3001
     rule 11 permit ip source 192.168.0.0 0.0.255.255 destination 2.2.2.2 0 
    # 
    traffic classifier vlan11 operator or
     if-match acl 3001 
    traffic classifier vlan10 operator or
     if-match acl 2000 
    # 
    traffic behavior vlan11 
    traffic behavior vlan10
     redirect ip-nexthop 1.1.1.1 
    # 
    traffic policy vlan10
     classifier vlan11 behavior vlan11
     classifier vlan10 behavior vlan10
    #
    interface GigabitEthernet0/0/0
     ip address 172.16.100.1 255.255.255.0
     traffic-policy vlan10 inbound
     nat server protocol tcp global interface GigabitEthernet0/0/2 www inside 192.168.0.140 www
    #
    interface GigabitEthernet0/0/2
     description LianTong
     ip address 2.2.2.2 255.255.255.252
     nat server protocol tcp global current-interface www inside 192.168.0.140 www
     nat outbound 2999

  2. Analyze the ping operation from HostA to the server.

    Phase 1: HostA sends data to the server.

    Source          Destination     Remarks
    192.168.1.100   2.2.2.2
    192.168.1.100   192.168.0.140   GE0/0/0 translates the public IP address 2.2.2.2 to the private IP address 192.168.0.140 based on the NAT flow table.
    172.16.100.1    192.168.0.140   GE0/0/0 translates the private IP address 192.168.1.100 to the public IP address 172.16.100.1 based on the NAT flow table.

    Phase 2: The server sends data to HostA.

    Source          Destination     Remarks
    192.168.0.140   172.16.100.1    The traffic does not match ACL 3001 and is redirected.
    192.168.0.140   192.168.1.100   GE0/0/0 translates the public IP address 172.16.100.1 to the private IP address 192.168.1.100 based on the NAT flow table.
    2.2.2.2         192.168.1.100   GE0/0/0 translates the private IP address 192.168.0.140 to the public IP address 2.2.2.2 based on the NAT flow table.

Root Cause

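When the server sends data to HostA, the return traffic (source 192.168.0.140, destination 172.16.100.1) does not match ACL 3001. It therefore matches ACL 2000 in traffic classifier vlan10 and is redirected to the next hop 1.1.1.1.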

Solution

Configure the router not to redirect traffic from intranet users to the public IP address 172.16.100.1.

    acl number 3001
     rule 11 permit ip source 192.168.0.0 0.0.255.255 destination 2.2.2.2 0
     rule 12 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.100.1 0   //Add a matching rule for traffic from intranet users to the public IP address 172.16.100.1.

The fault is rectified after the matching rule is added.
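
The following check is an added example, not part of the original Huawei document. It evaluates the page's ACLs and traffic policy vlan10 against the two flows from the procedure, before and after rule 12 is added. It assumes classifiers are evaluated in the order they are bound in the policy and that the first match wins; the function and variable names are hypothetical.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    """Huawei ACL wildcard: bits set to 1 in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def rule_match(rule, src, dst):
    s_ok = wc_match(src, *rule["src"]) if "src" in rule else True
    d_ok = wc_match(dst, *rule["dst"]) if "dst" in rule else True
    return s_ok and d_ok

# Permit rules copied from the page; "destination x 0" means wildcard 0.0.0.0.
ACL_2000 = [{"src": ("192.168.0.0", "0.0.0.255")}]
ACL_3001 = [{"src": ("192.168.0.0", "0.0.255.255"), "dst": ("2.2.2.2", "0.0.0.0")}]
RULE_12 = {"src": ("192.168.0.0", "0.0.255.255"), "dst": ("172.16.100.1", "0.0.0.0")}

def classify(src, dst, acl_3001):
    """Return (classifier, action) for traffic policy vlan10 inbound on GE0/0/0."""
    # Assumption: classifiers are checked in binding order, first match wins.
    policy = [("vlan11", acl_3001, "forward normally"),   # behavior vlan11 is empty
              ("vlan10", ACL_2000, "redirect ip-nexthop 1.1.1.1")]
    for name, acl, action in policy:
        if any(rule_match(r, src, dst) for r in acl):
            return name, action
    return None, "forward normally"

# The two flows analyzed in the procedure.
FLOWS = {
    "HostA -> public IP": ("192.168.1.100", "2.2.2.2"),
    "server -> GE0/0/0 (reply)": ("192.168.0.140", "172.16.100.1"),
}

def report(acl_3001):
    return {k: classify(s, d, acl_3001) for k, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("before", ACL_3001), ("after rule 12", ACL_3001 + [RULE_12])):
        for flow, (cls, action) in report(acl).items():
            print(f"{label:14} {flow:26} {cls} -> {action}")
```

Before the fix, the reply flow lands in classifier vlan10 and is redirected; with rule 12 it lands in vlan11, whose behavior has no redirect action.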

Suggestion

Check the router status and information using commands to locate the fault. Use a correct troubleshooting roadmap, run correct commands, and analyze the corresponding command outputs.

Updated: 2019-05-10

Document ID: EDOC1000079719
