AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Firewall Packet Filtering Configuration Does Not Take Effect Due to Incorrect ACL Configuration on the AR

Keywords

ACL, access control policy, NAT, firewall

Abstract

The firewall packet filtering policy on the AR does not take effect due to incorrect ACL parameter configuration.

Problem Description

As shown in Figure 1-1, the router functions as the enterprise egress. The firewall function is configured on the router to control host access from the Internet to the internal server of the enterprise. The NAT function is configured on the router to translate the IP address of the internal server to the public address 1.1.2.2.

Figure 22-17  ACL-based access control

The related configuration file is as follows:

    #
    nat static protocol tcp global ip 1.1.2.2 inside ip 10.26.103.70    // One-to-one mapping from the private address 10.26.103.70 to the public address 1.1.2.2
    #
    acl number 3000    // Rule that forbids the PC using the address 1.1.1.1 to send IP packets to 1.1.2.2
    rule 1 deny ip source 1.1.1.1 0 destination 1.1.2.2 0
    #
    interface Ethernet0/0/1
    ip address 1.1.2.1 255.255.255.224
    #
    firewall enable
    packet-filter 3000 inbound    // Perform packet filtering in the inbound direction

However, the ACL rule does not take effect, and the PC can still access the internal server.

Procedure

An ACL policy that does not take effect is caused either by an incorrect firewall configuration or by an incorrect ACL configuration. Check both in turn.

  1. Check whether the firewall function is enabled.

    The firewall enable command exists in the configuration file. Run the display firewall zone command to view the configuration of the specified security zone. The command output shows that the firewall function is enabled; therefore, the invalid ACL rule is not caused by the firewall configuration.

  2. Check whether the ACL rule is correct.

    Check the ACL rule. The configuration file of the router shows that the ACL rule forbids the PC to send IP packets to the public IP address 1.1.2.2. However, the NAT function configured on the router translates the public address to the internal address 10.26.103.70 before the packet is filtered. Therefore, the rule must forbid the PC to send IP packets to the IP address 10.26.103.70. Modify the ACL rule as follows:

    #
    acl number 3000
    rule 1 deny ip source 1.1.1.1 0 destination 10.26.103.70 0
    rule 2 permit ip
    #

    After the modification, the PC cannot access the internal server.

    Therefore, the firewall packet filtering function did not take effect because the ACL rule was incorrectly configured.

Root Cause

After NAT and the firewall are configured on the AR, the NAT function takes effect on incoming packets before the firewall function. The ACL rule is therefore evaluated against the already translated packet, so the private address of the internal server (the address that NAT translates to) must be specified as the destination address in the ACL rule. If the public address before NAT (1.1.2.2) is used as the destination address, the ACL rule never matches the translated packets and has no effect.

Suggestions

When the firewall and NAT functions are configured on the AR simultaneously, pay attention to the sequence in which the functions take effect:

  • In the inbound direction: The NAT function takes effect first.
  • In the outbound direction: The firewall function takes effect first.
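To make the processing order concrete, the following is an added example (constructed for this page, not Huawei's code): a small model of the AR pipeline that applies static NAT before the packet filter on inbound traffic and after it on outbound traffic. The ACL wildcard matching and the default permit action are assumptions of the model, not a description of the product's implementation.

```python
import ipaddress

# Constructed example, not Huawei's code: a minimal model of the AR
# processing order (inbound: NAT then packet filtering; outbound: packet
# filtering then NAT) that shows why the original ACL rule never matched.

# Static NAT from the document: public 1.1.2.2 <-> private 10.26.103.70
NAT_PUBLIC_TO_PRIVATE = {"1.1.2.2": "10.26.103.70"}
NAT_PRIVATE_TO_PUBLIC = {v: k for k, v in NAT_PUBLIC_TO_PRIVATE.items()}

def acl_match(rule, pkt):
    """Huawei-style wildcard match: a 0 bit in the wildcard must match exactly.
    A rule with no source/destination (plain 'permit ip') matches any packet."""
    for key in ("source", "destination"):
        if key not in rule:
            continue
        addr, wildcard = rule[key]
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if (int(ipaddress.IPv4Address(addr)) & care) != (int(ipaddress.IPv4Address(pkt[key])) & care):
            return False
    return True

def packet_filter(acl, pkt):
    """First matching rule wins; assumes the default action is permit."""
    for rule in acl:
        if acl_match(rule, pkt):
            return rule["action"]
    return "permit"

def inbound(acl, pkt):
    """Internet -> server: NAT rewrites the destination, THEN the ACL is checked."""
    after_nat = dict(pkt, destination=NAT_PUBLIC_TO_PRIVATE.get(pkt["destination"], pkt["destination"]))
    return packet_filter(acl, after_nat), after_nat["destination"]

def outbound(acl, pkt):
    """Server -> Internet: the ACL is checked FIRST, then NAT rewrites the source."""
    action = packet_filter(acl, pkt)
    return action, NAT_PRIVATE_TO_PUBLIC.get(pkt["source"], pkt["source"])

# ACL 3000 as originally written (public address) and as corrected (private address)
ACL_WRONG = [{"action": "deny", "source": ("1.1.1.1", "0.0.0.0"), "destination": ("1.1.2.2", "0.0.0.0")},
             {"action": "permit"}]
ACL_FIXED = [{"action": "deny", "source": ("1.1.1.1", "0.0.0.0"), "destination": ("10.26.103.70", "0.0.0.0")},
             {"action": "permit"}]

PC_TO_SERVER = {"source": "1.1.1.1", "destination": "1.1.2.2"}  # constructed inbound packet

if __name__ == "__main__":
    print(inbound(ACL_WRONG, PC_TO_SERVER))  # ('permit', '10.26.103.70'): deny rule never matches
    print(inbound(ACL_FIXED, PC_TO_SERVER))  # ('deny', '10.26.103.70')
```

The same ACL applied outbound sees the untranslated private source address, which is why the two directions need different addresses in their rules.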
Updated: 2019-05-10

Document ID: EDOC1000079719
