No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Troubleshooting NAT

Troubleshooting NAT

Intranet users Fail to Access Public Networks

Fault Description
This fault is commonly caused by one of the following:
  • Outbound NAT is not properly configured on the outbound interface connected to the public network.
  • The configuration of the ACL bound to outbound NAT is incorrect.

Procedure

  1. Check whether packets are received on of device.

    Run the display interface interface-type interface-number command on the device to display the value of the Input field.

    • If the value of the Input field is 0, the device does not receive any packets. Check the interface configuration to ensure that the interface can receive packets.
    • If the value of the Input field is not 0, go to step 2.

  2. Check whether the ACL rule bound to outbound NAT allows NAT service packets to pass through.

    Run the display nat outbound command on the device to check whether outbound NAT is correctly configured.

    [Huawei]display nat outbound 
      NAT Outbound Information:
     ---------------------------------------------------------------------------
     Interface                     Acl      Address-group/IP/Interface      Type
     ---------------------------------------------------------------------------
     Vlanif100                    2000                              1    no-pat  
    ---------------------------------------------------------------------------
      Total : 1                                                                
    

    The preceding information indicates that ACL 2000 is bound to outbound NAT on Vlanif100.

    Check whether the rule of ACL 2000 is configured correctly. If the IP address, interface number, or protocol type in the rule of ACL 2000 is configured incorrectly, packets cannot be transmitted correctly.

    Run the display acl 2000 command to check the configuration of outbound NAT bound to ACL 2000.
    [Huawei] display acl 2000 
    Basic ACL2000, 1 rule 
    Acl's step is 5 
    rule 5 permit source 192.168.1.100 0 
    

    The rule of ACL 2000 matches packets with the source address 192.168.1.100.

    • If the ACL rule is configured incorrectly, reconfigure the ACL rule.
    • If the ACL rule is configured correctly but the fault persists, go to step 3.

  3. Check that the address pool configuration is correct.

    Run the display nat address-group command on the device to check whether the address pool bound to outbound NAT on the outbound interface is correct.
    [Huawei] display nat address-group 1 
    NAT Address-Group Information: 
    -------------------------------------- 
    Index   Start-address      End-address 
    -------------------------------------- 
    1       10.0.0.100         10.0.0.110 
    -------------------------------------- 
    Total : 1     
    
    
    To check Easy IP information on the outbound port, run the display nat outbound command on the device. For example:
    [Huawei] display nat outbound 
     NAT Outbound Information: 
     -------------------------------------------------------------------------- 
     Interface                    Acl      Address-group/IP/Interface      Type 
     -------------------------------------------------------------------------- 
     Vlanif200                    2000                     30.30.30.1    easyip
     -------------------------------------------------------------------------- 
      Total : 1        
    
    The preceding information indicates that Easy IP is configured on Vlanif200 and the address pool 30.30.30.1 bound to the interface is the address pool advertised on the interface. If NAT is disabled, you perform the following steps:
    • If the bound IP address is the interface address, ensure that the interface address is valid.

External Hosts Fail to Access Internal Servers

Fault Description

This fault is commonly caused by one of the following:

  • The NAT server is configured on an incorrect interface such as an outbound port or other irrelated interfaces. The NAT server must be configured on the inbound interface of an external host that connects to the internal network.
  • The NAT server configuration is incorrect. For example, the corresponding public and private IP addresses of internal servers are incorrect, and private ports and enabled ports of internal servers are different.

Procedure

  1. Check whether services on the internal NAT server are running properly.

    When the external network cannot access the internal NAT server, check whether services such as HTTP server and FTP server are enabled on the internal NAT server. Access the internal NAT server from an internal host to check whether the services are running properly.

    • If services on the internal NAT server are not running properly, enable the services.
    • If services on the internal NAT server are running properly but the fault persists, go to step 2.

  2. Check that the NAT server is configured correctly.

    Run the display nat server command on the device to check that the NAT server is configured on the correct NAT interface and the correct protocol type, interface number, and IP address are configured.

    [Huawei] display nat server 
      Nat Server Information:                                                       
      Interface  : Vlanif100                                             
        Global IP/Port     : 202.10.1.3/80 (www)                                  
        Inside IP/Port     : 192.168.0.100/8080                                      
        Protocol : 6(tcp)                                                         
        VPN instance-name  : ---- 
        Acl number         : ----                                                  
        Vrrp id            : ----                                                   
        Description : ----
      Total :    1  
    

    Ensure that the mapped internal address and interface are correct. When some services such as FTP and TFTP transmit data packets, several interfaces (some of them are randomly generated) are used. Therefore, to configure the NAT server providing such services, cancel the limitation on the ports so that the internal server can provide services normally.

    • If the NAT server is configured incorrectly, reconfigure the NAT server.
    • If the NAT server is configured correctly but the fault persists, go to step 3.

  3. Check the connection between the external host and NAT server and the configurations of the connected ports.

    Check that the IP address of the outbound interface on the NAT server is correct and the external IP address of the NAT server is correct. The IP addresses cannot conflict with the addresses on other network segments. Ping the external interface of the NAT server on an external host. Ensure that the external host can ping the NAT server successfully.

    • If the external host cannot connect to the NAT server, check the connection.
    • If the external host and NAT server are connected correctly but the fault persists, go to step 4.

  4. Check that the internal NAT server is configured with the correct gateway address or route.

    The internal NAT server must be configured with the correct route or gateway address so that packets destined for the external host can be sent to the gateway.

    • If the gateway address or route on the internal NAT server is configured incorrectly, reconfigure it.
    • If the gateway address or route on the internal NAT server is configured correctly but the fault persists, contact technical support personnel.

Translation
Download
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 115771

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next