Intranet Users Fail to Access Public Networks
Fault Description
- Outbound NAT is not properly configured on the outbound interface connected to the public network.
- The configuration of the ACL bound to outbound NAT is incorrect.
Procedure
- Check whether packets are received on interfaces of the device.
Run the display interface interface-type interface-number command on the device to display the value of the Input field.
- If the value of the Input field is 0, the device does not receive any packets. Check the interface configuration to ensure that the interface can receive packets.
- If the value of the Input field is not 0, go to step 2.
The device supports GE, FE, Eth-Trunk, and sub-interfaces. If an Eth-Trunk sub-interface is used, run the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check whether the Eth-Trunk sub-interface receives packets.
- Check whether the ACL rule bound to outbound NAT allows NAT service packets to pass through.
Run the display nat outbound command on the device to check whether outbound NAT is correctly configured.
[Huawei] display nat outbound
 NAT Outbound Information:
 ---------------------------------------------------------------------------
 Interface                 Acl     Address-group/IP/Interface     Type
 ---------------------------------------------------------------------------
 GigabitEthernet0/0/0      2000    1                              no-pat
 ---------------------------------------------------------------------------
  Total : 1
The preceding information indicates that ACL 2000 is bound to outbound NAT on GigabitEthernet0/0/0.
Check whether the rule of ACL 2000 is configured correctly. If the IP address, interface number, or protocol type in the rule of ACL 2000 is configured incorrectly, packets cannot be transmitted correctly.
Run the display acl 2000 command to check the configuration of ACL 2000, which is bound to outbound NAT.
[Huawei] display acl 2000
Basic ACL2000, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.1.100 0
The rule of ACL 2000 matches packets with the source address 192.168.1.100.
- If the ACL rule is configured incorrectly, reconfigure the ACL rule.
- If the ACL rule is configured correctly but the fault persists, go to step 3.
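The ACL check in this step can be reproduced offline. The following Python sketch is an added example, not Huawei tooling: it parses basic-ACL rule lines in the format shown above and reports whether a given intranet source address would be selected for outbound NAT. It assumes the ACL uses the config match order (rules evaluated in ascending rule ID) and that packets matching no permit rule are not translated; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, in the shape of the "display acl 2000" output above.
SAMPLE_ACL = """\
Basic ACL2000, 1 rule
Acl's step is 5
 rule 5 permit source 192.168.1.100 0
"""

# rule <id> {permit|deny} [source {any | <address> <wildcard>}]
RULE_RE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(any|\S+)(?:\s+(\S+))?)?")

def _to_int(text):
    # The wildcard 0.0.0.0 is displayed as a bare "0".
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_rules(acl_text):
    """Return [(rule_id, action, address, wildcard)] sorted by rule ID."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "Acl's step is 5"
        rule_id, action, src, wc = m.groups()
        if src is None or src == "any":
            addr, wildcard = 0, 0xFFFFFFFF  # matches every source
        else:
            addr, wildcard = _to_int(src), _to_int(wc or "0")
        rules.append((int(rule_id), action, addr, wildcard))
    return sorted(rules)

def nat_translates(acl_text, host):
    """True if the first rule matching host is a permit rule."""
    ip = int(ipaddress.IPv4Address(host))
    for _, action, addr, wildcard in parse_rules(acl_text):
        # Bits set in the wildcard are ignored; all other bits must be equal.
        if ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # no rule matched: the packet is not translated

if __name__ == "__main__":
    for host in ("192.168.1.100", "192.168.1.101"):
        print(host, "translated" if nat_translates(SAMPLE_ACL, host) else "not translated")
```

With the rule shown above, only 192.168.1.100 is translated; any other intranet host stays untranslated until the rule is widened, for example with a 0.0.0.255 wildcard.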
- Check that the address pool configuration is correct.
Run the display nat address-group command on the device to check whether the address pool bound to outbound NAT on the outbound interface is correct.
[Huawei] display nat address-group 1
 NAT Address-Group Information:
 --------------------------------------
 Index   Start-address      End-address
 --------------------------------------
 1       10.0.0.100         10.0.0.110
 --------------------------------------
  Total : 1
To check Easy IP information on the outbound port, run the display nat outbound command on the device. For example:
[Huawei] display nat outbound
 NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                 Acl     Address-group/IP/Interface     Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/1      2000    1.1.1.1                        easyip
 --------------------------------------------------------------------------
  Total : 1
The preceding information indicates that Easy IP is configured on GigabitEthernet0/0/1 and that the address pool 1.1.1.1 bound to the interface is the address pool advertised on the interface. If NAT is disabled, perform the following steps:
- If the bound IP address is the interface address, ensure that the interface address is valid.