Extranet Hosts Fail to Access Intranet Servers (NAT Static Failure)
Symptom
This fault is commonly caused by one of the following:
- The NAT static function is configured on an incorrect interface such as an unrelated interface. NAT static must be configured on the NAT device's outbound interface connected to the extranet, that is, the inbound interface for an extranet host to access the intranet.
- The NAT static configuration is incorrect. For example, the public and private IP addresses of internal servers are incorrect, or the configured private port is not enabled on the intranet server.
Procedure
- Check whether services on the intranet server are running properly.
If the extranet host cannot use the service (such as HTTP server or FTP server) provided by the intranet server, check whether the service is enabled on the intranet server. You can use an intranet host to access the intranet server. If the access succeeds, the service is running properly on the intranet server.
- If services are not enabled on the intranet server, enable the services.
- If services on the internal server are running properly but the fault persists, go to step 2.
- Check whether the NAT static configuration is correct.
Run the display nat static on the NAT device to check whether NAT static is configured on the correct interface and whether the protocol type, interface number, and IP address are correctly configured.
[Huawei] display nat static Static Nat Information: Interface : GigabitEthernet1/0/0 Global IP/Port : 1.1.1.1/1~2 Inside IP/Port : 10.2.2.2~10.2.2.3/2 Protocol : 6(tcp) VPN instance-name : ---- Acl number : ---- Vrrp id : ---- Netmask : 255.255.255.255 Description : ---- Total : 1Ensure that the mapped private IP address and port number are correct. When data packets of some services such as FTP and TFTP are transmitted, several interfaces (some of them are randomly generated) may be used. Therefore, when configuring NAT static for providing such services, cancel the limitation on the interfaces so that the intranet server can provide services normally.
- If the NAT static configuration is incorrect, reconfigure NAT static.
- If the NAT static configuration is correct but the fault persists, go to step 3.
- Check the connectivity between the extranet host and NAT device and the configurations of the connected interfaces.
Check whether the IP address of the NAT device's interface connected to the external network is correct and whether the public IP address in the NAT static configuration is correct, for example, whether IP address conflicts exist. Ping the NAT device's interface connected to the external network from an extranet host. Ensure that the extranet host and the NAT device are reachable to each other.
- If the extranet host cannot connect to the NAT device, check the connection.
- If the external host can connect to the NAT device but the fault persists, go to step 4.
- Check the gateway or route configuration of the intranet server.
Check whether the intranet server is configured with the correct route or gateway address so that packets destined for the extranet host can be sent to the gateway.
- If the gateway address or route on the intranet server is incorrectly configured, reconfigure it.
- If the gateway address or route on the intranet server is correctly configured but the fault persists, contact technical support personnel.