Internal Hosts with an Overlapped IP Address Fail to Access External Servers
Fault Description
- Outbound NAT is incorrectly configured on the outbound port.
- NAT ALG is disabled for the DNS protocol.
- The DNS mapping entry is configured incorrectly. For example, the corresponding public address is different from the IP address of an external server.
- The route between the temporary address pool and the outbound interface is not configured.
Procedure
Step 1: Check that outbound NAT is configured correctly.
Run the display nat outbound command on the device to check whether outbound NAT is configured correctly.
[Huawei]display nat outbound
 NAT Outbound Information:
 ---------------------------------------------------------------------------
 Interface                    Acl    Address-group/IP/Interface    Type
 ---------------------------------------------------------------------------
 GigabitEthernet0/0/1         3180   1                             pat
 ---------------------------------------------------------------------------
 Total : 1
The preceding information indicates that ACL 3180 is bound to outbound NAT and that the address pool index is 1. Check that outbound NAT references the correct address pool. When configuring an address pool, ensure that the destination address on the external network is different from every address in the pool. Run the display nat address-group command to check the configuration of the address pool.
[Huawei]display nat address-group 1
 NAT Address-Group Information:
 --------------------------------------
 Index  Start-address    End-address
 --------------------------------------
 1      1.1.1.1          1.1.1.10
 --------------------------------------
 Total : 1
Check that the ACL rules bound to outbound NAT are correct. Typical mistakes are incorrect addresses, protocol types, or port numbers in the ACL rules. When the ACL is wrong, packets from the internal network cannot be sent out, or packets from the external network cannot be forwarded to the internal network.
Run the display acl 3180 command to check the ACL bound to outbound NAT.
[Huawei]display acl 3180
Advanced ACL 3180, 1 rule
Acl's step is 5
 rule 5 permit tcp source 10.10.10.1 0
An ACL strictly controls the permitted address segments, protocols, and ports according to the networking requirements. If packets of a certain protocol are dropped by the NAT gateway, check whether that protocol is permitted by the ACL.
- If outbound NAT is configured incorrectly, correct the configuration.
- If outbound NAT is configured correctly but the fault persists, go to step 2.
Step 2: Check that the DNS mapping entry is configured correctly.
Run the display nat dns-map command on the device to check whether the NAT server is configured on the correct NAT interface and whether the protocol type, port number, and IP address are configured correctly.
[Huawei]display nat dns-map
 NAT DNS mapping information:
 Domain-name : test1
 Global IP   : 10.1.1.1
 Global port : 2012
 Protocol    : tcp
 Total : 1
- If the DNS mapping entry is configured incorrectly, run the nat dns-map command in the system view to configure a DNS mapping entry correctly.
- If the DNS mapping entry is configured correctly but the fault persists, go to step 3.
Step 3: Check that NAT ALG is enabled for the DNS protocol.
Run the display nat alg command on the device to check whether NAT ALG is enabled for the DNS protocol.
[Huawei]display nat alg
 NAT Application Level Gateway Information:
 ----------------------------------
 Application    Status
 ----------------------------------
 dns            Disabled
 ftp            Disabled
 rtsp           Enabled
 sip            Disabled
 pptp           Disabled
 ----------------------------------
- If NAT ALG is disabled for the DNS protocol, run the nat alg command to enable it.
- If NAT ALG is enabled for the DNS protocol but the fault persists, go to step 4.
Step 4: Check that the mappings between overlapped address pools and temporary address pools are correct.
Run the display nat overlap-address command on the device to check whether all the mappings between overlapped address pools and temporary address pools are correct.
[Huawei]display nat overlap-address all
 Nat Overlap Address Pool To Temp Address Pool Map Information:
 ----------------------------------------------------------------------
 Id  Overlap-Address  Temp-Address  Pool-Length  Inside-VPN-Instance-Name
 ----------------------------------------------------------------------
 1   1.1.1.1          20.20.20.20   34
 ----------------------------------------------------------------------
 Total : 1
The temporary address pool consists of IP addresses that are free for use on the device. The addresses in this pool must not conflict with any interface address, VRRP address, or NAT address. In the preceding output, Inside-VPN-Instance-Name is the VPN instance to which the internal interface connected to the host belongs.
- If the mappings are incorrect, reconfigure the mappings.
- If the mappings are correct but the fault persists, go to step 5.
Step 5: Check that the route between the temporary address pool and the outbound interface is configured.
Run the display ip routing-table command on the device to check all the routes on the public network.
[Huawei]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.0.0.0/8   Static  60   0           D   10.164.50.1     Ethernet1/0/0
    10.10.10.10/32  Direct  64   0           D   127.0.0.1       Vlanif3
If the internal interface belongs to a VPN instance, run the display ip routing-table vpn-instance vpn-name command instead to check the routes in that instance.
- If there is no correct route, reconfigure a route.
- If the route is correct but the fault persists, contact technical support personnel.
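The five checks above can be applied mechanically to pasted command output. The following script is an added example, not Huawei code or any vendor API: it parses constructed samples modelled on the outputs shown in this procedure (the column layouts and the external server address 10.1.1.1 are assumptions) and reports which step would fail.

```python
import ipaddress
import re

# Constructed samples modelled on the page's 'display' outputs (not live device output).
ADDRESS_GROUP = "Index Start-address End-address\n1 1.1.1.1 1.1.1.10"
DNS_MAP = "Domain-name : test1 Global IP : 10.1.1.1 Global port : 2012 Protocol : tcp"
ALG = "dns Disabled ftp Disabled rtsp Enabled sip Disabled pptp Disabled"
OVERLAP = "1 1.1.1.1 20.20.20.20 34"
ROUTES = ("10.0.0.0/8 Static 60 0 D 10.164.50.1 Ethernet1/0/0\n"
          "10.10.10.10/32 Direct 64 0 D 127.0.0.1 Vlanif3")

def pool_range(text):
    """Start/end address of the NAT address-group (first numbered row)."""
    start, end = re.search(r"^\d+\s+(\S+)\s+(\S+)", text, re.M).groups()
    return ipaddress.ip_address(start), ipaddress.ip_address(end)

def dns_map_global_ip(text):
    return re.search(r"Global IP\s*:\s*(\S+)", text).group(1)

def alg_status(text, app):
    return re.search(rf"\b{app}\s+(\w+)", text).group(1)

def temp_address(text):
    """Temp-Address column of 'display nat overlap-address all'."""
    return re.search(r"^\d+\s+\S+\s+(\S+)", text, re.M).group(1)

def has_route(text, ip):
    """True if any Destination/Mask in the routing table covers ip."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(m.group(1), strict=False)
            for m in re.finditer(r"^(\d+\.\d+\.\d+\.\d+/\d+)", text, re.M)]
    return any(addr in n for n in nets)

def check(external_server, address_group, dns_map, alg, overlap, routes):
    """Return one finding per failed step, in the order of the procedure."""
    findings = []
    start, end = pool_range(address_group)
    if start <= ipaddress.ip_address(external_server) <= end:
        findings.append("step 1: external server address lies inside the NAT address pool")
    if dns_map_global_ip(dns_map) != external_server:
        findings.append("step 2: DNS mapping Global IP differs from the external server address")
    if alg_status(alg, "dns") != "Enabled":
        findings.append("step 3: NAT ALG is disabled for dns")
    temp = temp_address(overlap)
    if start <= ipaddress.ip_address(temp) <= end:
        findings.append("step 4: temporary address conflicts with the NAT address pool")
    if not has_route(routes, temp):
        findings.append(f"step 5: no route covers temporary address {temp}")
    return findings
```

On the sample outputs, check("10.1.1.1", ADDRESS_GROUP, DNS_MAP, ALG, OVERLAP, ROUTES) reports step 3 (dns ALG Disabled) and step 5 (no route covers 20.20.20.20), which are exactly the two faults visible in the outputs above.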