Troubleshooting the Fault that Users Fail to Access Intranet Servers
- Specification
- Mechanism for Users Accessing Intranet Servers
- Configuring Users to Access Intranet Servers
- Reasons Why Users Cannot Access Intranet Servers
- Troubleshooting the Fault that an Intranet User Fails to Access an Intranet Server
- Troubleshooting the Fault that an Extranet User Fails to Access an Intranet Server
- Collecting Fault Information and Seeking Technical Support
- Typical Troubleshooting Cases
- References
Mechanism for Users Accessing Intranet Servers
To meet service requirements, enterprises often deploy intranet servers on the intranet to provide services, such as web and FTP services. Two typical configurations are available for users accessing intranet servers: Extranet hosts access intranet servers and intranet hosts access intranet servers.
Extranet Hosts Accessing Intranet Servers
As shown in Figure 1-1, static NAT can be configured to allow the AR router to provide services when an extranet host accesses an intranet server.
The process of static NAT is as follows:
- Host C on the extranet needs to access an intranet server. On Router, configure a static NAT entry that records the mapping between the public IP address+port number of the intranet server and its private IP address+port number, and add the entry to the NAT mapping table.
- Host C sends a packet whose destination IP address is 1.1.1.1 and port number is 20 to Router. After receiving the packet, Router searches NAT mapping entries based on the destination IP address+port number and finds the mapped private IP address+port number. Router then translates the destination IP address 1.1.1.1 to 10.1.1.1 and the port number 20 to 10, and forwards the packet to the intranet server.
- The intranet server sends a response packet to Host C using the private IP address and port number. After receiving the response packet, Router searches NAT mapping entries based on the source IP address+port number and finds the mapped public IP address+port number. Router then translates the source IP address 10.1.1.1 to 1.1.1.1 and the port number 10 to 20, and forwards the packet to Host C.
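The two translation directions described above, as an added Python model that is not code from the original page. The 1.1.1.1:20 to 10.1.1.1:10 mapping is the one in the text; Host C's address 3.3.3.3 and the address-only FTP entry (1.1.1.2 to 10.1.1.2) are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# One static NAT (NAT server) entry: (proto, global_ip, global_port, inside_ip, inside_port).
# A port of None is an address-only mapping (the "no limitation on the ports" form the
# troubleshooting steps recommend for FTP/TFTP): every port maps 1:1.
Entry = Tuple[str, str, Optional[int], str, Optional[int]]

class StaticNat:
    def __init__(self) -> None:
        self.table: List[Entry] = []

    def add_server(self, proto, global_ip, global_port, inside_ip, inside_port) -> None:
        self.table.append((proto, global_ip, global_port, inside_ip, inside_port))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Extranet -> intranet: look up the destination, rewrite the destination."""
        for proto, gip, gport, iip, iport in self.table:
            if pkt.proto != proto or pkt.dst_ip != gip:
                continue
            if gport is None:  # address-only entry keeps the original port
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, iip, pkt.dst_port)
            if pkt.dst_port == gport:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, iip, iport)
        return None  # no matching entry: the router does not translate the packet

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Intranet -> extranet reply: look up the source, rewrite the source."""
        for proto, gip, gport, iip, iport in self.table:
            if pkt.proto != proto or pkt.src_ip != iip:
                continue
            if gport is None:
                return Packet(pkt.proto, gip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.src_port == iport:
                return Packet(pkt.proto, gip, gport, pkt.dst_ip, pkt.dst_port)
        return None

def build_router() -> StaticNat:
    """The mapping from the text (1.1.1.1:20 <-> 10.1.1.1:10) plus a constructed
    address-only entry for an FTP server, 1.1.1.2 <-> 10.1.1.2."""
    nat = StaticNat()
    nat.add_server("tcp", "1.1.1.1", 20, "10.1.1.1", 10)
    nat.add_server("tcp", "1.1.1.2", None, "10.1.1.2", None)
    return nat

def round_trip(nat: StaticNat, request: Packet):
    """Translate Host C's request inbound, build the server's reply from the
    translated packet, and translate that reply back outbound."""
    fwd = nat.inbound(request)
    if fwd is None:
        return None, None
    reply = Packet(fwd.proto, fwd.dst_ip, fwd.dst_port, fwd.src_ip, fwd.src_port)
    return fwd, nat.outbound(reply)

if __name__ == "__main__":
    # Host C's address 3.3.3.3 is constructed; the text does not give it.
    print(round_trip(build_router(), Packet("tcp", "3.3.3.3", 40000, "1.1.1.1", 20)))
```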
Intranet Hosts Accessing Intranet Servers
Figure 1-2 shows the process in which an intranet host accesses an intranet server. If the intranet host accesses the intranet server using the private IP address, ensure that the route between them is reachable. If the intranet host accesses the intranet server using the public IP address, static NAT is also required. If the private IP addresses of the intranet host and intranet server are on the same network segment, you also need to configure outbound NAT in Easy IP mode and static NAT on the AR router's downlink interface connected to the intranet, so that the PC and server on the intranet can communicate with each other through the AR router using the public IP address.
Configuring Users to Access Intranet Servers
The key to configuring users to access intranet servers is to configure static NAT. Static NAT defines the mapping between public IP address+port number and private IP address+port number so that extranet hosts can access intranet servers based on the mapping.
For details about the configuration procedure, see typical configuration examples for NAT.
Reasons Why Users Cannot Access Intranet Servers
Users cannot access intranet servers in the following scenarios:
- Intranet users cannot access intranet servers using public IP addresses.
- Extranet users cannot access intranet servers using public IP addresses.
This section provides typical fault locating roadmaps and troubleshooting methods for the problem that users cannot access intranet servers. Table 1-1 describes the possible causes and troubleshooting methods.
Scenario | Possible Causes | Troubleshooting Method
---|---|---
An intranet user cannot access an intranet server using a public IP address. | | Check whether the configurations are correct by referring to Troubleshooting the Fault that an Intranet User Fails to Access an Intranet Server.
An extranet user cannot access an intranet server using a public IP address. | | Check whether the configurations are correct by referring to Troubleshooting the Fault that an Extranet User Fails to Access an Intranet Server.
Troubleshooting the Fault that an Intranet User Fails to Access an Intranet Server
- Check whether application services on the intranet server are running properly.
When a user cannot access the services provided by the intranet server, check whether the corresponding services (such as HTTP and FTP services) and service ports are enabled. Attempt to access the intranet server from another intranet host to verify that the corresponding services are running properly, and connect to the intranet server's service port through Telnet to check whether the port is open.
<HUAWEI> telnet 192.168.1.2 1234
- If the intranet server cannot be accessed and connecting is displayed in the command output, the corresponding ports on the peer device are disabled. In this case, check the intranet server and ensure that application services run properly and ports are enabled.
- If the intranet server can be accessed and connected is displayed in the command output, application services on the peer device run properly and related ports are enabled. If the fault persists, go to 2.
- Check whether the NAT server is correctly configured.
Run the display nat server command in any view to check whether the NAT server is configured on the correct interface and whether the protocol type, port number, and IP address are correctly configured.
<HUAWEI> display nat server
  Nat Server Information:
  Interface          : GigabitEthernet1/0/0
  Global IP/Port     : 1.1.1.1/1~2
  Inside IP/Port     : 10.10.1.2~10.10.1.3/1
  Protocol           : 6(tcp)
  VPN instance-name  : ----
  Acl number         : ----
  Vrrp id            : ----
  Description        : ----
  Total : 1
Verify that the mapped private IP address and port number are correct. When data packets of some services such as FTP and TFTP are transmitted, several ports (some of them are randomly generated) may be used. Therefore, when configuring the NAT server for providing these services, cancel the limitation on the ports so that the intranet server can provide services normally.
- If the NAT server is incorrectly configured, modify the configuration.
- If the NAT server is correctly configured but the fault persists, go to 3.
- Check whether NAT ALG is enabled.
Run the display nat alg command in any view to check whether NAT ALG is enabled.
<HUAWEI> display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application   Status
----------------------------------
dns           Disabled
ftp           Disabled
rtsp          Enabled
sip           Disabled
pptp          Disabled
----------------------------------
- If the Status field of an application protocol is Disabled, run the nat alg { all | protocol-name } enable command to enable NAT ALG for the application protocol.
- If the Status field of an application protocol is Enabled but the fault persists, go to 4.
- Check whether NAT mapping entries are generated.
Run the display nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ] command in any view to check whether NAT mapping entries are generated based on the source and destination IP addresses of packets before NAT.
<HUAWEI> display nat session all verbose
NAT Session Table Information:
  Protocol          : TCP(6)
  SrcAddr  Port Vpn : 10.200.200.200  65532
  DestAddr Port Vpn : 10.100.100.100  1024
  Time To Live      : 60 s
  NAT-Info
    New SrcAddr     : 10.10.10.10
    New SrcPort     : 10240
    New DestAddr    : 10.30.30.30
    New DestPort    : 21
  Protocol          : UDP(6)
  SrcAddr  Port Vpn : 10.200.200.200  65532
  DestAddr Port Vpn : 10.100.100.100  1024
  Time To Live      : 60 s
  NAT-Info
    New SrcAddr     : 10.10.10.10
    New SrcPort     : 10240
    New DestAddr    : 10.30.30.3
    New DestPort    : 21
  Total : 2
- If NAT-Info is empty, no NAT mapping entry is generated. You can collect traffic statistics on the public network interface to check whether the device receives packets. For details, see the following description. If no packet is received, check whether the packets have been sent by the peer device.
The procedure for configuring traffic statistics collection is as follows:
- Run the traffic-filter { inbound | outbound } { acl | ipv6 acl } { acl-number | name acl-name } command to apply an ACL to an interface to filter packets on the interface.
- Run the display acl { acl-number | name acl-name | all } command to check whether the device receives packets.
- If NAT mapping entries are generated but the fault persists, go to 5.
- Check whether outbound NAT is configured on the downlink interface.
Run the display nat outbound command to check whether outbound NAT is correctly configured.
<Huawei> display nat outbound
  NAT Outbound Information:
 --------------------------------------------------------------------------
 Interface                     Acl     Address-group/IP/Interface      Type
 --------------------------------------------------------------------------
 GigabitEthernet0/0/2          2000    1                               no-pat
 --------------------------------------------------------------------------
  Total : 1
- If outbound NAT is incorrectly configured, run the nat outbound acl-number address-group group-index [ no-pat ] [ vrrp vrrpid ] command to configure NAT so that the intranet server and PC communicate with each other through the device.
- If outbound NAT is correctly configured but the fault persists, go to 6.
- Check whether packets are properly sent to the intranet server.
Obtain packets from the intranet server to check whether the packets are received.
- If the packets are not properly sent to the intranet server, run the display ip routing-table command to check for the route from the public network to the intranet server. If there is no correct routing entry, check whether the intermediate device is faulty and reconfigure the route.
- If the packets are properly sent to the intranet server but the fault persists, go to 7.
- Optional: Check whether the route from the intranet server to the public network is reachable. Run the ping command to check whether the route to the destination host is reachable.
- If the destination host cannot be pinged, check whether the routing entries are available on the AR router and default routes are correctly configured.
- If the destination host can be pinged but the fault persists, go to Collecting Fault Information and Seeking Technical Support.
Troubleshooting the Fault that an Extranet User Fails to Access an Intranet Server
- Check whether application services on the intranet server are running properly.
When an extranet user cannot access the services provided by the intranet server, check whether the corresponding services (such as HTTP and FTP services) and service ports are enabled. Attempt to access the intranet server from another intranet host to verify that the corresponding services are running properly, and log in to the intranet server through Telnet to check whether the corresponding service ports are enabled.
<HUAWEI> telnet 192.168.1.2 1234
- If the intranet server cannot be accessed and connecting is displayed in the command output, the corresponding ports on the peer device are disabled. In this case, check the intranet server and ensure that application services run properly and ports are enabled.
- If the intranet server can be accessed and connected is displayed in the command output, application services on the peer device run properly and related ports are enabled. If the fault persists, go to 2.
- Check whether the NAT server is correctly configured.
Run the display nat server command in any view to check whether the NAT server is configured on the correct interface and whether the protocol type, port number, and IP address are correctly configured.
<HUAWEI> display nat server
  Nat Server Information:
  Interface          : GigabitEthernet1/0/0
  Global IP/Port     : 1.1.1.1/1~2
  Inside IP/Port     : 10.10.1.2~10.10.1.3/1
  Protocol           : 6(tcp)
  VPN instance-name  : ----
  Acl number         : ----
  Vrrp id            : ----
  Description        : ----
  Total : 1
Verify that the mapped private IP address and port number are correct. When data packets of some services such as FTP and TFTP are transmitted, several ports (some of them are randomly generated) may be used. Therefore, when configuring the NAT server for providing these services, cancel the limitation on the ports so that the intranet server can provide services normally.
- If the NAT server is incorrectly configured, modify the configuration.
- If the NAT server is correctly configured but the fault persists, go to 3.
- Check whether NAT ALG is enabled.
Run the display nat alg command in any view to check whether NAT ALG is enabled.
<HUAWEI> display nat alg
NAT Application Level Gateway Information:
----------------------------------
Application   Status
----------------------------------
dns           Disabled
ftp           Disabled
rtsp          Enabled
sip           Disabled
pptp          Disabled
----------------------------------
- If the Status field of an application protocol is Disabled, run the nat alg { all | protocol-name } enable command to enable NAT ALG for the application protocol.
- If the Status field of an application protocol is Enabled but the fault persists, go to 4.
- Check whether NAT mapping entries are generated.
Run the display nat session source source-address [ source-port ] [ destination destination-address [ destination-port ] ] [ verbose ] command in any view to check whether NAT mapping entries are generated based on the source and destination IP addresses of packets before NAT.
<HUAWEI> display nat session all verbose
NAT Session Table Information:
  Protocol          : TCP(6)
  SrcAddr  Port Vpn : 10.200.200.200  65532
  DestAddr Port Vpn : 10.100.100.100  1024
  Time To Live      : 60 s
  NAT-Info
    New SrcAddr     : 10.10.10.10
    New SrcPort     : 10240
    New DestAddr    : 10.30.30.30
    New DestPort    : 21
  Protocol          : UDP(6)
  SrcAddr  Port Vpn : 10.200.200.200  65532
  DestAddr Port Vpn : 10.100.100.100  1024
  Time To Live      : 60 s
  NAT-Info
    New SrcAddr     : 10.10.10.10
    New SrcPort     : 10240
    New DestAddr    : 10.30.30.3
    New DestPort    : 21
  Total : 2
- If no NAT mapping entry is generated, you can collect traffic statistics on the public network interface to check whether the device receives packets. For details, see the following description. If no packet is received, check whether the packets have been sent by the peer device.
The procedure for configuring traffic statistics collection is as follows:
- Run the traffic-filter { inbound | outbound } { acl | ipv6 acl } { acl-number | name acl-name } command to apply an ACL to an interface to filter packets on the interface.
- Run the display acl { acl-number | name acl-name | all } command to check whether the device receives packets.
- If NAT mapping entries are generated but the fault persists, go to 5.
- Check whether packets are properly sent to the intranet server.
Obtain packets from the intranet server to check whether the packets are received.
- If the packets are not properly sent to the intranet server, run the display ip routing-table command to check for the route from the public network to the intranet server. If there is no correct routing entry, check whether the intermediate device is faulty and reconfigure the route.
- If the packets are properly sent to the intranet server but the fault persists, go to 6.
- Optional: Check whether the route from the intranet server to the public network is reachable. Run the ping command to check whether the route to the destination host is reachable.
- If the destination host cannot be pinged, check whether the routing entries are available on the AR router and default routes are correctly configured.
- If the destination host can be pinged but the fault persists, go to Collecting Fault Information and Seeking Technical Support.
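Steps 3 and 4 of both troubleshooting procedures above (the NAT ALG status check and the "NAT-Info is empty" check) automated over the command outputs, as an added Python example that is not part of the original page. The two sample outputs are constructed in the layout of the display nat session all verbose and display nat alg outputs shown above; the second session in the sample has an empty NAT-Info block.

```python
import re

# Constructed sample of "display nat session all verbose": the second session
# carries no New* fields under NAT-Info, i.e. no mapping entry was generated.
SESSION_OUT = """\
NAT Session Table Information:
  Protocol          : TCP(6)
  SrcAddr  Port Vpn : 10.200.200.200  65532
  DestAddr Port Vpn : 10.100.100.100  1024
  Time To Live      : 60 s
  NAT-Info
    New SrcAddr     : 10.10.10.10
    New SrcPort     : 10240
    New DestAddr    : 10.30.30.30
    New DestPort    : 21
  Protocol          : TCP(6)
  SrcAddr  Port Vpn : 10.200.200.201  51000
  DestAddr Port Vpn : 1.1.1.1  80
  Time To Live      : 60 s
  NAT-Info
  Total : 2
"""
# Constructed sample of "display nat alg" (ftp disabled, as in the output above).
ALG_OUT = """\
NAT Application Level Gateway Information:
----------------------------------
Application   Status
----------------------------------
dns           Disabled
ftp           Disabled
rtsp          Enabled
----------------------------------
"""
ADDR_RE = re.compile(r"^\s*(SrcAddr|DestAddr)\s+Port\s+Vpn\s*:\s*(\S+)\s+(\d+)")
NEW_RE = re.compile(r"^\s*New\s+(\w+)\s*:\s*(\S+)")
ALG_RE = re.compile(r"^(\w+)\s+(Enabled|Disabled)\s*$")
# Well-known control ports of the protocols listed by "display nat alg".
ALG_PORTS = {21: "ftp", 53: "dns", 554: "rtsp", 5060: "sip", 1723: "pptp"}

def parse_sessions(text):
    """Split the verbose session table into dicts; 'nat_info' holds the New* fields."""
    sessions, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Protocol"):
            cur = {"protocol": s.split(":", 1)[1].strip(), "nat_info": {}}
            sessions.append(cur)
        elif cur is not None:
            m = ADDR_RE.match(line)
            if m:
                cur["src" if m.group(1) == "SrcAddr" else "dst"] = (m.group(2), int(m.group(3)))
            m = NEW_RE.match(line)
            if m:
                cur["nat_info"][m.group(1)] = m.group(2)
    return sessions

def parse_alg(text):
    """Map each application in the ALG table to True (Enabled) or False (Disabled)."""
    return {m.group(1): m.group(2) == "Enabled"
            for m in (ALG_RE.match(l.strip()) for l in text.splitlines()) if m}

def untranslated(sessions):
    """Step 4: sessions whose NAT-Info is empty, i.e. no mapping entry was generated."""
    return [(s["src"], s["dst"]) for s in sessions if not s["nat_info"]]

def missing_alg(sessions, algs):
    """Step 3: translated sessions to an ALG-dependent service whose ALG is disabled."""
    hits = []
    for s in sessions:
        app = ALG_PORTS.get(int(s["nat_info"].get("DestPort", 0)))
        if app and not algs.get(app, False):
            hits.append((s["dst"], app))
    return hits
```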
Collecting Fault Information and Seeking Technical Support
- Collect fault information.
- Collect all diagnostic information and export the information to a file.
Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.
<Huawei> display diagnostic-information dia-info.txt
This operation will take several minutes, please wait.........................
..................................................................
Info: The diagnostic information was saved to the device successfully.
- After the diagnostic information file is generated, export the file from the device using TFTP, FTP, or SFTP. For details, see Local File Management.
You can run the dir command in the user view to check whether the file is generated.
You can also run the display diagnostic-information command and save terminal logs in a diagnostic information file on a disk. For details, see Diagnostic File Obtaining Guide.
If this command displays a long output, press Ctrl+C to abort this command.
The display diagnostic-information command displays diagnostic information, which helps locate faults but may affect system performance. For example, the CPU usage may increase. Therefore, do not use this command when the system is running properly.
Do not run the display diagnostic-information command simultaneously on multiple terminals connected to the device. This is because doing so may significantly increase the CPU usage of the device and deteriorate the device performance.
- Collect the log and alarm information on the device and export the information to a file.
Run the save logfile command in the user view to save the log and alarm information in the buffer to a file.
<Huawei> save logfile
Info: It may take several seconds,please wait...
Save log file successfully.
- After the log file is generated, export the file from the device using TFTP, FTP, or SFTP. For details, see Local File Management.
You can also run the display logbuffer and display trapbuffer commands to view the log and alarm information on the device, and save the information in a diagnostic file on a disk. For details, see Diagnostic File Obtaining Guide.
- Seek technical support.
Visit http://e.huawei.com/en/how-to-buy/contact-us to seek technical support.
Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.
Typical Troubleshooting Cases
Extranet Users Cannot Access Intranet Servers After Ports on the Intranet Servers Are Configured as Well-Known Ports
Symptom
- The NAT server is configured on GigabitEthernet 0/0/1 of an AR router to enable intranet servers to provide Telnet and web services for extranet users.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 202.1.1.1 255.255.255.0
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 23 inside 1.1.1.1 telnet
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 80 inside 1.1.1.1 www
- After the NAT server is configured, extranet users cannot access the AR router using public IP address 202.1.1.1:23 through Telnet. In addition, extranet users cannot access the AR router using public IP address 202.1.1.1:80 through the web system.
Cause Analysis
The configuration shows that the AR router provides services to extranet users through well-known ports (23 and 80). These two well-known ports may be blocked on the Internet, so the NAT server becomes unavailable. The fault is rectified after the external ports are changed to non-well-known ports.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 202.1.1.1 255.255.255.0
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 1334 inside 1.1.1.1 telnet
[Huawei-GigabitEthernet0/0/1] nat server protocol tcp global current-interface 1335 inside 1.1.1.1 www
Conclusions and Suggestions
If the external port specified when the NAT server is configured is disabled, the NAT server is unavailable. Therefore, you are advised to configure external ports as non-well-known ports when configuring the NAT server.
An Extranet User Cannot Access an Intranet Server After Firewall Services Are Configured on an AR Router
Networking
Symptom
An extranet user cannot access an intranet server after firewall services are configured on an AR router. The fault is rectified after the firewall services are deleted.
The configuration of the AR router is as follows:
#
acl number 2001
 rule 0 permit source 10.0.1.0 0.0.0.255
 rule 1 permit source 10.0.2.0 0.0.0.255
 rule 2 permit source 10.0.3.0 0.0.0.255
 rule 3 permit source 10.0.0.0 0.0.0.255
 rule 4 permit source 10.0.30.0 0.0.0.255
 rule 5 deny
#
acl number 3102
 rule 5 permit tcp destination 10.0.0.13 0
 rule 45 deny ip
firewall zone untrust
 priority 1
firewall interzone trust untrust
 firewall enable
 packet-filter 3102 inbound
interface Vlanif30
 ip address 10.0.30.1 255.255.255.0
 zone trust
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/1
 ip address 209.29.234.51 255.255.255.248
 nat server protocol tcp global current-interface 9010 inside 10.0.0.231 9010
 nat server protocol tcp global current-interface 9012 inside 10.0.0.232 9012
 nat server protocol tcp global current-interface 9014 inside 10.0.0.233 9014
 nat server protocol tcp global current-interface 9016 inside 10.0.0.234 9016
 nat server protocol tcp global current-interface 4899 inside 10.0.0.50 4899
 nat server protocol tcp global current-interface 5430 inside 10.0.0.36 5430
 nat server protocol tcp global current-interface 8081 inside 10.0.0.94 8081
 nat server global 209.29.234.51 inside 10.0.0.13
 nat outbound 2001
 zone untrust
Cause Analysis
According to the configuration file, Ethernet0/0/4 is connected to the intranet server, GigabitEthernet0/0/1 is connected to the Internet, and firewall services are configured. Packets from the extranet are processed by the firewall services first and by NAT services afterwards. When an extranet user accesses the intranet server at private IP address 10.0.0.13, the packet arrives with public IP address 209.29.234.51 as its destination, and that is still the destination when the firewall's packet filter evaluates ACL 3102. Rule 5 of ACL 3102 matches destination 10.0.0.13, so the packet does not match it and is dropped by the deny rule. The destination IP address in the ACL rule must therefore be 209.29.234.51. The fault is rectified after the configuration is modified.
The configuration is modified as follows:
<Huawei> system-view
[Huawei] acl number 3102
[Huawei] rule 5 permit tcp destination 209.29.234.51 0
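The processing order from the cause analysis (interzone packet filter first, NAT server afterwards), as an added Python model that is not code from the original page. The two ACL 3102 rule sets and the NAT server entry are taken from the configuration in this case; the wildcard matching and the pipeline itself are a simplified model of the device's behaviour.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL rule as (rule_id, action, protocol, dst_ip, dst_wildcard); dst None = any.
Rule = Tuple[int, str, str, Optional[str], Optional[str]]

# "acl number 3102" as configured in the case ...
WRONG_ACL: List[Rule] = [(5, "permit", "tcp", "10.0.0.13", "0.0.0.0"),
                         (45, "deny", "ip", None, None)]
# ... and as corrected in the cause analysis.
FIXED_ACL: List[Rule] = [(5, "permit", "tcp", "209.29.234.51", "0.0.0.0"),
                         (45, "deny", "ip", None, None)]
# From "nat server global 209.29.234.51 inside 10.0.0.13".
NAT_SERVER = {"209.29.234.51": "10.0.0.13"}

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: a 1 bit means 'don't care', a 0 bit must match exactly
    (so "destination 10.0.0.13 0" is an exact host match)."""
    i, b, w = (int(ipaddress.IPv4Address(x)) for x in (ip, base, wildcard))
    return (i | w) == (b | w)

def acl_verdict(rules: List[Rule], proto: str, dst_ip: str) -> Optional[str]:
    """First matching rule in rule-id order decides; None if nothing matched."""
    for _, action, rproto, dst, wc in sorted(rules, key=lambda r: r[0]):
        if rproto not in ("ip", proto):
            continue
        if dst is not None and not wildcard_match(dst_ip, dst, wc):
            continue
        return action
    return None

def process_inbound(rules: List[Rule], proto: str, dst_ip: str, dst_port: int):
    """Order the cause analysis describes: the packet filter sees the packet with
    its public destination still in place; only afterwards does the NAT server
    rewrite the destination to the private address."""
    if acl_verdict(rules, proto, dst_ip) == "deny":
        return ("dropped by packet-filter", dst_ip, dst_port)
    inside = NAT_SERVER.get(dst_ip)
    if inside is None:
        return ("no nat server entry", dst_ip, dst_port)
    return ("forwarded", inside, dst_port)

if __name__ == "__main__":
    for name, acl in (("as configured", WRONG_ACL), ("corrected", FIXED_ACL)):
        print(name, process_inbound(acl, "tcp", "209.29.234.51", 80))
```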
Conclusions and Suggestions
You need to be familiar with the order in which the device processes packets (firewall services before NAT) and configure the IP address that the ACL rule matches accordingly.