Topology: public network -- NE40 (NAT) -- private network users. Private network users behind the NE40 cannot ping public network addresses through NAT on the NE40.
If the NAT address pool is in the same network segment as the Ethernet interface, the nat match-host address-group-name command must be configured on that Ethernet interface so that the NE40 answers ARP requests for the pool addresses: the remote router sends such ARP requests to the Ethernet interface to resolve the destination of reverse NAT packets, whose destination addresses are taken from the address pool. In addition, the nat enable address-group address-group-name command must be configured in the system view so that each address in the pool is split out into a 32-bit-mask static route.
Analysis shows that the following causes could make the ping from private network users behind the NE40 fail after NAT to the public network:
(1) There is no route from the public network to the address pool.
(2) NAT fails.
(3) The route on the NE40 back to the private network (after NAT) is faulty.
The problem was located as follows:
(1) After replacing the NE40 with a firewall, the private network users could ping the public network through NAT, indicating that there is a route from the public network to the address pool.
(2) Checking the information on the NE40 showed that NAT sessions had been set up, indicating that NAT succeeded.
(3) However, the ARP entries that the uplink device of the NE40 learned for the addresses in the address pool were problematic. Analysis showed that the address pool and the Ethernet interface are in the same network segment, so when the Ethernet interface receives an ARP request whose target is not its own address, it does not reply. To make the NE40 reply to such ARP requests, the nat match-host address-group-name command must be configured on the Ethernet interface. After this command was configured, the uplink device of the NE40 learned the ARP entries for the pool addresses correctly, but the private network users still could not ping the public network.
(4) Packets captured through port mirroring showed that the public network forwarded the packets to the NE40, but the NE40 did not forward them to the private network users. Checking the information on the NE40 showed that the black-hole route for the NAT address pool did not take effect, because the address pool and the Ethernet interface of the NE40 are in the same network segment: the direct route of the NE40 has the highest preference, so the black-hole route for the NAT address pool does not take effect. Therefore, the nat enable address-group address-group-name command was configured on the NE40 to split each address in the address pool into a 32-bit-mask static route. After that, the route from the NE40 to the private network users after NAT was normal and the problem was solved: the private network users could ping the public network through NAT on the NE40 and could access the network normally.
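The route-selection behaviour behind step (4), as an added Python model that is not part of this case and not NE40 code: it assumes a constructed topology (Ethernet interface 198.51.100.1/24, address pool 198.51.100.10-20 inside the same /24), models direct and static route preference as 0 and 60, and uses the route kinds "nat-blackhole" and "nat-host" to stand for the routes that hand reverse packets to NAT.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    preference: int  # lower wins among routes for the same prefix (assumed: direct 0, static 60)
    kind: str        # "direct", "nat-blackhole" or "nat-host"


def lookup(table, dst):
    """Longest-prefix match first; among equal-length prefixes the lowest preference wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))


# Constructed topology: uplink Ethernet interface 198.51.100.1/24 and a NAT
# address pool 198.51.100.10-198.51.100.20 that lies inside that same segment.
IFACE_NET = ipaddress.ip_network("198.51.100.0/24")
POOL = [ipaddress.ip_address(f"198.51.100.{i}") for i in range(10, 21)]


def table_before():
    # The pool's black-hole route covers the same prefix as the direct route, so the
    # direct route (higher preference) is selected and the black-hole route never takes effect.
    return [Route(IFACE_NET, 0, "direct"), Route(IFACE_NET, 60, "nat-blackhole")]


def table_after():
    # nat enable address-group splits each pool address into its own /32 static route;
    # a /32 beats the /24 direct route on prefix length, regardless of preference.
    hosts = [Route(ipaddress.ip_network(f"{a}/32"), 60, "nat-host") for a in POOL]
    return table_before() + hosts


def reverse_path(table, dst):
    """Where a reverse packet for dst ends up: 'nat' (translated back to the private host),
    'interface' (treated as a directly connected host on the Ethernet segment) or 'none'."""
    r = lookup(table, dst)
    if r is None:
        return "none"
    return "nat" if r.kind.startswith("nat") else "interface"


if __name__ == "__main__":
    for name, table in (("before", table_before()), ("after", table_after())):
        print(name, "198.51.100.10 ->", reverse_path(table, "198.51.100.10"))
```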