The customer uses a USG5350 running V100R003 with two egresses: GigabitEthernet0/0/0 at 22.214.171.124/24 connects to network 1, and GigabitEthernet0/0/1 at 126.96.36.199/24 connects to network 2. The downstream core switch is a Cisco 9306. Multiple network segments are configured on the access-layer switch. The two servers directly connected to the core switch have the IP addresses 188.8.131.52/24 and 184.108.40.206/24.
For the network diagram and the configuration, see the attachment.
The customer wants intranet hosts to reach the internal servers through the servers' public addresses by configuring intrazone NAT. Policy-based routing and the static route take effect, but intrazone NAT does not.
Obtain the USG5350 version information, detailed configuration, and network diagram from the customer.
Check the intrazone NAT configuration. No error is detected.
nat-policy zone trust
Check for the default route to the USG5350 on the core switch. The route exists.
View the policy-based routing configuration.
traffic classifier class1
 if-match acl 3001
traffic behavior behavior1
 remark ip-nexthop x.x.x.x output-interface GigabitEthernet0/0/0
qos policy mypolicy
 classifier class1 behavior behavior1
View ACL 3001.
acl number 3001
 rule 0 permit ip source 220.127.116.11 0
 rule 5 permit ip source 18.104.22.168 0
Policy-based routing sends all packets sourced from 22.214.171.124 and 126.96.36.199 to the extranet through interface G0/0/0, regardless of destination. As a result, when an intranet host accesses the server, the firewall also redirects the server's response packets to interface G0/0/0 instead of back toward the core switch, so the intranet host never receives them.
Change ACL 3001, which is referenced by the policy-based routing classifier, to:
acl number 3001
 rule 0 deny ip destination 188.8.131.52 0.0.0.255
 rule 5 deny ip destination 10.0.0.0 0.255.255.255
 rule 10 deny ip destination 192.168.0.0 0.0.0.255
 rule 15 permit ip source 184.108.40.206 0
 rule 20 permit ip source 220.127.116.11 0
Because the deny rules are evaluated first, packets destined for the intranet no longer match the policy-based routing classifier, and the firewall stops forwarding them to the extranet interface.
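The following Python script is an added illustration of why the ACL change fixes the fault; it is not part of the case and not Huawei code. It evaluates both versions of ACL 3001 from the case text with first-match semantics and VRP-style wildcard masks, then applies the policy-based routing decision (classifier hit means redirect to GigabitEthernet0/0/0, otherwise follow normal routing). The intranet host address 192.168.0.10, the Internet destination 203.0.113.5, and the "normal" egress strings passed in for each flow are constructed assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Both ACL 3001 versions are copied from the case text. The firewall normalises
# "188.8.131.52 0.0.0.255" to the 188.8.131.0/24 range; the wildcard matcher
# below reproduces that behaviour.
ORIGINAL_ACL = """
acl number 3001
rule 0 permit ip source 220.127.116.11 0
rule 5 permit ip source 18.104.22.168 0
"""

REVISED_ACL = """
acl number 3001
rule 0 deny ip destination 188.8.131.52 0.0.0.255
rule 5 deny ip destination 10.0.0.0 0.255.255.255
rule 10 deny ip destination 192.168.0.0 0.0.0.255
rule 15 permit ip source 184.108.40.206 0
rule 20 permit ip source 220.127.116.11 0
"""


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "permit" or "deny"
    field: str       # "source" or "destination"
    address: str
    wildcard: str    # VRP wildcard mask: 1 bits are "don't care"; "0" means exact host


def parse_acl(text: str) -> list[Rule]:
    """Parse 'rule N permit|deny ip source|destination ADDR WILDCARD' lines."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue                      # skip the 'acl number 3001' header
        number, action, _ip, field, address, wildcard = parts[1:7]
        rules.append(Rule(int(number), action, field, address, wildcard))
    return rules


def _matches(rule: Rule, src: str, dst: str) -> bool:
    candidate = src if rule.field == "source" else dst
    wildcard = "0.0.0.0" if rule.wildcard == "0" else rule.wildcard
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    return (int(ipaddress.IPv4Address(candidate)) & care) == \
           (int(ipaddress.IPv4Address(rule.address)) & care)


def acl_action(rules: list[Rule], src: str, dst: str) -> str:
    """The first matching rule in rule-number order wins. No match means the
    classifier does not hit, which for policy-based routing behaves like 'deny'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, src, dst):
            return rule.action
    return "deny"


def pbr_egress(rules: list[Rule], src: str, dst: str, routed_egress: str) -> str:
    """behavior1 redirects classifier hits to GigabitEthernet0/0/0; everything
    else follows the normal routing-table decision passed in as routed_egress."""
    if acl_action(rules, src, dst) == "permit":
        return "GigabitEthernet0/0/0"
    return routed_egress


if __name__ == "__main__":
    # Constructed sample flows (assumed addresses and normal-routing egresses).
    flows = [
        ("server reply to intranet host", "220.127.116.11", "192.168.0.10", "core switch"),
        ("server traffic to the Internet", "220.127.116.11", "203.0.113.5", "GigabitEthernet0/0/1"),
    ]
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        rules = parse_acl(acl)
        for name, src, dst, routed in flows:
            print(f"{label:8} {name:32} -> {pbr_egress(rules, src, dst, routed)}")
```

With the original ACL the server's reply to 192.168.0.10 is redirected to GigabitEthernet0/0/0; with the revised ACL it follows normal routing back to the core switch, while Internet-bound traffic from the same source is still redirected as intended.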
The test after the modification indicates that intrazone NAT works normally.
The command for configuring intrazone NAT on USG5350 V100R003 differs from the command on other models, and the relevant guide does not provide a configuration example. As a result, a customer may not be able to see the intrazone NAT configuration (the policy source or policy destination settings, if any are configured) in the output of the dis cur command. This may lead you to assume that the problem is caused by an incorrect intrazone NAT configuration on the customer side.
Review the customer's configuration carefully and determine whether other configuration that interacts with intrazone NAT (policy-based routing in this case) is related to the fault. Do not escalate the problem to R&D engineers without first doing this analysis.