Policy-based Routing Affects Intrazone NAT

Publication Date: 2019-07-16

Issue Description

The customer uses a USG5350 running V100R003 with two egresses: GigabitEthernet0/0/0 connects to network 1 and GigabitEthernet0/0/1 connects to network 2. The downstream core switch is a Cisco 9306. Multiple network segments are configured on the access-layer switch. The IP addresses of the two servers directly connected to the core switch are respectively and
For the network diagram and the configuration, see the attachment.
The customer wants intranet hosts to reach the internal servers through their public addresses, which requires intrazone NAT (source NAT on traffic that enters and leaves the firewall through the same zone). The policy-based routing and the static route take effect, but the intrazone NAT does not.

Alarm Information


Handling Process

  1. Obtain the USG5350 version information, detailed configuration, and network diagram from the customer.
  2. Check the intrazone NAT configuration. No error is detected.
      nat-policy zone trust
        policy 0
          action source-nat
          address-group 0
  3. Check for the default route pointing to the USG5350 on the core switch. The route exists.
  4. View the policy-based routing configuration.
      traffic classifier class1
       if-match acl 3001
      traffic behavior behavior1
       remark ip-nexthop x.x.x.x output-interface GigabitEthernet0/0/0
      qos policy mypolicy
       classifier class1 behavior behavior1
     View ACL 3001.
      acl number 3001
       description celueluyou
       rule 0 permit ip source 0
       rule 5 permit ip source 0
     The policy-based routing sends every packet from the two source segments matched by ACL 3001 to the extranet through interface G0/0/0. Because the ACL matches on source address only, it also matches the traffic exchanged between an intranet host and the internal server. When an intranet host accesses the server, the firewall therefore forwards the server's response packets out of interface G0/0/0 instead of back toward the core switch, so the intranet host never receives them.
  5. Change ACL 3001 referenced by the policy-based routing to the following, placing deny rules for the intranet destination segments ahead of the permit rules:
      acl number 3001
       description celueluyou
       rule 0 deny ip destination
       rule 5 deny ip destination
       rule 10 deny ip destination
       rule 15 permit ip source 0
       rule 20 permit ip source 0
     The ACL is evaluated in rule order and the first match wins, so packets destined for the intranet now hit a deny rule, are not redirected by the policy-based routing, and are forwarded according to the routing table instead of out of the extranet interface.
     A test after the modification shows that intrazone NAT works normally.
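The following simulation is an added example written for this article; it is not configuration or code from the case or from Huawei. It models the first-match ACL evaluation that the policy-based routing relies on and replays the intrazone NAT flow against the original and the corrected ACL 3001. The addresses (users in 192.168.10.0/24, servers in 192.168.1.0/24, an Internet host in 203.0.113.0/24) and the rule count are constructed, because the page omits the real ones; the example also assumes that destination translation to the server's private address has already happened when the policy-based routing is evaluated, and that rules are matched in ascending rule-number order. It additionally shows a case the page does not cover: if the deny rules are numbered after the permit rules, the fix does nothing.

```python
"""Simulate first-match ACL evaluation as used by policy-based routing (PBR)
and show why the original ACL 3001 misroutes the intrazone NAT flow.
Added example; addresses and rule numbers are constructed, not from the case."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                             # "permit" or "deny"
    source: Optional[IPv4Net] = None        # None means "any"
    destination: Optional[IPv4Net] = None   # None means "any"

    def matches(self, src: IPv4Addr, dst: IPv4Addr) -> bool:
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination))


def acl_match(rules: List[Rule], src: IPv4Addr, dst: IPv4Addr) -> Optional[str]:
    """Evaluate rules in ascending rule-number order; the first match wins.
    Returns 'permit', 'deny' or None when no rule matched (assumed semantics)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            return rule.action
    return None


def pbr_egress(rules: List[Rule], src: IPv4Addr, dst: IPv4Addr,
               pbr_interface: str = "GigabitEthernet0/0/0") -> str:
    """PBR redirects only traffic the ACL permits; a deny or no match falls
    back to the normal routing table, reported here as 'routing-table'."""
    return pbr_interface if acl_match(rules, src, dst) == "permit" else "routing-table"


# Constructed segments (the page elides the real addresses).
USERS = IPv4Net("192.168.10.0/24")     # intranet user segment
SERVERS = IPv4Net("192.168.1.0/24")    # servers behind the core switch

# Original ACL 3001: permit by source address only.
ACL_BEFORE = [
    Rule(0, "permit", source=USERS),
    Rule(5, "permit", source=SERVERS),
]

# Corrected ACL 3001: deny-by-destination rules first, then the same permits.
ACL_AFTER = [
    Rule(0, "deny", destination=USERS),
    Rule(5, "deny", destination=SERVERS),
    Rule(15, "permit", source=USERS),
    Rule(20, "permit", source=SERVERS),
]

# Same rules but with the deny rules numbered after the permits: a mistake a
# practitioner can make when appending rules; first-match makes them dead rules.
ACL_MISORDERED = [
    Rule(15, "permit", source=USERS),
    Rule(20, "permit", source=SERVERS),
    Rule(30, "deny", destination=USERS),
    Rule(35, "deny", destination=SERVERS),
]


def hairpin_flow(rules: List[Rule]) -> Dict[str, str]:
    """Egress decision for each leg of the intrazone NAT flow: the user's
    request (destination already translated to the server's private address),
    the server's reply, and an ordinary Internet-bound packet for comparison."""
    host = IPv4Addr("192.168.10.5")
    server = IPv4Addr("192.168.1.10")
    internet = IPv4Addr("203.0.113.7")   # TEST-NET-3, constructed
    return {
        "request": pbr_egress(rules, host, server),
        "reply": pbr_egress(rules, server, host),
        "internet": pbr_egress(rules, host, internet),
    }


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER),
                      ("misordered", ACL_MISORDERED)):
        print(f"{name:10s} {hairpin_flow(acl)}")
```

With the original ACL both legs of the hairpinned flow are forced out of G0/0/0; with the corrected ACL they fall back to the routing table while Internet-bound traffic is still redirected. The misordered variant behaves exactly like the original, which is the check worth running after editing a PBR ACL: confirm the deny rules carry lower numbers than the permits, not merely that they exist.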

Root Cause

  1. The command for configuring intrazone NAT on the USG5350 V100R003 differs from that on other devices; the customer may have used an incorrect command.
  2. A routing error.
  3. A software version mismatch.


The command for configuring intrazone NAT on the USG5350 V100R003 differs from the command on other models, and the relevant guide provides no configuration example. In addition, when policy source or policy destination is set to any, that setting is not shown in the output of dis cur (display current-configuration), so the customer cannot see it there. This can lead you to assume that the fault is caused by an incorrectly configured intrazone NAT.
Review the customer's configuration patiently and determine whether configuration that interacts with intrazone NAT (policy-based routing in this case) is the cause of the fault. Do not escalate the problem to R&D engineers without this analysis.