The network diagram is as follows: the AR28 obtains a public IP address through PPPoE, the USG50 works in routing mode, and the terminal PC connects to the network through a Layer 2 switch. The terminal PC can ping the public IP address of the AR28 but cannot open web pages.
1. The public IP address of the AR28 can be pinged, which indicates that the router itself is up. Set the DNS server address manually on the PC; the external network still cannot be pinged. Ping www.baidu.com: the domain name cannot be resolved, and the DNS server address itself cannot be pinged either. This indicates that packets sent by the PC are not reaching the public network. Query the session table on the USG50: the outbound request packets are present, but no reply packets have been received for them. This indicates that the firewall is forwarding the traffic correctly and that the fault lies beyond it.
2. Remove the firewall, connect the PC directly to the AR28, and give the PC an IP address on the same network segment as the ingress interface of the AR28. The external network can now be accessed. Reconnect the firewall and configure source NAT on the USG50 so that the source address is translated to the address of the egress interface of the firewall; the external network can again be accessed. Check the NAT configuration on the AR28: the ACL bound to NAT permits only source addresses in the network segment where the egress interface of the USG50 resides, whereas the internal network uses a different segment. Therefore the source IP addresses of internal hosts are never translated to the public IP address, and the external network cannot be accessed.
In short, the NAT ACL on the AR28 matches only the network segment where the egress interface of the USG50 resides, not the internal network segment. When a packet from the internal network reaches the router, its source IP address does not match the ACL associated with NAT, so the packet is not translated and no reply can ever come back. A ping to the public IP address of the AR28 is answered by the router itself and does not require NAT, which is why that test succeeds while access to the external network fails. Either add the internal network segment to the NAT ACL on the AR28, or keep source NAT enabled on the USG50 so that traffic leaves the firewall with its egress address, which the AR28 ACL already permits.
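The following Python model is an added example, not configuration or code from Huawei or from this case, that reproduces the reasoning above: the AR28 consults its NAT ACL only for packets it must forward, so a ping to its own public address succeeds while anything bound for the Internet from an unmatched source is left untranslated. It also reproduces the two tests from step 2 and the ACL fix. All addresses and network segments (192.168.1.0/24 for the internal network, 10.1.1.0/24 between the USG50 egress and the AR28 ingress, 203.0.113.5 as the PPPoE public address, 198.51.100.10 as an Internet host) are constructed for illustration, since the case does not give them.

```python
"""Model of the NAT ACL mismatch in this case (added example; constructed addresses).

  PC 192.168.1.10/24 -> USG50 (untrust 10.1.1.2/24) -> AR28 (ingress 10.1.1.1/24,
  PPPoE public 203.0.113.5) -> Internet host 198.51.100.10
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class USG50:
    """Firewall in routing mode; optionally source-NATs traffic to its own egress address."""

    def __init__(self, egress_ip, source_nat=False):
        self.egress_ip = egress_ip
        self.source_nat = source_nat

    def forward(self, pkt):
        if self.source_nat:
            return Packet(self.egress_ip, pkt.dst)
        return pkt


class AR28:
    """Egress router: NAT outbound bound to an ACL of permitted source segments."""

    def __init__(self, public_ip, nat_acl_sources):
        self.public_ip = ipaddress.ip_address(public_ip)
        self.nat_acl = [ipaddress.ip_network(n) for n in nat_acl_sources]

    def forward(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if dst == self.public_ip:
            # Ping to the router's own public address is answered locally; the NAT ACL is
            # never consulted and the reply is routed straight back to the private source.
            return "reply", Packet(str(self.public_ip), pkt.src)
        if any(src in net for net in self.nat_acl):
            return "translated", Packet(str(self.public_ip), pkt.dst)
        # Source outside the NAT ACL: the packet leaves (or is dropped) with a private
        # source address, so nothing on the Internet can answer it: request, no reply.
        return "untranslated", pkt


PC_IP = "192.168.1.10"
LAN_NET = "192.168.1.0/24"          # internal network behind the USG50 (assumed)
USG_EGRESS_IP = "10.1.1.2"
USG_EGRESS_NET = "10.1.1.0/24"      # segment between USG50 egress and AR28 ingress (assumed)
AR28_PUBLIC_IP = "203.0.113.5"      # public address learned over PPPoE (assumed)
INTERNET_HOST = "198.51.100.10"     # any host on the public network (assumed)


def pc_outcomes(usg, ar, pc_ip=PC_IP):
    """What the PC sees for (ping the AR28 public IP, reach an Internet host)."""
    def one(dst):
        result, _ = ar.forward(usg.forward(Packet(pc_ip, dst)))
        return result
    return one(AR28_PUBLIC_IP), one(INTERNET_HOST)


def as_found():
    """Case as found: NAT ACL permits only the USG50 egress segment, firewall does no NAT."""
    return pc_outcomes(USG50(USG_EGRESS_IP), AR28(AR28_PUBLIC_IP, [USG_EGRESS_NET]))


def pc_on_ar28_segment():
    """Step 2, first test: firewall removed, PC addressed on the AR28 ingress segment."""
    ar = AR28(AR28_PUBLIC_IP, [USG_EGRESS_NET])
    result, _ = ar.forward(Packet("10.1.1.50", INTERNET_HOST))
    return result


def fix_snat_on_usg50():
    """Step 2, second test: USG50 translates the source to its egress address."""
    return pc_outcomes(USG50(USG_EGRESS_IP, source_nat=True),
                       AR28(AR28_PUBLIC_IP, [USG_EGRESS_NET]))


def fix_acl_on_ar28():
    """Alternative fix: add the internal segment to the NAT ACL on the AR28."""
    return pc_outcomes(USG50(USG_EGRESS_IP),
                       AR28(AR28_PUBLIC_IP, [USG_EGRESS_NET, LAN_NET]))


if __name__ == "__main__":
    print("as found          :", as_found())
    print("PC on AR28 segment:", pc_on_ar28_segment())
    print("SNAT on USG50     :", fix_snat_on_usg50())
    print("ACL fixed on AR28 :", fix_acl_on_ar28())
```

The model deliberately keeps the AR28's local-reply path separate from its NAT path: that separation is the whole reason the ping test in step 1 was misleading, and it is the first thing to check whenever "can ping the gateway's public address but cannot reach the Internet" shows up behind a two-hop NAT design.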