No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>


To have a better experience, please upgrade your IE browser.


The USG2200 Handles the ACL and NAT Differently Due to Inconsistent Versions

Publication Date:  2012-07-24 Views:  59 Downloads:  0
Issue Description
The user requires that extranet users can only access the www port of the intranet PC ( The following is configured:
nat server protocol tcp global inside www
acl 3000
 rule 0 permit tcp destination 0 destination-port eq www
 rule 1 deny ip
firewall interzone trust untrust
 packet-filter 3000 inbound
The test result shows that extranet users can access any port of the intranet PC.
Alarm Information
Handling Process
Check the configuration. The configuration is correct.
Normally, address mapping is performed on the device. To restrict the access, you need to directly write the private address after mapping in the ACL. Check the ACL. The rule is not matched. Change the address in the ACL rule to the public address before NAT. The problem is solved.
Root Cause
1. The configuration is incorrect.
2. The intranet server is faulty.
3. The version is incorrect.
On USG2200 V1R1, the device first matches the ACL and then performs NAT. Therefore, if the address in the ACL is the private address after NAT, the ACL rule cannot be matched or take effect. Change the address in the ACL rule to the public address.
Modifications are made in USG2200 V1R2 and later versions. The device first performs NAT and then matches the ACL. In this case, the ACL takes effect only after the private address after NAT is restricted.