As shown in Figure 11-6, the USG is configured with NAT Outbound. Therefore, users on internal network segment 10.2.1.0/24 can access the external network. ACL 3000 ensures that only internal users on network segment 10.2.1.0/24 can access the external network.
After the preceding configurations are complete, the PC with IP address 10.2.1.2 cannot access the FTP server with external IP address 126.96.36.199.
1. The internal PC cannot ping the internal interface 10.2.1.1 of the NAT gateway, but the NAT gateway can ping the external server 188.8.131.52. Therefore, the route on the PC may be set incorrectly. After the route is correctly set on the PC, the PC can ping 10.2.1.1 but still cannot access the FTP server normally. In this case, proceed to 2.
2. Check the session information on the NAT gateway. No session is created for the PC's traffic.
3. Check the ACL configuration. ACL 3000 is configured as follows:
     rule 5 permit ip source 10.1.1.0 0.0.0.255
   The preceding display shows that the configuration is incorrect: the rule matches 10.1.1.0/24 rather than the internal network segment 10.2.1.0/24, so traffic from the PC matches no rule and is not translated. Modify it as follows:
     rule 5 permit ip source 10.2.1.0 0.0.0.255
4. Continue to use the PC to access the FTP server. The control connection is set up normally, but no data can be transferred. The session information on the NAT gateway shows only one session, from the internal PC to FTP server port 21, and no data connection session is set up.
5. Enable the FTP ALG function and access the external FTP server from the internal PC again. Everything is normal and packets are transferred.
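The ACL mistake in step 3 is easy to miss by eye because a Huawei wildcard mask (0 bits must match, 1 bits are ignored) reads like an inverted subnet mask. The following added example, which is not part of the original case or the USG's own code, parses rule lines in the page's syntax, evaluates an address against them in rule-number order, and reports which hosts of an internal segment would match no permit rule and therefore not be translated. The ACL texts and the segment 10.2.1.0/24 are taken from the case; everything else is constructed.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Rule syntax as displayed in the case, e.g. "rule 5 permit ip source 10.1.1.0 0.0.0.255".
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)")

class Rule(NamedTuple):
    number: int
    action: str
    source: int    # source address as an integer
    wildcard: int  # wildcard mask as an integer (1 bits are "don't care")

def parse_acl(text: str) -> list:
    """Parse rule lines into Rule objects, ordered by rule number; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # e.g. the "acl number 3000" header
        num, action, src, wc = m.groups()
        rules.append(Rule(int(num), action,
                          int(ipaddress.IPv4Address(src)),
                          int(ipaddress.IPv4Address(wc))))
    return sorted(rules, key=lambda r: r.number)

def match(rules: list, address) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches.
    Only the bits that the wildcard does NOT cover are compared."""
    addr = int(ipaddress.IPv4Address(str(address)))
    for r in rules:
        care = ~r.wildcard & 0xFFFFFFFF
        if addr & care == r.source & care:
            return r.action
    return None

def uncovered_hosts(rules: list, segment: str) -> list:
    """Hosts of an internal segment that no permit rule matches (not translated by NAT outbound)."""
    net = ipaddress.IPv4Network(segment)
    return [str(h) for h in net.hosts() if match(rules, h) != "permit"]

# Constructed ACL texts reproducing the wrong and the corrected rule from the case.
WRONG_ACL = "acl number 3000\n rule 5 permit ip source 10.1.1.0 0.0.0.255\n"
FIXED_ACL = "acl number 3000\n rule 5 permit ip source 10.2.1.0 0.0.0.255\n"

if __name__ == "__main__":
    for name, acl in (("wrong", WRONG_ACL), ("fixed", FIXED_ACL)):
        rules = parse_acl(acl)
        print(name, "10.2.1.2 ->", match(rules, "10.2.1.2"),
              "| untranslated hosts in 10.2.1.0/24:", len(uncovered_hosts(rules, "10.2.1.0/24")))
```

Running it shows that with the wrong rule every host in 10.2.1.0/24 is left untranslated, which is exactly why no session appeared on the gateway in step 2.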
From this case, the following conclusions can be drawn: