Intranet users cannot access the extranet

Publication Date: 2012-09-21

Issue Description

At customer xx, with a USG9300 at the network egress, intranet users cannot access the extranet.

Alarm Information


Handling Process

1. Check the traffic diversion configuration of the SPU: is traffic passing through the XGE subport?
   Run display port xgigabitethernet port-number.subnumber on the SPU and check the input value in the displayed information.
   If the input field is 0, no packets are entering the SPU. See the SPU preconfiguration in 《Quidway S9300 Tbit router switch configuration directory -SPU》.
      If it is not correct, redo the traffic diversion configuration.
      If it is correct, go to step 9.
   If the input field is not 0, go to step 2.
2. Check whether the ACL policy of NAT outbound permits the NAT packets to pass.
   Run display nat outbound on the SPU and check whether the outbound port is configured with the correct NAT outbound.
[Quidway]display nat outbound
NAT Outbound Information:
Port                     Acl      Address-group/IP      Type
XGigabitEthernet0/0/2.1      2000                  1        no-pat
  Total : 1  

The output shows that the ACL associated with NAT outbound on port XGigabitEthernet0/0/2.1 is 2000.
Next, check whether the ACL 2000 policy is correct. If the IP address, port number or protocol type is not configured correctly, packets cannot pass through the network normally.
Run display acl 2000 to review the configuration associated with NAT outbound.
[Quidway] display acl 2000
Advanced ACL2000, 1 rule
Acl's step is 5
rule 5 permit source 0
The ACL policy shows that the packet type is TCP and that only the source given in the rule can match this ACL policy.
If the ACL configuration is not correct, configure it again.
If the ACL configuration is correct and the fault persists, go to step 3.
3. Check the address pool.
   Run display nat address-group to check the address bound to NAT outbound on the outbound port.
[Quidway] display nat address-group 1
NAT Address-Group Information:
Index   Start-address      End-address
Total : 1    

For Easy IP, run display nat outbound on the SPU to check the information.

[Quidway]display nat outbound
NAT Outbound Information:
Port                    Acl      Address-group/IP      Type
XGigabitEthernet0/0/1.200    2000      easyip
  Total : 1       
The output shows that outbound port XGigabitEthernet0/0/1.200 is configured for Easy IP and that the bound address pool is the reported address. If access through NAT fails, confirm the following:
• Is the bound IP address the IP address of the port? If so, make sure the port address is valid.
• Is the bound IP address a VRRP virtual address? If so, first make sure the port address is valid, then make sure the VRRP state is Master. Run display vrrp to check the VRRP state of this port.
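
The checks in steps 2 and 3 can be driven from a saved copy of the display nat outbound output. The following Python sketch is an added example, not part of the original case or any Huawei tool; the sample text is constructed by merging the two outputs shown above, and the function names and the port XGigabitEthernet0/0/3.1 used in testing are assumptions.

```python
import re

# Constructed sample: the two "display nat outbound" rows shown on this page, merged.
SAMPLE = """\
NAT Outbound Information:
Port                     Acl      Address-group/IP      Type
XGigabitEthernet0/0/2.1      2000                  1        no-pat
XGigabitEthernet0/0/1.200    2000      easyip
  Total : 2
"""

# A data row is: port name, numeric ACL, address-group index / IP / "easyip", optional type.
ROW = re.compile(r"^(?P<port>\S+)\s+(?P<acl>\d+)\s+(?P<bind>\S+)(?:\s+(?P<type>\S+))?\s*$")

def parse_nat_outbound(text):
    """Return one dict per NAT outbound binding; header and Total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def follow_up_checks(entry):
    """List the commands from the handling process that apply to this binding."""
    checks = [f"display acl {entry['acl']}"]  # step 2: the ACL must permit the traffic
    if entry["bind"].lower() == "easyip":
        # Easy IP: only relevant when the bound address is a VRRP virtual address.
        checks.append("display vrrp")
    elif entry["bind"].isdigit():
        checks.append(f"display nat address-group {entry['bind']}")  # step 3
    return checks

def ports_without_nat(expected_ports, entries):
    """Root cause check: public-network ports that have no NAT outbound binding."""
    bound = {e["port"] for e in entries}
    return sorted(set(expected_ports) - bound)

if __name__ == "__main__":
    for e in parse_nat_outbound(SAMPLE):
        print(e["port"], "->", follow_up_checks(e))
```
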

Root Cause

• The public-network inbound/outbound port used for user access is in the down state
• NAT outbound is not configured on the public-network inbound/outbound port
• The ACL referenced by NAT outbound is not configured correctly