USG5500 port mapping (NAT server) cannot be accessed from the extranet because the intranet has more than one extranet egress

Publication Date:  2012-09-26 Views:  534 Downloads:  0

Issue Description

The customer's configuration is as follows:
nat server 0 global inside
nat server 1 protocol tcp global www inside www
nat server 2 zone untrust global inside
nat server 3 zone trust global inside

ospf 1
default-route-advertise always

The server can be accessed from the intranet but not from the extranet. OSPF runs in the intranet and the firewall advertises the default route into it. The firewall can ping the server. When the server is accessed from the extranet, a session is created on the firewall; checking the session in both directions shows that inbound packets arrive but no outbound (return) packets are seen.

[USG5500-hidecmd]dis firewall session table verbose_hide both-direction source global
20:35:20  2011/09/19
Current Total Sessions : 1
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop:  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop:  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0

This output shows that packets arrive in the inbound direction (-->packets:2) but no return packets are seen in the outbound direction (<--packets:0).
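As an added diagnostic aid that is not part of the original case, the following Python script parses session-table output in the format shown above and flags sessions that carry forward packets but no replies, which is the symptom of a return path that bypasses the firewall. The sample output is constructed to match the format; it is not the customer's capture.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the USG5500 'display firewall session table verbose'
# output above (not the customer's actual capture); the second session is a healthy one.
SAMPLE = """\
Current Total Sessions : 2
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop:  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop:  MAC: 00-00-00-00-00-00
  <--packets:5 bytes:400   -->packets:4 bytes:300
"""

@dataclass
class Session:
    proto: str
    src_zone: str
    dst_zone: str
    fwd_packets: int  # -->packets: initiator towards the server
    rev_packets: int  # <--packets: replies coming back from the server

PROTO_RE = re.compile(r"^\s+(\w+)\s+VPN:")
ZONE_RE = re.compile(r"Zone:\s*(\S+?)\s*-->\s*(\S+)")
PKT_RE = re.compile(r"<--packets:(\d+)\s+bytes:\d+\s+-->packets:(\d+)\s+bytes:\d+")

def parse_sessions(text: str) -> list[Session]:
    """Walk the output line by line; each session entry ends at its packets line."""
    sessions, cur = [], {}
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            cur = {"proto": m.group(1)}
        elif m := ZONE_RE.search(line):
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
        elif m := PKT_RE.search(line):
            cur["rev_packets"], cur["fwd_packets"] = int(m.group(1)), int(m.group(2))
            sessions.append(Session(**cur))
            cur = {}
    return sessions

def one_way_sessions(sessions: list[Session]) -> list[Session]:
    """Forward packets but zero replies: the return traffic is leaving by another egress."""
    return [s for s in sessions if s.fwd_packets > 0 and s.rev_packets == 0]
```

Run `one_way_sessions(parse_sessions(SAMPLE))` against a pasted session table; any session it returns is a candidate for the asymmetric-return problem described in this case.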

Alarm Information


Handling Process

The fault was located: inbound access enters through the firewall, but the server's return traffic leaves through the education network egress, so the connection cannot be completed. Without changing the network topology, this can be resolved by applying source NAT in the inbound direction: the extranet source address is translated to an address from the firewall's address pool, which is local to the server's network, so the server's return packets go back to the firewall instead of out through the education network.
nat-policy interzone trust untrust inbound
policy 0
  action source-nat                     
  address-group 1
Result confirmation:
[USG5500-hidecmd]dis firewall session table destination global destination-port 80
13:08:08  2011/09/23
Current Total Sessions : 16

Root Cause

1 At first an OSPF fault was suspected, but the configuration already advertises the default route into OSPF:
default-route-advertise always
2 The firewall can ping the server and the server is reachable from the intranet, so the mapping itself is correct. Both addresses in the mapping are public network addresses. On asking the customer, it turned out that the server's address belongs to the education network, which has its own extranet egress.


When port mapping fails and checking confirms that the configuration is correct, ask the customer whether the intranet has any other extranet egress, so that this possibility can be ruled out.