No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Because the NAT transition port number configuration is wrong in the NAT SERVER, the NAT transition fail.

Publication Date:  2019-07-17 Views:  3 Downloads:  0

Issue Description

Network mode: the server --- SW--- FW (NAT) --- public network
Configuration description: in the FW configure NAT SERVER to make NAT transition for the server service under the SW (because the server different service for the different port).
Fault phenomenon: the server cannot PING pass the public network address.

Alarm Information


Handling Process

Check the FW configuration, find the following configuration:
nat server protocol udp global 40002 inside 40002
Check the FW SESSION TABLE and find that:
udp: vpn:0,[X.X.163.176:63088]-->X.X.163.171:40002
The port provided by the server is 3475, not 40002. So when the FW is in the matching, can't match to the 40002, so using the 63088 port to make the transition, thus become fault.
Change the port in the NAT SERVER configuration to be 3475, problem solved.

Root Cause

When FW use NAT SERVER command to make NAT transition, it is strictly according to the port number in the configuration command to make matching and transition. If NAT SERVER the port number in the configuration command is not consistent to the port actual server application, so when the FW received the message, only can matching the source IP and destination IP, can’t matching the port number, then random change a port to make NAT transition.


When configure NAT SERVER command, need to know exactly the port provided by the server end, so as to ensure the NAT translation successful.