
NAT Server double export configuration causes users' access to the internal server address to be restricted

Publication Date:  2019-07-17 Views:  769 Downloads:  0

Issue Description

As shown, many companies have two ISP exports, for example A and B, and deploy an internal server for external network users to access. The internal server's private address must be configured as two separate NAT Servers on the firewall, one for the A users and one for the B users, so that different users can access it; this is the NAT Server double export function.
After the configuration was completed, it was found that the A users can access the internal server through the public address X.X.2.2 and the B users can access it through the public address X.X.3.3, but the B users cannot access the A-side public server address X.X.2.2, and the B users cannot access the netcom public server address X.X.3.3 either.

Alarm Information


Handling Process

When configuring NAT Server double export, one of the following two methods is usually used:
1. Configure based on different security zones: assign the telecom (A) users and the netcom (B) users to different security zones, and provide a different public IP address for each zone.
In this mode, when the internal server actively accesses the external network, the firewall selects the corresponding reverse mapping table according to the security zone and performs the address mapping.
[sysname] nat server zone zone1 global inside
[sysname] nat server zone zone2 global inside
zone1 is the security zone of the telecom users; zone2 is the security zone of the netcom users.
2. Configure the no-reverse parameter so that no reverse mapping table is established.
In this mode the internal server is usually not allowed to actively access the external network; if it needs to, additionally configure source-IP-address-based NAT for this server.
[sysname] nat server global inside no-reverse
[sysname] nat server global inside no-reverse
After the above configuration is complete, A users can access the internal server through the A-side address, and B users can access it through the X.X.3.3 address.
When an A user accesses the B-side server address, the packet arrives, is translated by the forward mapping from X.X.3.3 to the internal server's private address, and is sent to the internal server. When the reply packet from the internal server arrives, it hits the session table; the route lookup finds that it is destined for the A user, so the packet is sent out directly from the interface nearest the A user. That is, the packet arrived on the B-user interface but was sent out on the A-user interface.
At this point, if there is other firewall equipment between this firewall and the A users, and that equipment has link state detection enabled, packets whose return path is inconsistent with the forward path are not allowed to pass, and the packet is finally discarded.

Root Cause

Usually, when the internal server provides access through a public network address, this is achieved by configuring a global NAT Server. Each configured NAT Server generates two global mapping tables: a forward mapping table, used to translate the address when external network users access the internal server, and a reverse mapping table, used for address mapping when the internal server actively accesses the external network.
When one private IP address of the internal server is mapped to two public IP addresses, two reverse mapping tables are established. In this case, when the internal server actively accesses the external network there are two mapping relationships, which is not allowed.
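The following Python model is an added example, not Huawei code and not part of the original page. It mimics the forward/reverse mapping tables and session table described in the Handling Process and Root Cause sections: two global NAT Servers for one inside address produce two reverse mappings (ambiguous), zone-based NAT Servers select the reverse mapping by egress zone, no-reverse produces none, and cross access (an A user reaching the server via X.X.3.3) produces a reply whose egress interface differs from the ingress interface, which a path-consistency check on a downstream device would drop. The private address 10.1.1.10, the zone names zone1/zone2 and the user-to-zone routes are constructed assumptions.

```python
"""Added model of NAT Server double export (constructed; not Huawei's implementation)."""
from dataclasses import dataclass, field

# Public addresses from the page; everything else below is constructed.
PUB_A = "X.X.2.2"      # telecom (A) side public address
PUB_B = "X.X.3.3"      # netcom (B) side public address
SERVER = "10.1.1.10"   # constructed private address of the internal server
ZONE_A, ZONE_B = "zone1", "zone2"
# A packet addressed to a public address arrives on that ISP's interface/zone.
INGRESS_ZONE = {PUB_A: ZONE_A, PUB_B: ZONE_B}
# Route lookup result: the zone through which each external user is reached.
ROUTE_TO_USER = {"A-user": ZONE_A, "B-user": ZONE_B}


@dataclass
class NatServerTable:
    forward: dict = field(default_factory=dict)   # global ip -> inside ip
    reverse: dict = field(default_factory=dict)   # inside ip -> [(zone, global ip)]
    sessions: dict = field(default_factory=dict)  # (inside ip, user) -> session info

    def nat_server(self, global_ip, inside_ip, zone=None, no_reverse=False):
        """One 'nat server' line: always a forward map; a reverse map unless no-reverse."""
        self.forward[global_ip] = inside_ip
        if not no_reverse:
            self.reverse.setdefault(inside_ip, []).append((zone, global_ip))

    def inbound(self, user, dst_global):
        """External user -> server: apply the forward map and record the ingress zone."""
        inside = self.forward.get(dst_global)
        if inside is None:
            return None
        self.sessions[(inside, user)] = {"in_zone": INGRESS_ZONE[dst_global],
                                         "global": dst_global}
        return inside

    def reply(self, user, strict_path_check=False):
        """Server reply: hit the session, then the route lookup picks the egress zone."""
        sess = self.sessions.get((SERVER, user))
        if sess is None:
            return None
        egress = ROUTE_TO_USER[user]
        symmetric = egress == sess["in_zone"]
        if strict_path_check and not symmetric:
            return None  # a path-consistency check on the way back drops this packet
        return {"src": sess["global"], "in_zone": sess["in_zone"],
                "egress": egress, "symmetric": symmetric}

    def outbound(self, egress_zone):
        """Server actively accesses the outside: choose a reverse mapping."""
        cands = self.reverse.get(SERVER, [])
        if not cands:
            return "no-reverse: source NAT needed"
        if len(cands) == 1:
            return cands[0][1]
        by_zone = [g for z, g in cands if z == egress_zone]
        if len(by_zone) == 1:
            return by_zone[0]
        return "ambiguous: two reverse mappings"


def global_double_export():
    """Two plain global NAT Servers for one inside address (the problematic setup)."""
    t = NatServerTable()
    t.nat_server(PUB_A, SERVER)
    t.nat_server(PUB_B, SERVER)
    return t.outbound(ZONE_A)


def zone_double_export():
    """Method 1 from the page: reverse mapping selected by security zone."""
    t = NatServerTable()
    t.nat_server(PUB_A, SERVER, zone=ZONE_A)
    t.nat_server(PUB_B, SERVER, zone=ZONE_B)
    return t.outbound(ZONE_A), t.outbound(ZONE_B)


def no_reverse_double_export():
    """Method 2 from the page: no reverse tables at all."""
    t = NatServerTable()
    t.nat_server(PUB_A, SERVER, no_reverse=True)
    t.nat_server(PUB_B, SERVER, no_reverse=True)
    return t.outbound(ZONE_A)


def cross_access(strict_path_check):
    """An A user reaching the server through the B-side address X.X.3.3."""
    t = NatServerTable()
    t.nat_server(PUB_A, SERVER, no_reverse=True)
    t.nat_server(PUB_B, SERVER, no_reverse=True)
    assert t.inbound("A-user", PUB_B) == SERVER
    return t.reply("A-user", strict_path_check)


def nearby_access():
    """An A user reaching the server through its own side's address X.X.2.2."""
    t = NatServerTable()
    t.nat_server(PUB_A, SERVER, no_reverse=True)
    t.nat_server(PUB_B, SERVER, no_reverse=True)
    t.inbound("A-user", PUB_A)
    return t.reply("A-user", strict_path_check=True)


if __name__ == "__main__":
    print(global_double_export(), zone_double_export(), no_reverse_double_export())
    print(cross_access(False), cross_access(True), nearby_access())
```

The `cross_access` result shows the page's observation directly: the session was created on zone2 (the packet arrived via the B link because it was addressed to X.X.3.3), but the reply leaves via zone1 because the route to the A user points there; with `strict_path_check=True` the reply is discarded, while `nearby_access` passes the same check.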


The main purpose of configuring NAT Server double export is to let external network users access the server via the nearest path: B users access the internal server through B's public IP address, and A users access it through the telecom public IP address, so as to achieve fast access and avoid cross access, which would otherwise affect normal services.