
Users in the Trust zone cannot access the DMZ server because “nat server” was not configured correctly

Publication Date: 2019-07-18

Issue Description

As shown in the figure, a USG is deployed at the egress of an enterprise network. The internal users belong to the Trust zone and connect to the USG through interface GE0/0/2. The FTP server belongs to the DMZ, provides FTP service to both the external and internal networks, and connects to the USG through interface GE0/0/1. Interface GE0/0/3 of the USG connects to the Internet and belongs to the Untrust zone.
NAT is enabled on the firewall. The relevant configuration is as follows:
[sysname-interzone-trust-untrust] nat outbound 2000 address-group 1
[sysname] nat server global X.X.1.8 inside
Here, X.X.1.8 is the public IP address of the FTP server.
After the configuration is complete, users in the Trust zone cannot access the FTP server by its private address; they can access it only by its public address X.X.1.8.

Alarm Information


Handling Process

Modify the nat server command by adding the keyword “zone”, so that the command applies only between the DMZ and the Untrust zone.
[sysname] nat server zone untrust global X.X.1.8 inside

Root Cause

When the nat server command was configured, the keyword “zone” was not specified, so the command also applied between the Trust zone and the DMZ. As a result, users in the Trust zone could not hit the session table unless they accessed the public address.


When configuring “nat server” for a server in the DMZ, if you want users in the Trust zone to access the FTP server by its private address, you must configure the keyword “zone”.
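
One way to catch this misconfiguration before it causes a fault is to scan a saved configuration for nat server entries that lack the “zone” keyword. The following Python script is an added example, not part of the original case or any Huawei tool; the sample configuration, its addresses and the function names are constructed for illustration, and it relies only on the keywords shown in the case (nat server, zone, global, inside).

```python
import re

# Constructed sample configuration (not taken from the case). The addresses are
# placeholders; only the keywords shown in the case are relied on.
SAMPLE_CONFIG = """\
sysname USG
nat server global 198.51.100.8 inside 10.1.1.8
nat server zone untrust global 198.51.100.9 inside 10.1.1.9
undo nat server global 198.51.100.7 inside 10.1.1.7
nat server global 198.51.100.6 inside
"""

NAT_SERVER = re.compile(r"^\s*nat\s+server\b(.*)$")


def value_after(tokens, keyword):
    """Return the token following keyword, or None if keyword or value is absent."""
    if keyword in tokens:
        i = tokens.index(keyword)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def parse_nat_server(line):
    """Parse one 'nat server' line into zone/global/inside fields, else None."""
    m = NAT_SERVER.match(line)
    if not m:
        return None  # other commands, including 'undo nat server', are skipped
    tokens = m.group(1).split()
    # 'zone' only scopes the mapping when it precedes 'global'.
    head = tokens[:tokens.index("global")] if "global" in tokens else tokens
    return {
        "zone": value_after(head, "zone"),
        "global": value_after(tokens, "global"),
        "inside": value_after(tokens, "inside"),  # None if the line is truncated
    }


def unscoped_nat_servers(config):
    """List (line_number, entry) for mappings with no zone keyword."""
    findings = []
    for number, line in enumerate(config.splitlines(), start=1):
        entry = parse_nat_server(line)
        if entry is not None and entry["zone"] is None:
            findings.append((number, entry))
    return findings


if __name__ == "__main__":
    for number, entry in unscoped_nat_servers(SAMPLE_CONFIG):
        print(f"line {number}: nat server {entry['global']} -> {entry['inside']} has no zone")
```

Each reported entry is a mapping that applies between all zones, including Trust and DMZ, and is a candidate for the “zone untrust” form shown in the handling process.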