
After PBR Is Configured on an AR2240 Router's Intranet Interface, Intranet Users Cannot Access the Internal Server Using the Server's Public IP Address

Publication Date:  2019-07-12  |   Views:  1727  |   Downloads:  0  |   Document ID:  EKB1000090157

Issue Description

When PBR is configured on the AR2240 router's intranet interface GE0/0/0, HostA cannot access the internal server using the server's public IP address x.x.180.10, but can access the server using that public IP address after the PBR configuration is deleted.

Alarm Information

Ping the public IP address of the server from HostA. The ping operation fails.

Handling Process

Step 1 Run the display current-configuration command to check the configuration. The command output shows that, in the PBR configuration, traffic from intranet users to the public IP address x.x.180.10 is matched by ACL 3001 in classifier vlan11, whose behavior vlan11 carries no action, so this traffic is not redirected; other traffic matching ACL 2000 (classifier vlan10) is redirected to the next hop x.x.180.9.

#
acl number 2000 
rule 10 permit source x.x.0.0 0.0.0.255
acl number 2999 
rule 5 permit                           
acl number 3001 
rule 11 permit ip source x.x.0.0 0.0.255.255 destination x.x.180.10 0
#
traffic classifier vlan11 operator or
if-match acl 3001
traffic classifier vlan10 operator or
if-match acl 2000
#
traffic behavior vlan11
traffic behavior vlan10
redirect ip-nexthop x.x.180.9
#
traffic policy vlan10
classifier vlan11 behavior vlan11
classifier vlan10 behavior vlan10
#
interface GigabitEthernet0/0/0
ip address x.x.100.1 255.255.255.0
traffic-policy vlan10 inbound
nat server protocol tcp global interface GigabitEthernet0/0/2 www inside 192.168.0.140 www
#
interface GigabitEthernet0/0/2
description LianTong
ip address x.x.180.10 255.255.255.252
nat server protocol tcp global current-interface www inside 192.168.0.140 www
nat outbound 2999

Step 2 Analyze the ping operation from HostA to the server.

Phase 1: HostA sends data to the server.

Source          Destination
x.x.1.100       x.x.180.10      // HostA sends the packet to the server's public IP address.
x.x.1.100       x.x.0.140       // GE0/0/0 translates the destination public IP address x.x.180.10 to the private IP address x.x.0.140 based on the NAT flow table.
x.x.100.1       x.x.0.140       // GE0/0/0 translates the source private IP address x.x.1.100 to the public IP address x.x.100.1 based on the NAT flow table.

Phase 2: The server sends data to HostA.

Source          Destination
x.x.0.140       x.x.100.1       // The reply does not match ACL 3001 (its destination is x.x.100.1, not x.x.180.10), so it matches ACL 2000 in classifier vlan10 and is redirected to x.x.180.9.
x.x.0.140       x.x.1.100       // Expected next step, never reached while the reply is redirected: GE0/0/0 translates the destination public IP address x.x.100.1 to the private IP address x.x.1.100 based on the NAT flow table.
x.x.180.10      x.x.1.100       // Expected next step, never reached while the reply is redirected: GE0/0/0 translates the source private IP address x.x.0.140 to the public IP address x.x.180.10 based on the NAT flow table.

----End

Root Cause

When the server sends data to HostA, the reply is addressed to x.x.100.1, the GE0/0/0 address that the request's source was translated to. This destination is not covered by ACL 3001, so the reply does not hit classifier vlan11; it matches ACL 2000 in classifier vlan10 instead and is redirected to the next hop x.x.180.9 before the NAT flow table can translate it back to HostA. The exemption ACL was written for the pre-NAT destination only.

Solution

Add a rule to ACL 3001 so that traffic from intranet hosts to the public IP address x.x.100.1 also hits classifier vlan11 and is not redirected.

acl number 3001
rule 11 permit ip source x.x.0.0 0.0.255.255 destination x.x.180.10 0
rule 12 permit ip source x.x.0.0 0.0.255.255 destination x.x.100.1 0  //Add a matching rule for traffic from intranet users to the public IP address x.x.100.1.

The fault is rectified after the matching rule is added.
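The two-phase analysis in Step 2 and the ACL fix above, as an added worked model that is not the article's or Huawei's code: a small Python simulation of the GE0/0/0 inbound path that evaluates the traffic policy before NAT, with Huawei-style wildcard-mask ACL matching and first-match classifier ordering. It uses constructed documentation addresses in place of the masked x.x.* values (HostA 192.168.1.100, server 192.168.0.140, GE0/0/0 192.168.100.1, server public address 203.0.113.10, redirect next hop 203.0.113.9) and assumes, as the article's analysis does, that a request from an intranet host to the server's public address has its source translated to the GE0/0/0 address. The function names and the session-table layout are this example's own, not router internals.

```python
"""Model of the GE0/0/0 inbound path: MQC traffic policy first, then NAT.

Constructed addresses stand in for the masked x.x.* values in the article.
"""
from collections import namedtuple
import ipaddress

Rule = namedtuple("Rule", "src src_wild dst dst_wild")   # dst None means any destination
Packet = namedtuple("Packet", "src dst")

HOST_A, SERVER_INSIDE, GE000_ADDR = "192.168.1.100", "192.168.0.140", "192.168.100.1"
SERVER_PUBLIC, ISP_NEXTHOP = "203.0.113.10", "203.0.113.9"


def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def acl_match(acl, pkt):
    """True if any rule of the ACL permits the packet (all rules here are permit rules)."""
    for r in acl:
        if wildcard_match(pkt.src, r.src, r.src_wild) and (
                r.dst is None or wildcard_match(pkt.dst, r.dst, r.dst_wild)):
            return True
    return False


# acl 2000: rule 10 permit source x.x.0.0 0.0.0.255
ACL_2000 = [Rule("192.168.0.0", "0.0.0.255", None, None)]
# acl 3001 as configured: rule 11 permit ip source x.x.0.0 0.0.255.255 destination x.x.180.10 0
ACL_3001_BEFORE = [Rule("192.168.0.0", "0.0.255.255", SERVER_PUBLIC, "0.0.0.0")]
# acl 3001 after the fix: rule 12 also exempts traffic to the GE0/0/0 address x.x.100.1
ACL_3001_AFTER = ACL_3001_BEFORE + [Rule("192.168.0.0", "0.0.255.255", GE000_ADDR, "0.0.0.0")]


def traffic_policy_vlan10(pkt, acl_3001):
    """Classifiers are evaluated in the order bound to the policy; the first match wins.
    classifier vlan11 -> behavior vlan11 (empty, so no redirect)
    classifier vlan10 -> behavior vlan10 (redirect ip-nexthop x.x.180.9)
    """
    if acl_match(acl_3001, pkt):
        return "vlan11", None
    if acl_match(ACL_2000, pkt):
        return "vlan10", ISP_NEXTHOP
    return None, None


def ge000_inbound(pkt, acl_3001, sessions):
    """One packet entering GE0/0/0: a redirect wins before any NAT translation happens."""
    classifier, nexthop = traffic_policy_vlan10(pkt, acl_3001)
    if nexthop is not None:
        return {"action": "redirect", "classifier": classifier, "nexthop": nexthop, "pkt": pkt}
    if pkt.dst == SERVER_PUBLIC:          # nat server: public -> inside, source hairpinned to GE0/0/0
        translated = Packet(GE000_ADDR, SERVER_INSIDE)
        sessions[translated.dst, translated.src] = Packet(SERVER_PUBLIC, pkt.src)  # reverse entry
        return {"action": "forward", "classifier": classifier, "pkt": translated}
    if (pkt.src, pkt.dst) in sessions:    # reverse direction of an existing NAT session
        return {"action": "forward", "classifier": classifier, "pkt": sessions[pkt.src, pkt.dst]}
    return {"action": "forward", "classifier": classifier, "pkt": pkt}


def ping_round_trip(acl_3001):
    """HostA -> server public IP, then the server's reply, both entering GE0/0/0."""
    sessions = {}
    request = ge000_inbound(Packet(HOST_A, SERVER_PUBLIC), acl_3001, sessions)
    if request["action"] != "forward":
        return request
    seen = request["pkt"]                 # the addresses the server actually receives
    return ge000_inbound(Packet(seen.dst, seen.src), acl_3001, sessions)


if __name__ == "__main__":
    for label, acl in (("before fix", ACL_3001_BEFORE), ("after fix", ACL_3001_AFTER)):
        print(label, ping_round_trip(acl))
```

With ACL_3001_BEFORE the reply 192.168.0.140 -> 192.168.100.1 misses classifier vlan11, hits ACL 2000 in vlan10 and is redirected to 203.0.113.9, exactly the Phase 2 failure above; with ACL_3001_AFTER it is forwarded and the session entry rewrites it to 203.0.113.10 -> 192.168.1.100. The general lesson the model makes visible is that an exemption ACL on an interface that also performs NAT must cover the translated addresses in both directions, not only the address the intranet host originally targets.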

Suggestions

Check the router status and information using commands to locate the fault. Use a correct troubleshooting roadmap, run correct commands, and analyze the corresponding command outputs. When a PBR redirect is applied to an interface that also performs NAT, trace each direction of the flow through NAT and make sure the exemption ACL covers the translated addresses (here x.x.100.1) as well as the original ones; after changing the ACL, confirm the new rule in the display acl output and repeat the ping.