The customer has a server on the internal network. They configured NAT Server on the USG6630 so that users can visit it from the Internet.
The topology is as shown below:
After the customer finished the configuration, external users could visit the server from the Internet, but internal users could not.
First we checked the source NAT for the internal user; it was OK, and the internal user could access the Internet normally.
We used the internal user to visit the internal server from the Internet, then we checked the firewall sessions; there was no session on the firewall.
So we know that the traffic is dropped by the firewall.
We checked the NAT Server configuration; a source zone is configured on the NAT Server, as shown below:
nat server VIP_DPIS 16 zone Extranal global x.x.x.x inside 192.168.10.103 unr-route
This means that only users from the Extranal zone are permitted to visit the server. The internal user belongs to the Internal zone, so it cannot visit the server from the Internet.
After the customer removed the zone configuration, the internal user could visit the server from the Internet.
When the customer configured the NAT Server, they configured a zone, so users from other zones could not access the server.
When you configure NAT Server, you should know which users need to visit the server from the Internet, so that you can either configure the right zone or leave the zone unconfigured.
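The check described above can be run over a saved configuration before deployment. The following Python script is an added example, not part of the original case or any Huawei tool: it assumes `nat server` lines in the form shown on this page, and the `VIP_OPEN` entry, its addresses, and the helper names are constructed for illustration.

```python
import re

# Matches a "nat server" line in the form shown on this page (assumed format):
#   nat server <name> <id> [zone <zone>] global <addr> inside <addr> [unr-route]
NAT_SERVER_RE = re.compile(
    r"^\s*nat server (?P<name>\S+)(?: (?P<id>\d+))?"
    r"(?: zone (?P<zone>\S+))?"
    r".*? global (?P<global>\S+)"
    r".*? inside (?P<inside>\S+)"
)

def parse_nat_servers(config_text):
    """Return one dict per nat server line; 'zone' is None when no zone is set."""
    entries = []
    for line in config_text.splitlines():
        match = NAT_SERVER_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries

def audit(config_text, client_zones):
    """Map each NAT Server name to the client zones its zone setting excludes."""
    report = {}
    for entry in parse_nat_servers(config_text):
        if entry["zone"] is None:
            continue  # no zone configured: the mapping is not tied to one zone
        excluded = [z for z in client_zones if z != entry["zone"]]
        if excluded:
            report[entry["name"]] = excluded
    return report

# First line is the configuration from this case; second line is constructed.
SAMPLE_CONFIG = """\
nat server VIP_DPIS 16 zone Extranal global x.x.x.x inside 192.168.10.103 unr-route
nat server VIP_OPEN 17 global 203.0.113.20 inside 192.168.10.104 unr-route
"""

if __name__ == "__main__":
    # Zones whose users are expected to reach the servers via the global address.
    for name, zones in audit(SAMPLE_CONFIG, ["Extranal", "Internal"]).items():
        print(f"{name}: not reachable via global address from zone(s) {zones}")
```

An empty report means every listed client zone is either the configured zone or the mapping has no zone restriction.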