
The NAT Server Configuration Does Not Take Effect on an NE20E-X6 Because of the Inappropriate NAT Priority Configuration

Publication Date: 2019-03-27

Issue Description

An NE20E-X6 is configured with the NAT server function for an internal server that has only one IP address (10.46.160.33). Different branches must reach that server through different public (global) addresses, so one NAT instance is configured per public address. The three NAT instances configured earlier work correctly, but the newly added NAT4 instance does not take effect.

Handling Process

Analysis of the user configuration shows that four NAT instances are configured. The first three work correctly; the fourth does not. The relevant configuration is as follows:

nat instance 1 id 1
service-instance-group a
nat server protocol tcp global 10.46.164.65 inside 10.46.160.35
nat server protocol tcp global 10.46.164.66 inside 10.46.160.36
#
nat instance 2 id 2
service-instance-group a
nat address-group 1 group-id 1 144.172.XX.XX 144.172.XX.XX
nat outbound 2002 address-group 1
#
nat instance nat3 id 3
service-instance-group a
nat address-group address-group1 group-id 1 10.46.164.129 10.46.164.129
nat outbound 2005 address-group address-group1
nat server global 10.46.164.129 inside 10.46.160.33
#
nat instance nat4 id 4
service-instance-group a
nat address-group address-group1 group-id 1 10.46.164.161 10.46.164.161
nat outbound 2006 address-group address-group1
nat server global 10.46.164.161 inside 10.46.160.33
#
acl number 2002
rule 0 permit source 10.46.160.33 0
#
acl number 2005
rule 1 permit source 10.46.160.33 0
#
acl number 2006                           
rule 1 permit source 10.46.160.33 0

acl number 3999
rule 5 permit ip source 10.46.160.33 0 destination 9.234.1.0 0.0.0.255
#
traffic classifier renhang operator or
 if-match acl 2001
 if-match acl 2003
 if-match acl 2004
#
traffic classifier yewu1 operator or
 if-match acl 3999
#
traffic classifier c1 operator or
 if-match acl 2005

traffic classifier bohai operator or
 if-match acl 2006
#
traffic behavior renhang
 nat bind instance 1
traffic behavior yewu1                    
 nat bind instance 2
traffic behavior b1
 nat bind instance nat3
traffic behavior bohai
 nat bind instance nat4


traffic policy renhang
 share-mode
 classifier yewu1 behavior yewu1 precedence 10
 classifier renhang behavior renhang precedence 100
 classifier c1 behavior b1 precedence 300
 classifier bohai behavior bohai precedence 310

Root Cause

1. The new NAT server mapping belongs to nat instance nat4 id 4, whose outbound traffic is selected by ACL 2006:

acl number 2006                           
rule 1 permit source 10.46.160.33 0


2. The same inside address, 10.46.160.33, is also permitted by ACL 2005, which belongs to nat instance nat3 id 3. In traffic policy renhang, NAT3 is bound through classifier c1 behavior b1 at precedence 300 and NAT4 through classifier bohai behavior bohai at precedence 310. A share-mode traffic policy evaluates its classifiers in ascending order of precedence value and stops at the first match, so a smaller value means a higher priority. ACL 2005 and ACL 2006 are both basic ACLs that match on the source address only, and both permit exactly 10.46.160.33, so every packet from that address matches classifier c1 first and is steered to nat instance nat3. Classifier bohai, and with it nat instance nat4, is completely shadowed and can never be hit.

traffic policy renhang
 share-mode
 classifier yewu1 behavior yewu1 precedence 10
 classifier renhang behavior renhang precedence 100
 classifier c1 behavior b1 precedence 300
 classifier bohai behavior bohai precedence 310

Solution

Change the nat instance nat4 id 4 configuration so that NAT4 takes priority over NAT3. To keep NAT3 working for all other traffic from 10.46.160.33, narrow the NAT4 match with an advanced ACL that also specifies the destination addresses served by NAT4. The more specific classifier is then given the smaller precedence value, and the broader NAT3 classifier catches everything else. Details are as follows:

1. Create an advanced ACL that matches traffic from 10.46.160.33 to the 15 branch addresses served by NAT4. The destination block is written with a wildcard mask; 0.0.0.15 covers 10.46.164.176 through 10.46.164.191. The rule keyword order is permit ip source ... destination ..., as in ACL 3999 above.

acl number 3006
 rule 1 permit ip source 10.46.160.33 0 destination 10.46.164.176 0.0.0.15

2. Adjust the NAT4 instance so that its outbound rule refers to ACL 3006 instead of ACL 2006.

nat instance nat4 id 4
service-instance-group a 
nat address-group address-group1 group-id 1 10.46.164.161 10.46.164.161
nat outbound 3006 address-group address-group1  
nat server global 10.46.164.161 inside 10.46.160.33

3. Adjust the traffic policy: point classifier bohai at ACL 3006 and move it to precedence 200, ahead of classifier c1 at 300, so that traffic from 10.46.160.33 to the ACL 3006 destinations is translated by NAT4 and all other traffic from that address continues to be translated by NAT3. After the change, confirm that the existing NAT3 services still work and that sessions through NAT4 are now established.
   
 traffic classifier bohai operator or
 if-match acl 3006
 traffic policy renhang
 share-mode
 classifier yewu1 behavior yewu1 precedence 10
 classifier renhang behavior renhang precedence 100
 classifier bohai behavior bohai precedence 200
 classifier c1 behavior b1 precedence 300 
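The shadowing described in the Root Cause section, and the effect of the three-step fix above, can be checked before the change is pushed to the device. The following Python script is an added example, not Huawei code or configuration from this case: it models the share-mode first-match semantics the case relies on (classifiers tried in ascending precedence value, a classifier with operator or matching when any of its ACL rules matches) over the ACLs printed on the page, and reports classifiers that can never be reached because an earlier classifier already covers every address they permit. The rules behind ACLs 2001, 2003 and 2004 are not shown in the case, so classifier renhang is left out, and the branch host address used in the usage section is constructed.

```python
"""Model the share-mode traffic policy from this case and find shadowed classifiers.

Added example for this page, not Huawei code. It implements the first-match
semantics the Root Cause section relies on: classifiers are tried in ascending
order of their precedence value (smaller value = higher priority), a classifier
with 'operator or' matches when any of its ACL rules matches, and the first
matching classifier decides the NAT instance. Only ACLs printed in the case are
modelled; ACLs 2001/2003/2004 (classifier renhang) are not shown and are omitted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = 0xFFFFFFFF  # wildcard meaning "any address"; a basic ACL has no destination field


def ip(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(IPv4Address(text))


def _covers(a: int, a_wild: int, b: int, b_wild: int) -> bool:
    """True if address/wildcard pair a matches every address that pair b matches.

    a is a superset of b when every don't-care bit of b is also don't-care in a,
    and the two agree on all bits that a fixes.
    """
    fixed = ~a_wild & ANY
    return (b_wild & fixed) == 0 and (a & fixed) == (b & fixed)


@dataclass(frozen=True)
class Rule:
    """One 'permit' rule. Wildcard bits set to 1 are don't-care, as in VRP ACLs."""
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = ANY  # basic ACL rules match any destination

    def matches(self, src: int, dst: int) -> bool:
        return (src & ~self.src_wild & ANY) == (self.src & ~self.src_wild & ANY) and (
            dst & ~self.dst_wild & ANY) == (self.dst & ~self.dst_wild & ANY)

    def covers(self, other: "Rule") -> bool:
        return _covers(self.src, self.src_wild, other.src, other.src_wild) and _covers(
            self.dst, self.dst_wild, other.dst, other.dst_wild)


# ACLs as printed in the case (3006 is the corrected advanced ACL from the Solution).
ACL_2005 = [Rule(ip("10.46.160.33"), 0)]                                   # basic: source only
ACL_2006 = [Rule(ip("10.46.160.33"), 0)]                                   # basic: same source
ACL_3999 = [Rule(ip("10.46.160.33"), 0, ip("9.234.1.0"), 0x000000FF)]      # advanced: dst 9.234.1.0/24
ACL_3006 = [Rule(ip("10.46.160.33"), 0, ip("10.46.164.176"), 0x0000000F)]  # advanced: dst 10.46.164.176/28

# traffic policy renhang as (precedence, classifier, bound NAT instance, ACL rules)
ORIGINAL_POLICY = [
    (10, "yewu1", "2", ACL_3999),
    (300, "c1", "nat3", ACL_2005),
    (310, "bohai", "nat4", ACL_2006),
]
FIXED_POLICY = [
    (10, "yewu1", "2", ACL_3999),
    (200, "bohai", "nat4", ACL_3006),  # more specific match moved ahead of c1
    (300, "c1", "nat3", ACL_2005),
]


def first_match(policy, src: int, dst: int):
    """Return (classifier, nat_instance) chosen for a packet, or None if nothing matches."""
    for _prec, classifier, instance, rules in sorted(policy, key=lambda e: e[0]):
        if any(rule.matches(src, dst) for rule in rules):  # 'operator or'
            return classifier, instance
    return None


def shadowed(policy):
    """Classifiers that can never be hit: every one of their rules is covered by a rule
    of an earlier (smaller precedence value) classifier. Sufficient, not complete:
    coverage by a union of several earlier rules is not detected."""
    ordered = sorted(policy, key=lambda e: e[0])
    result = []
    for i, (_prec, classifier, _instance, rules) in enumerate(ordered):
        earlier = [rule for entry in ordered[:i] for rule in entry[3]]
        if rules and all(any(e.covers(r) for e in earlier) for r in rules):
            result.append(classifier)
    return result


if __name__ == "__main__":
    server = ip("10.46.160.33")
    branch = ip("10.46.164.180")  # constructed sample: a host in the NAT4 destination block
    print("shadowed in original policy:", shadowed(ORIGINAL_POLICY))
    print("original steers server->branch to:", first_match(ORIGINAL_POLICY, server, branch))
    print("shadowed in fixed policy:", shadowed(FIXED_POLICY))
    print("fixed steers server->branch to:", first_match(FIXED_POLICY, server, branch))
```

Run it against the policy before and after the change: a non-empty result from shadowed() names a classifier, and therefore a NAT instance, that will never see traffic. With the original precedences it reports bohai (NAT4); with the corrected ordering it reports nothing, and first_match shows traffic from the server to the 10.46.164.176/28 block going to nat4 while traffic to any other destination still goes to nat3.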
