USG5500 with multiple external network exits causes port mapping to fail

Publication Date:  2012-11-24 Views:  432 Downloads:  0
Issue Description
 external network—USG5500—internal network
The customer configured the following port mappings:
nat server 0 global inside
nat server 1 protocol tcp global www inside www
nat server 2 zone untrust global inside
nat server 3 zone trust global inside

ospf 1
default-route-advertise always
All hosts on the internal network can access the server, but no host on the external network can. The internal network runs OSPF, and the firewall also advertises the default route into it. The firewall can ping the server address. When a client accesses the server from the external network, the firewall does create a session; checking both directions of the session shows inbound packets but no outbound packets.

[USG5500-hidecmd]dis firewall session table verbose_hide both-direction source global
20:35:20  2011/09/19
Current Total Sessions : 1
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop:  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop:  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
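As an added diagnostic example (not part of the original case), the following Python parses session-table text in the layout shown above and flags sessions that carry forward packets but no return packets, the asymmetric-return-path symptom this case describes. The field layout and the sample table are assumed from the output on this page, not taken from product documentation.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the session table printed in the case above.
# The field layout is assumed from that sample, not taken from product documentation.
SAMPLE_TABLE = """Current Total Sessions : 2
  http  VPN:public --> public
  Zone: untrust--> trust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/1  NextHop:  MAC: 00-e0-fc-3b-98-5b
  <--packets:0 bytes:0   -->packets:2 bytes:96

  http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:05  Left: 00:00:05
  Interface: GigabitEthernet0/0/0  NextHop:  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
"""
ZONE_RE = re.compile(r"Zone:\s*(\S+?)\s*-->\s*(\S+)")
COUNT_RE = re.compile(r"<--packets:(\d+) bytes:\d+\s+-->packets:(\d+) bytes:\d+")


@dataclass
class Session:
    proto: str
    src_zone: str
    dst_zone: str
    fwd_packets: int  # --> direction: client towards the mapped server
    rev_packets: int  # <-- direction: server replies seen by the firewall

    def is_one_way(self) -> bool:
        # Requests arrived but no reply crossed the firewall: the reply is
        # leaving through another exit (the education network in this case).
        return self.fwd_packets > 0 and self.rev_packets == 0


def parse_sessions(table: str) -> list:
    sessions, proto, src, dst = [], "", "", ""
    for raw in table.splitlines():
        line = raw.strip()
        if "VPN:" in line:                 # e.g. "http  VPN:public --> public"
            proto = line.split()[0]
        elif line.startswith("Zone:"):
            src, dst = ZONE_RE.search(line).groups()
        else:
            m = COUNT_RE.search(line)      # the packet/byte counters line
            if m:
                rev, fwd = int(m.group(1)), int(m.group(2))
                sessions.append(Session(proto, src, dst, fwd, rev))
    return sessions


def one_way_sessions(table: str) -> list:
    # Sessions to inspect first when a mapping works internally but not externally.
    return [s for s in parse_sessions(table) if s.is_one_way()]
```

On the sample above only the untrust-to-trust session is flagged, which is the session the case goes on to explain.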
Alarm Information
Handling Process
The problem was located: requests enter through the firewall, but the replies leave through the education network exit, so the access fails. Without changing the network topology, this can be solved with NAT in the inbound direction. After inbound source NAT is applied, the external client address is translated to an address from the address pool when it accesses the server, which is equivalent to the client being on the same LAN as the server, so the server's reply packets are no longer sent out through the education network exit.
Configuration is as follows:
nat-policy interzone trust untrust inbound
policy 0
  action source-nat                      
  address-group 1
Verification:
[USG5500-hidecmd]dis firewall session table destination global destination-port 80
13:08:08  2011/09/23
Current Total Sessions : 16

The server can then be accessed normally.
Root Cause
1. At first this was thought to be an OSPF routing problem, but the device also advertises the default route into OSPF (default-route-advertise always).
2. The firewall can ping the server and internal hosts can access it, so the mapping itself is fine. We found that the "inside" addresses were all mapped to public network addresses; after consulting the customer, it turned out that the inside server uses an education network address, and the education network also has its own exit.
When a port mapping does not work and the configuration is correct, also ask the customer whether there are other external network exits.