Configuring NAT Server on the Eudemon 1000E-U/X and a PC Failing to Access a Server

Publication Date:  2013-05-02
Issue Description
Networking architecture: PC------Eudemon 1000E-U/X-----server

Service description: Intranet users configure NAT Server through the Eudemon 1000E-U/X and extranet users access the server through the NAT Server.
Alarm Information
Port mapping is set on the firewall. In this case, only some Web pages are displayed when users access the server from extranet PCs.

    nat server protocol tcp global 18888 inside 18888 vrrp 5
    nat server protocol tcp global 18443 inside 18443 vrrp 5

If global mapping is configured on the firewall, users can properly access the server. See the following:

    nat server protocol tcp global any inside any vrrp 5
Handling Process
1. After port-based mapping and full mapping are configured, check the session table information. The result shows that the following bidirectional NAT session table entry is present when global mapping is configured.

    tcp  VPN: public -> public
    Zone: trust -> trust  TTL: 00:00:10  Left:  timeout
    Interface: G0/0/0  Nexthop:  MAC: 00-00-5e-00-01-17
    <-- packets:12 bytes:2297   --> packets:18 bytes:3680
    []-->[]

2. In addition to ports 18888 and 18443, the PC can access other ports. Capture packets on the PC. The result shows that the PC does not access other ports of the server.

3. If the PC does not access other ports of the server, the server automatically accesses other addresses. Capture packets. The result shows that the server accesses the global address of the server itself. In this case, configure intrazone NAT or NAT Server with full mapping.

2. In the case of full mapping, the server with the IP address of accesses the device with the IP address of In this case, flows in two directions hit one NAT Server to implement bidirectional NAT. Because the source port of the initiator is not 18888, only the forward NAT is hit. The source address for sending packets to the server is still, the PC does not send any response packet because the IP address request carried in the packet is instead of This is why packets are not successfully captured.
Root Cause
When users access the server through PCs, the server needs to access some services on the server itself through the global address of NAT Server. However, the ports of these services are not configured with NAT Server. To solve this problem, configure the intrazone NAT.
To solve this kind of issue, intrazone NAT needs to be configured.
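
The matching behaviour described in the handling process and root cause, as an added Python model that is not part of the original case and is not Huawei code. It assumes a port-specific NAT Server entry matches reverse traffic only when the source port equals the mapped port, and it uses constructed addresses (10.0.0.10 inside, 203.0.113.10 global) because the case does not show the real ones.

```python
# Simplified model of NAT Server matching (an assumption for illustration,
# not Eudemon code). All addresses are constructed sample values.
from dataclasses import dataclass
from typing import Optional

INSIDE = "10.0.0.10"     # constructed inside (real) server address
GLOBAL = "203.0.113.10"  # constructed NAT Server global address

@dataclass(frozen=True)
class NatServer:
    global_ip: str
    inside_ip: str
    port: Optional[int] = None  # None models "any" (full mapping)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def translate(pkt, rules):
    """Return (translated packet, forward_hit, reverse_hit)."""
    src, dst, fwd, rev = pkt.src, pkt.dst, False, False
    for r in rules:
        # Forward entry: destination global[:port] becomes inside[:port].
        if not fwd and pkt.dst == r.global_ip and r.port in (None, pkt.dport):
            dst, fwd = r.inside_ip, True
        # Reverse entry: source inside[:port] becomes global[:port].
        if not rev and pkt.src == r.inside_ip and r.port in (None, pkt.sport):
            src, rev = r.global_ip, True
    return Packet(src, pkt.sport, dst, pkt.dport), fwd, rev

def intrazone_reply_ok(pkt, rules, intrazone_nat=False):
    """True when the reply to a same-zone initiator returns via the firewall.

    Without source translation the receiver answers the inside address
    directly, so the reply carries the inside address, not the global one.
    """
    _, fwd, rev = translate(pkt, rules)
    return fwd and (rev or intrazone_nat)

PORT_RULES = [NatServer(GLOBAL, INSIDE, 18888), NatServer(GLOBAL, INSIDE, 18443)]
FULL_RULES = [NatServer(GLOBAL, INSIDE)]
# Server-originated flow to its own global address from an ephemeral port.
FLOW = Packet(INSIDE, 50000, GLOBAL, 18888)

if __name__ == "__main__":
    for name, rules in (("port mapping", PORT_RULES), ("full mapping", FULL_RULES)):
        print(name, translate(FLOW, rules), intrazone_reply_ok(FLOW, rules))
```

With the port-specific entries only the destination is rewritten, so the source stays the inside address; with full mapping both directions hit the same entry, and with `intrazone_nat=True` the port-specific entries work as well.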