Some web sites cannot be accessed after NAT for MA5200F

Created: Mar 25, 2016 03:39:53  Latest reply: Mar 25, 2016 12:16:01

After NAT for MA5200F, some web sites cannot be accessed, with the configurations as follows:
 nat acl 0 permit 10.10.100.0 0.0.3.255
 nat address-group 1 ×.×.×.255 ×.×.×.255
 nat outbound 0 address-group 1





Bluessss  Visitor   Created Mar 25, 2016 12:16:01

Handling Process

1. The route exists, and the address of the peer server can be pinged;
2. The server is suspected. Configure a PC on a layer 3 interface of the MA5200, and it can access the peer server. The server is proved normal;
3. Change the MTU of the PC to 1400, but it still cannot access the peer server, so the problem is independent of the MTU;
4. Capture packets at the user side. It is found that the peer does not respond to the TCP negotiation packet sent by the user. The PC may be problematic. But after replacing the PC, the problem persists, so it is independent of the PC.
5. Check the configurations. We find that ×.×.×.255 serves as the NAT address. So we conclude that the address ×.×.×.255 is responsible for the failure to access some web sites. The problem is solved as soon as the NAT address is replaced with a non-broadcast address.



Root Cause

 The possibilities include:



1. There is no route;
2. The peer server is problematic;
3. The MTU of the user's PC is problematic;
4. The NAT translation address is problematic, including address conflict, illegal address, etc.

For this case, although the IP address ×.×.×.255 used for NAT translation could be used as an ordinary IP address (CIDR) once a mask is applied, it would be rejected by some servers, resulting in failure to access them.




 



Suggestions
After NAT to a broadcast address, some servers respond to the broadcast address normally and reply to the packet from a user, but some servers regard it as illegal and discard it directly, resulting in failure to open the web page.
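
Added example (not part of the original post and not Huawei tooling): a small Python check that reads `nat address-group` lines in the syntax shown above and flags pool addresses that look like a broadcast address under a classful or /24 mask. The function names, the assumed mask list and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# Syntax as shown in the post: nat address-group <id> <start> <end>
GROUP_RE = re.compile(r"^\s*nat address-group\s+(\d+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample config; pool addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
 nat acl 0 permit 10.10.100.0 0.0.3.255
 nat address-group 1 192.0.2.255 192.0.2.255
 nat address-group 2 198.51.100.10 198.51.100.20
 nat address-group 3 198.51.100.250 198.51.100.255
 nat outbound 0 address-group 1
"""

def broadcast_like(addr, assumed_prefixes=(8, 16, 24)):
    """Return the network whose broadcast address equals addr, or None.

    Assumption: a remote host may judge the source address against a
    classful or /24 mask, since it cannot know the real mask in use.
    """
    for prefix in assumed_prefixes:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if addr == net.broadcast_address:
            return str(net)
    return None

def lint_nat_pools(config_text, max_pool=4096):
    """Return (group_id, address, reason) for every risky pool address."""
    findings = []
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if not m:
            continue
        group = int(m.group(1))
        try:
            start, end = (int(ipaddress.IPv4Address(a)) for a in m.group(2, 3))
        except ipaddress.AddressValueError:
            findings.append((group, None, "unparseable address"))
            continue
        if end < start or end - start >= max_pool:
            findings.append((group, None, "invalid or oversized range"))
            continue
        for n in range(start, end + 1):
            net = broadcast_like(ipaddress.IPv4Address(n))
            if net:
                findings.append((group, str(ipaddress.IPv4Address(n)),
                                 f"broadcast address of {net}"))
    return findings

if __name__ == "__main__":
    for finding in lint_nat_pools(SAMPLE_CONFIG):
        print(finding)
```

Running the check against a saved configuration before a pool goes live catches the single-address pool from this case as well as ranges that happen to end on a .255 address.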


