Why can't I access the Internet after the AR is configured with NAT or a firewall?


The aging time of the session table is shorter than that of the service. The session table entry ages out while the service is still running, so the service packets sent after the entry ages out are discarded and the service is interrupted. Run the firewall-nat session aging-time command to increase the TCP/UDP timeout interval.
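To make the aging behaviour concrete, here is an added example (not from the page and not Huawei's software) that models a stateful NAT/firewall session table with a configurable aging time. It shows why an inbound packet that arrives after an idle gap longer than the aging time is dropped, and why raising the timeout, as the answer above recommends, lets the same packet through. The addresses, ports and timeline are constructed.

```python
# Added example, not from the page or from Huawei's software: a toy model of a
# stateful NAT/firewall session table showing why a service whose idle gaps are
# longer than the session aging time gets cut off, and why raising the TCP/UDP
# timeout (the page's "firewall-nat session aging-time") fixes it.
# All times, addresses and ports are constructed.

class SessionTable:
    """Session entries keyed by 5-tuple, each remembering when it was last
    refreshed. An entry idle for aging_time seconds or more is removed."""

    def __init__(self, aging_time):
        self.aging_time = aging_time
        self.last_seen = {}

    def _age_out(self, now):
        expired = [k for k, t in self.last_seen.items() if now - t >= self.aging_time]
        for k in expired:
            del self.last_seen[k]

    def outbound(self, key, now):
        # Intranet -> Internet: a packet creates the session (or refreshes it).
        self._age_out(now)
        self.last_seen[key] = now
        return "forwarded"

    def inbound(self, key, now):
        # Internet -> intranet: allowed only if a matching session exists; without
        # one the device has no translation or policy state for it and drops it.
        self._age_out(now)
        if key not in self.last_seen:
            return "dropped"
        self.last_seen[key] = now
        return "forwarded"


# Constructed voice-call timeline: (time in seconds, direction). Media flows
# briefly, then the far end is silent for two minutes (for example a hold)
# before sending again.
CALL = [
    (0, "out"),     # local phone sends its first RTP packet, session created
    (10, "in"),     # remote media arrives, session refreshed
    (130, "in"),    # remote media resumes after 120 s of silence
]
FLOW = ("192.168.1.20", 10000, "198.51.100.9", 20000, "UDP")  # constructed 5-tuple


def simulate(aging_time, events=CALL, key=FLOW):
    """Return the fate of each packet in the timeline for a given aging time."""
    table = SessionTable(aging_time)
    results = []
    for now, direction in events:
        if direction == "out":
            results.append(table.outbound(key, now))
        else:
            results.append(table.inbound(key, now))
    return results


if __name__ == "__main__":
    print("aging 60 s :", simulate(60))    # third packet dropped: call interrupted
    print("aging 300 s:", simulate(300))   # all forwarded once the timeout is raised
```

The model deliberately refreshes an entry on every matching packet in either direction, which is how a session table keeps a busy flow alive; the interruption happens only when the service itself stays quiet longer than the aging time, which is exactly the case the answer describes.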

Other related questions:
Configure VRRP on an AR router and connect the router to a firewall for external network access
The roadmap for configuring VRRP on an AR router and connecting the router to a firewall for external network access is as follows:
1. Configure VRRP on the AR routers to implement two-node backup, and configure a virtual IP address.
2. Add the Layer 2 interface of the firewall on the intranet side to the same VLAN, and configure a VLANIF address.
3. Add the physical interface and VLANIF interface of the firewall to a security zone, and configure an inter-zone policy.
4. Configure the next hop of the route from the firewall to the intranet as the VRRP virtual IP address, so that traffic can be switched over to a working link if the active link is interrupted.
For details about the configuration, see the URL: Example for Connecting the AR to the Firewall Through VRRP.

FTP server cannot be accessed after NAT is configured on an AR
Whether intranet users access an FTP server on the public network, or the private IP address of an intranet FTP server is mapped to a public IP address by a NAT server, the NAT ALG function for FTP must be enabled.
For example, enable the NAT ALG function for FTP as follows:
<Huawei> system-view  
[Huawei] nat alg ftp enable
Reason:
NAT and NAPT translate only the IP addresses in the IP packet header and the port numbers in the TCP/UDP header. Some protocols, such as FTP, also carry IP addresses or port numbers in the Data field of their packets, and NAT does not translate those. The usual way to make such protocols work through NAT is the application level gateway (ALG) function.
As a special translation agent for application protocols, the ALG interacts with the NAT-enabled device to establish states. It uses NAT state information to change the specific data in the Data field of IP datagram and complete other necessary work, so that application protocols can run across private and public networks.
For example, when an FTP server with a private IP address sets up a session with a host on the public network, the server may need to send its IP address to the host. NAT cannot translate this IP address because the IP address is carried in the Data field. The host on the external network then uses the private address carried in the IP packet and finds that the FTP server is unreachable.
After the NAT ALG function is enabled for an application protocol, packets of the application protocol can traverse the NAT device. Otherwise, the application protocol cannot work normally.
If the intranet FTP server is reachable and port mapping is configured (that is, the server uses a non-standard port), enabling NAT ALG for FTP alone is not enough: the FTP service works only after the mapping between that port and FTP is also configured on the device.
After NAT ALG is enabled for FTP, FTP packets can traverse the NAT device. However, because the server uses port 27 rather than the standard FTP port, the device does not recognize packets sent from port 27 as FTP packets and does not hand them to the ALG, so the FTP service is still affected.
To solve this problem, configure the mapping between port 27 and FTP (the ACL selects which traffic the mapping applies to):
[Huawei] acl 2005
[Huawei-acl-basic-2005] rule permit
[Huawei-acl-basic-2005] quit
[Huawei] port-mapping ftp port 27 acl 2005
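The two points made in this section, that NAT alone leaves the address inside the FTP payload untouched and that the ALG is only invoked for flows the device recognizes as FTP (standard port or a port-mapped one), can be shown with a small model. The following is an added example, not code from the page or from Huawei: a toy FTP ALG that rewrites the private endpoint carried in a client's PORT command or a server's "227 Entering Passive Mode" reply, records the pinhole the NAT device must open for the data connection, and a per-flow decision function that hands only recognized FTP control ports to the ALG. The public address, port pool and the set of recognized ports (21 plus the page's port 27) are constructed assumptions.

```python
import ipaddress
import re

# Added example, not from the page or from Huawei's software: a toy model of the
# NAT ALG behaviour for FTP. Addresses, ports and the port pool are constructed.

PUBLIC_NAT_IP = "203.0.113.5"   # constructed public address of the NAT device

# Ports the NAT device treats as FTP control channels: 21 is the default, and
# 27 mirrors the page's "port-mapping ftp port 27" configuration.
FTP_PORTS = {21, 27}

# RFC 1918 ranges: the only addresses the ALG needs to rewrite.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2), either in a
# client's PORT command or in a server's "227 Entering Passive Mode" reply.
HOSTPORT = r"(?P<hp>\d{1,3},\d{1,3},\d{1,3},\d{1,3},\d{1,3},\d{1,3})"
PASV_RE = re.compile(r"(?P<pre>^227 [^(]*\()" + HOSTPORT + r"(?P<post>\))")
PORT_RE = re.compile(r"(?P<pre>^PORT )" + HOSTPORT + r"(?P<post>\s*$)")


def decode_hostport(hp):
    n = [int(x) for x in hp.split(",")]
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]


def encode_hostport(ip, port):
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class FtpAlg:
    """Rewrites private endpoints inside outbound FTP control payloads and
    records the pinhole the NAT device must open for the data connection."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port      # constructed start of the NAPT port pool
        self.pinholes = {}               # public port -> (private ip, private port)

    def translate_outbound(self, payload):
        for rx in (PASV_RE, PORT_RE):
            m = rx.match(payload)
            if m:
                break
        else:
            return payload               # no embedded endpoint: nothing to rewrite
        ip, port = decode_hostport(m.group("hp"))
        if not is_rfc1918(ip):
            return payload               # already a public endpoint
        pub_port = self.next_port
        self.next_port += 1
        self.pinholes[pub_port] = (ip, port)
        rewritten = m.group("pre") + encode_hostport(self.public_ip, pub_port) + m.group("post")
        return rewritten + payload[m.end():]

    def inbound_data_target(self, public_port):
        """Private endpoint an inbound data connection to public_port is forwarded
        to, or None when no pinhole exists and the connection would be dropped."""
        return self.pinholes.get(public_port)


def nat_handle_outbound(alg, control_port, payload):
    """The NAT device's per-flow decision: only flows whose server port is a
    recognized FTP port are handed to the ALG. Any other flow gets header-only
    NAT and its Data field passes through unchanged, private address included."""
    if control_port in FTP_PORTS:
        return alg.translate_outbound(payload)
    return payload


if __name__ == "__main__":
    alg = FtpAlg(PUBLIC_NAT_IP)
    reply = "227 Entering Passive Mode (192,168,1,10,19,136)\r\n"
    print(nat_handle_outbound(alg, 21, reply).strip())     # rewritten to the public endpoint
    print(nat_handle_outbound(alg, 27, reply).strip())     # port-mapped port: also rewritten
    print(nat_handle_outbound(alg, 2121, reply).strip())   # unmapped port: private address leaks
    print(alg.pinholes)
```

The third case is the failure the section describes: the control channel still passes through NAT, but the remote host receives a private address it cannot reach, so the data connection never completes. Adding the server's port to the recognized set is the model's equivalent of the port-mapping command above.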

Why is a service (such as voice) interrupted after NAT or a firewall is configured?
The aging time of the session table is shorter than that of the service. The session table entry ages out while the service is still running, so the service packets sent after the entry ages out are discarded and the service is interrupted. Run the firewall-nat session aging-time command to increase the TCP/UDP timeout interval.
