Hello everyone,
Today I will share with you how to solve the problem of an intranet PC being unable to access an internal server through its public IP on the USG5500 (reprint).
In the network shown in the figure above, PC Station and Server belong to the same LAN. Their gateway is configured on GE0/0/1 of the firewall FW, and both are in the trust zone. To allow Internet users to access the Web Server, a NAT server mapping is deployed on the FW:
***************************************************************
[FW] nat server global 200.1.1.100 inside 192.168.1.100
***************************************************************
This command maps the public address 200.1.1.100 to the private address 192.168.1.100. Once it is configured, Internet users can reach the server through the public IP address 200.1.1.100. The PC on the intranet, however, has a problem: it can reach the Web service through the server's private address 192.168.1.100, but when it tries to reach the server through the public address 200.1.1.100 mapped by the USG5500, the connection fails. Let's analyze what happens when the PC accesses the server using the public address:
1) The PC uses the public network address 200.1.1.100 to attempt to access the server. First, a TCP three-way handshake is established. The source IP address of the packet is 192.168.1.1 and the destination address is 200.1.1.100. The data packet is sent to the gateway firewall.
2) The firewall has deployed the NAT server, so the destination address of the packet is translated to 192.168.1.100, and then the routing table is checked. It is found that the 192.168.1.0/24 network is directly connected to GE0/0/1.
3) The firewall sends the address-converted packet to the server.
4) After the server receives the packet, it must answer it. Since the source address of the packet it received is 192.168.1.1, the destination address of its reply is 192.168.1.1. Because 192.168.1.1 is a node on the directly connected network, the server sends the reply, with source address 192.168.1.100 and destination address 192.168.1.1, directly to PC Station without passing back through the firewall.
5) When the PC receives this packet, it finds that the packet's source address is 192.168.1.100, which it does not recognize: the PC is waiting for a reply from 200.1.1.100, so it discards the packet from 192.168.1.100. This is why the PC cannot access the server through the public IP address. The reply never passed back through the firewall, so its source address was never translated back to 200.1.1.100, and the TCP three-way handshake fails. To solve this problem, the return traffic must go back through the firewall, which then translates the source address to 200.1.1.100 and sends the packet to the PC.
We can create a NAT address pool on the firewall for the PC's traffic, and then deploy source address translation in the trust zone:
***************************************************************
[FW] nat address-group 1 192.168.2.1 192.168.2.1
[FW] nat-policy zone trust
[FW-nat-policy-zone-trust] policy 10
[FW-nat-policy-zone-trust-10] policy source 192.168.1.0 0.0.0.255
[FW-nat-policy-zone-trust-10] policy destination 192.168.1.100 0
[FW-nat-policy-zone-trust-10] action source-nat
[FW-nat-policy-zone-trust-10] address-group 1
***************************************************************
After completing the above configuration, let's analyze the process of packet interaction:
1) The PC accesses the server using the public network address 200.1.1.100. First, a TCP three-way handshake is established. The source IP address of the packet is 192.168.1.1 and the destination address is 200.1.1.100. The data packet is sent to the gateway firewall.
2) Because a NAT server mapping is deployed on the firewall, the destination address of the packet is first translated to 192.168.1.100. The source NAT policy is then matched: a packet with source address in 192.168.1.0/24 and destination address 192.168.1.100 undergoes source address translation, so its source address becomes 192.168.2.1.
3) The firewall sends the address-converted packet to the server:
4) After receiving the packet, the server sends its reply. The source address of the reply is 192.168.1.100 and the destination address is 192.168.2.1. Because 192.168.2.1 is not on the local network, this packet is sent to the server's gateway 192.168.1.254, which is the firewall.
5) After receiving the data packet, the firewall replaces the source address 192.168.1.100 of the data packet with 200.1.1.100 and the destination address 192.168.2.1 with 192.168.1.1.
6) The firewall forwards the packet to the PC.
7) After receiving the packet, the PC finds that it is the reply from 200.1.1.100 that it expects, so the TCP three-way handshake succeeds.
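To make the two packet walks above concrete, here is an added Python model that replays the SYN / SYN-ACK exchange through a toy firewall with the NAT server mapping, once without and once with the trust-zone source NAT policy. This is example code written for this page; it is not part of the original post and does not model any real Huawei software. The addresses are the ones from the post; the port numbers (50000 and 80), the session-table logic and the PC's 4-tuple check are assumptions of the model.

```python
"""Toy model of the NAT hairpin problem: PC 192.168.1.1 connects to the public
address 200.1.1.100 of a server that sits on its own LAN behind the firewall.
Constructed example; addresses taken from the post, ports and session logic assumed."""
from dataclasses import dataclass, replace

PC_IP = "192.168.1.1"
SERVER_IP = "192.168.1.100"
FW_LAN_IP = "192.168.1.254"          # GE0/0/1, the LAN gateway
NAT_SERVER_GLOBAL = "200.1.1.100"    # nat server global 200.1.1.100 inside 192.168.1.100
NAT_POOL_IP = "192.168.2.1"          # nat address-group 1 192.168.2.1 192.168.2.1
LAN_PREFIX = "192.168.1."            # 192.168.1.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def on_lan(ip: str) -> bool:
    """True if ip is in 192.168.1.0/24, i.e. reachable without going through the gateway."""
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """Minimal model of the USG NAT server plus the optional hairpin source NAT policy."""

    def __init__(self, hairpin_source_nat: bool) -> None:
        self.hairpin_source_nat = hairpin_source_nat
        # Session table: key is the 4-tuple of the reply as it will arrive *after* the
        # forward translation; value is (original src, original dst) for untranslating it.
        self.sessions: dict[tuple, tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        # Reply direction: an existing session means both translations are undone.
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.sessions:
            orig_src, orig_dst = self.sessions[key]
            return replace(pkt, src=orig_dst, dst=orig_src)
        # Forward direction: the NAT server rewrites the destination first ...
        if pkt.dst != NAT_SERVER_GLOBAL:
            return pkt
        new_dst, new_src = SERVER_IP, pkt.src
        # ... then the trust-zone nat-policy (source 192.168.1.0/24, destination
        # 192.168.1.100) rewrites the source so the server must route its reply via the FW.
        if self.hairpin_source_nat and on_lan(pkt.src) and new_dst == SERVER_IP:
            new_src = NAT_POOL_IP
        self.sessions[(new_dst, new_src, pkt.dport, pkt.sport)] = (pkt.src, pkt.dst)
        return replace(pkt, src=new_src, dst=new_dst)


def server_reply(syn: Packet) -> Packet:
    """The server answers a SYN with a SYN-ACK, swapping addresses and ports."""
    return Packet(src=SERVER_IP, dst=syn.src, sport=syn.dport, dport=syn.sport, flags="SYN-ACK")


def deliver_from_server(pkt: Packet, fw: Firewall, trace: list[str]) -> Packet:
    """Server-side routing: on-LAN destinations are sent directly, others via the gateway."""
    if on_lan(pkt.dst):
        trace.append(f"server -> {pkt.dst} directly (same LAN, firewall bypassed)")
        return pkt
    trace.append(f"server -> gateway {FW_LAN_IP} for {pkt.dst}")
    out = fw.forward(pkt)
    trace.append(f"firewall untranslates reply: {pkt.src}->{pkt.dst} becomes {out.src}->{out.dst}")
    return out


def attempt_handshake(hairpin_source_nat: bool, sport: int = 50000) -> tuple[bool, list[str]]:
    """Run SYN / SYN-ACK for the PC connecting to the public address; return (success, trace)."""
    trace: list[str] = []
    fw = Firewall(hairpin_source_nat)
    syn = Packet(src=PC_IP, dst=NAT_SERVER_GLOBAL, sport=sport, dport=80, flags="SYN")
    trace.append(f"PC SYN {syn.src}:{syn.sport} -> {syn.dst}:{syn.dport}")
    translated = fw.forward(syn)
    trace.append(f"firewall forwards SYN as {translated.src}:{translated.sport} -> "
                 f"{translated.dst}:{translated.dport}")
    reply = deliver_from_server(server_reply(translated), fw, trace)
    # The PC's TCP stack only accepts a SYN-ACK whose 4-tuple mirrors the SYN it sent.
    expected = (NAT_SERVER_GLOBAL, PC_IP, 80, sport)
    got = (reply.src, reply.dst, reply.sport, reply.dport)
    ok = got == expected and reply.flags == "SYN-ACK"
    trace.append("PC accepts SYN-ACK, handshake continues" if ok
                 else f"PC drops SYN-ACK from {reply.src} (expected {NAT_SERVER_GLOBAL})")
    return ok, trace


if __name__ == "__main__":
    for hairpin in (False, True):
        ok, trace = attempt_handshake(hairpin)
        print(f"--- source NAT policy {'on' if hairpin else 'off'}: {'OK' if ok else 'FAIL'}")
        print("\n".join(trace))
```

Running the block prints both traces: without the source NAT policy the server's reply goes straight to the PC with source 192.168.1.100 and is dropped; with it, the reply is routed to the gateway, untranslated back to 200.1.1.100 -> 192.168.1.1, and accepted.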
That is all I want to share with you! Thank you!
Authorized reprint by author zhushigeng(Vinsoney)