Got it
Huawei Enterprise Support Community
Community Forums Security
The intranet PC cannot ac...

The intranet PC cannot access the server normally.

Latest reply: Dec 2, 2018 13:17:23 1295 10 9 0 1
View the author 1#

Network Topology

http://support.huawei.com/hedex/pages/EDOC1000160161AZG0822G/03/EDOC1000160161AZG0822G/03/resources/zh-cn_image_0057334083.png

Issue Phenomenon

If the mapping to the port is configured on the firewall, only some web pages can be displayed when accessing the external network PC.

Nat server protocol tcp global 9.8.187.128 18888 inside 10.172.10.99 18888 vrrp 5

nat server protocol tcp global 9.8.187.128 18443 inside 10.172.10.99 18443 vrrp 5

And when configure full mapping on the firewall, you can access normally, as follows:

 

nat server protocol tcp global 9.8.187.128 any inside 10.172.10.99 any vrrp 5

 

Issue analysis

When the PC accesses the server, the server needs to access some of its own services through the global address of the nat server. The ports of these services do not do the nat server. You need to configure intra-domain NAT to resolve this issue.


1. After configuring port-based mapping and full mapping, view the session table information. It is found that the following bidirectional NAT session table appears when configuring full mapping.

   Tcp VPN: public -> public

   Zone: trust -> trust TTL: 00:00:10 Left: timeout

   Interface: G0/0/0 Nexthop: 10.172.11.249 MAC: 00-00-5e-00-01-17

   <-- packets:12 bytes:2297 --> packets:18 bytes:3680

   10.172.10.99:46915[9.8.187.128:46915]-->9.8.187.128:18888[10.172.10.99:18888]

 

2. In addition to accessing the 18888 and 18443 ports, the PC may also access other ports, but the PC captures the PC and does not access other ports of the server.


3. If the PC does not access other ports on the server, then the server must automatically access other addresses. Through packet capture analysis, this is the case, the server will access its own global address, so you need to configure intra-domain NAT or full mapping. Nat server.


4. Successful packet capture, the server 10.172.10.99 will initiate an access to 9.8.187.128, in this case both directions will hit the same nat server, do two-way NAT. Unsuccessful packet capture, because the source port of the initiator is not 18888, it can only hit the forward NAT, so the source address sent to the server at this time is still 10.172.10.99, after the pc receives the message because The request is 9.8.187.128 instead of 10.172.10.99, so there is no response to any message.

 

Like (9) Dislike (0) Favorite(1) Share Report
Previous: IPS Deployment Design
Next: Security Configuraiton- Firewall USG 6500
(0) (0)
2#
Torrent
Created Nov 6, 2018 02:51:53

Hi, author. thanks for sharing such a good example how to troubleshooting if intranet user cannot go to Internet

could you please explain more about firewall session, how to use this?

thanks very much.The intranet PC cannot access the server normally.-2795579-1
View more
  • x
  • convention:
(0) (0)
3#
yjhd
Created Nov 6, 2018 07:18:39

Successful packet capture, the server 10.172.10.99 will initiate an access to 9.8.187.128, in this case both directions will hit the same nat server, do two-way NAT. Unsuccessful packet capture, because the source port of the initiator is not 18888, it can only hit the forward NAT, so the source address sent to the server at this time is still 10.172.10.99, after the pc receives the message because The request is 9.8.187.128 instead of 10.172.10.99, so there is no response to any message.
View more
  • x
  • convention:
(0) (0)
4#
Mark.hu
Created Nov 6, 2018 07:22:52

Regarding this issue, I think it is something we often encounter. Before I encountered such a problem, the usual method was to release the security policy, but the risk is very high, so I will refer to your method in the future. Conduct troubleshooting, thank you for sharing
View more
  • x
  • convention:
(0) (0)
5#
lizhi94
Created Nov 6, 2018 07:25:34

When the PC accesses the server, the server needs to access some of its own services through the global address of the nat server. The ports of these services do not do the nat server. You need to configure intra-domain NAT to resolve this issue.
this intra-domain NAT is useful to solve this problem,thanks for your offering
View more
  • x
  • convention:
(0) (0)
6#
GongXiaochuan
Created Nov 6, 2018 07:34:56

NAT, also called network masquerading or IP masquerading, is a technology used to rewrite the source or destination IP address in an IP packet when it is in transit across a router or firewall. NAT is commonly used in the scenarios where multiple hosts use the same public IP address to access private networks

This post was last edited by GongXiaochuan at 2018-11-06 07:40.
View more
  • x
  • convention:
(0) (0)
7#
limgsc
Created Nov 6, 2018 09:42:34

your document is work for me , i get the point , fix my issue by your doc thanks you very much ,
also hope you public more doc that levle like this .
would you please also mention where from the technical detail , i can found it from orignial part .
from orignial part i can found more correct parameter , this is more important .
View more
  • x
  • convention:
(0) (0)
8#
No.9527
Created Nov 8, 2018 08:21:07

when NAT is required for all addresses of the network segment (For example: 192.168.1.0/24 except 192.168.1.2), you can configure a translation rule in which the source address is set to 192.168.1.2 and disable NAT for packets originating at 192.168.1.2. Then configure another translation rule for performing NAT for packets originating at the network segment 192.168.1.0/24.

By default, no action is configured in a NAT policy rule.
View more
  • x
  • convention:
(0) (0)
9#
lizhi94
Created Nov 13, 2018 09:43:27

PC cannot access the server normally,If the PC does not access other ports on the server, then the server must automatically access other addresses. Through packet capture analysis, this is the case, the server will access its own global address, so you need to configure intra-domain NAT or full mapping. Nat server.
View more
  • x
  • convention:
(0) (0)
10#
littlestone
Created Nov 26, 2018 13:03:15

The DNS standard currently defined in RFC2136 describes a series of rules that allow DNS to dynamically update records. DNS systems based on these rules can be called DDNS. Windows 2000 includes DNS systems that support DDNS standards. DDNS is an innovation of long-term name resolution standards, which will have a far-reaching impact on network planning and management.
View more
  • x
  • convention:
12
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.