Fault Symptom
Employees, including those on business trips, need to access the company's internal server through its public network address. After the NAT server is configured, engineers cannot access the intranet server through the public network address, so the cause must be located.
This article walks through how to troubleshoot a NAT server that cannot be accessed from the public network, so that the same method can be applied whenever a NAT server becomes unavailable.
Handling Approach
Find a PC on the public network and ping the public IP address of the firewall.
From the public network, telnet to the mapped public port.
Try to access the mapped port from the public network.
Check whether security policies are correctly configured on the firewall.
Try to access the intranet server directly from the firewall.
Check whether the NAT server configuration is normal.
Check whether the ASPF function is enabled.
Check whether the session table is normal on the firewall.
Configure traffic statistics on the firewall and check whether traffic has been received.
Check whether logs indicating NAT server failure exist on the firewall.
Handling Procedure
Find a PC on the public network and try to ping the public network address of the firewall. As in the previous article, the first check is whether the network between the terminal and the firewall is normal: before accessing an address, confirm that the path to that address works. If the communication fails, fix the network first, then proceed to the next step.
From the public network, telnet to the mapped public port. Once the network between the terminal and the firewall is normal, we can check whether the public port number works by telnetting to it from the public network. If the telnet succeeds, the port is open. If the port cannot be accessed, use another port and test again. If the port can be accessed normally, go to the next step.

Try to access the mapped port from the public network. This test is performed once the previous tests succeed. Open a web browser or another test tool and enter the public IP address plus the port, then check whether the intranet server can be accessed normally. If it cannot, go to the next step.
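The first three steps form a layered check: can the public port be reached, and if so, does the mapped service actually answer? The following Python script is an added example, not part of the article and not Huawei's code; it automates that triage and reports which layer fails. Nothing in it talks to a real firewall: start_demo_listener is a constructed local stand-in for the mapped public port, and find_closed_port is a constructed helper that yields a port with nothing listening, so the script runs offline.

```python
import socket
import threading


def tcp_port_open(host, port, timeout=2.0):
    """Step 2: can we complete a TCP handshake to the mapped public port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_head_status(host, port, timeout=2.0):
    """Step 3: does the mapped service answer an HTTP request?
    Returns the status code, or None if no valid HTTP response arrives."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(1024)
    except OSError:
        return None
    parts = data.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def triage_public_side(host, port):
    """Classify which step fails, which tells you where to look next:
    port unreachable -> path, port choice, security policy (steps 1, 2, 4);
    port open but silent -> NAT server config, server itself (steps 5, 6)."""
    if not tcp_port_open(host, port):
        return "port-unreachable"
    if http_head_status(host, port) is None:
        return "port-open-no-service"
    return "ok"


def start_demo_listener(respond=True):
    """Constructed stand-in for the firewall's mapped port (not a real device).
    Listens on 127.0.0.1 on an ephemeral port and returns that port. With
    respond=False it accepts the TCP connection but never answers, mimicking a
    mapping whose backend server does not reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(3.0)
                try:
                    conn.recv(1024)  # read the client's request
                    if respond:
                        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port():
    """Constructed helper: reserve an ephemeral port and release it, so a
    connection attempt to it is refused (the 'port cannot be accessed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Against a real deployment you would pass the firewall's public address
    # and mapped port instead of the local stand-ins used here.
    print(triage_public_side("127.0.0.1", start_demo_listener(True)))
    print(triage_public_side("127.0.0.1", start_demo_listener(False)))
    print(triage_public_side("127.0.0.1", find_closed_port()))
```

The distinction between "port-unreachable" and "port-open-no-service" is the useful one: the first means the packet never gets a SYN-ACK back through the firewall, the second means the firewall accepted the connection but nothing behind the mapping replied, which points inward to the server-side checks that follow.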
Check whether the security policy on the firewall is correct. After the preceding steps are complete, check the security policy configuration on the firewall itself. For example, check whether the security policy from the Untrust zone to the Trust zone permits the traffic and whether the port is permitted. Incorrect security policy configuration is a common fault on firewalls, so pay attention to it when configuring the firewall.
Try to access the intranet server directly from the firewall, and check the security policy. We need to check, from the firewall itself, whether the intranet server is reachable; the purpose of this test is to confirm that the network between the firewall and the server is normal. Test method: run the ping command to test connectivity, then use a PC on the intranet to telnet to the server's port to check whether the port is open. This confirms whether the internal server port is enabled and whether the network is normal.
Check whether the NAT server configuration is normal. Check the NAT server configuration to verify that the IP address and port number are correct. Also check whether a security zone is specified in the NAT server configuration. If a security zone is configured, remove it and try to access the NAT server again.
Check whether the ASPF function is enabled. ASPF is needed only for multi-channel protocols such as FTP and H.323. Check whether ASPF is configured for these protocols on the firewall. If it is not enabled, run the following commands to enable it and test again.
<HUAWEI> system
[HUAWEI]firewall detect ftp
[HUAWEI]firewall detect h323
[HUAWEI]firewall detect sip
Check whether the session table is normal on the firewall. After the basic configuration is complete, check the firewall's session table to confirm the security zones of the traffic, the route, and whether policy-based routing is configured. The session table provides a lot of useful information.
[HUAWEI] display firewall session table verbose destination inside 192.168.101.233
Current Total Sessions: 8
http VPN:public --> public ID: a48f3fd5143804f27574d65b8
Zone: untrust--> trust TTL: 00:00:05 Left: 00:00:03
Recv Interface: GigabitEthernet1/0/5
interface: GigabitEthernet1/0/6 NextHop: 192.168.101.1 MAC: 00-18-82-c6-68-2c
<--packets:0 bytes:0 -->packets:1 bytes:60
123.1.1.10:3456-->192.168.101.233:80 PolicyName: Huawei
Configure traffic statistics on the firewall and check whether the firewall has received the traffic. If the session query returns nothing, configure traffic statistics to check whether the traffic has reached the firewall at all. If the firewall does not receive the traffic, check whether the carrier is blocking it or whether the downstream device is not returning packets.
[HUAWEI] acl 3333
[HUAWEI-acl-adv-3333] rule permit ip source 123.1.x.x 0 destination 192.168.101.233 0
[HUAWEI-acl-adv-3333] quit
[HUAWEI] diag
[HUAWEI-diagnose] firewall statistic acl 3333 enable
[HUAWEI-diagnose] display firewall statistic acl
Current Show sessions count: 1
Protocol(TCP) SourceIp(123.1.1.10) DestinationIp(192.168.101.233)
SourcePort(1539) DestinationPort(1521) VpnIndex(public)
               RcvnFrag  RcvFrag  Forward  DisnFrag  DisFrag
Obverse(pkts):       20        0        0        20        0
Reverse(pkts):        0        0        0         0        0
Discard detail information:
INTERZONE_PACKET_FILTER_DROP: 20
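The session table and the ACL statistics above are read by eye in the article. As an added example that is not part of the article and not Huawei's code, the following Python script parses both outputs (the sample strings are copied from the outputs quoted above) and turns them into the next check the procedure prescribes: no session means the traffic is not reaching the firewall, forward packets with no reverse packets point at the path to the server, and a discard reason of INTERZONE_PACKET_FILTER_DROP points at the interzone security policy. The regular expressions assume the output layout exactly as shown on this page; other VRP versions may format these lines differently.

```python
import re

# Constructed sample input: the two command outputs quoted in the article,
# pasted as strings so the parser can be exercised offline.
SESSION_OUTPUT = """Current Total Sessions: 8
http VPN:public --> public ID: a48f3fd5143804f27574d65b8
Zone: untrust--> trust TTL: 00:00:05 Left: 00:00:03
Recv Interface: GigabitEthernet1/0/5
interface: GigabitEthernet1/0/6 NextHop: 192.168.101.1 MAC: 00-18-82-c6-68-2c
<--packets:0 bytes:0 -->packets:1 bytes:60
123.1.1.10:3456-->192.168.101.233:80 PolicyName: Huawei
"""

STATISTIC_OUTPUT = """Current Show sessions count: 1
Protocol(TCP) SourceIp(123.1.1.10) DestinationIp(192.168.101.233)
SourcePort(1539) DestinationPort(1521) VpnIndex(public)
RcvnFrag RcvFrag Forward DisnFrag DisFrag
Obverse(pkts): 20 0 0 20 0
Reverse(pkts): 0 0 0 0 0
Discard detail information:
INTERZONE_PACKET_FILTER_DROP: 20
"""

# Column names as printed by 'display firewall statistic acl' on this page.
STAT_COLUMNS = ["RcvnFrag", "RcvFrag", "Forward", "DisnFrag", "DisFrag"]


def parse_session_table(text):
    """Extract the fields the procedure says to look at from
    'display firewall session table verbose' output.
    Returns None when the firewall reports no matching session."""
    m = re.search(r"Current Total Sessions:\s*(\d+)", text)
    if m is None or int(m.group(1)) == 0:
        return None
    sess = {}
    m = re.search(r"Zone:\s*(\w+)\s*-->\s*(\w+)", text)
    sess["src_zone"], sess["dst_zone"] = m.group(1), m.group(2)
    m = re.search(r"<--packets:(\d+)\s+bytes:\d+\s+-->packets:(\d+)", text)
    sess["reverse_packets"], sess["forward_packets"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"([\d.]+):(\d+)-->([\d.]+):(\d+)\s+PolicyName:\s*(\S+)", text)
    sess["src"] = (m.group(1), int(m.group(2)))
    sess["dst"] = (m.group(3), int(m.group(4)))
    sess["policy"] = m.group(5)
    return sess


def parse_acl_statistic(text):
    """Parse 'display firewall statistic acl' output into per-direction
    packet counters plus the discard reasons listed under 'Discard detail'."""
    stats = {}
    for direction in ("Obverse", "Reverse"):
        pattern = direction + r"\(pkts\):\s*" + r"\s+".join([r"(\d+)"] * len(STAT_COLUMNS))
        m = re.search(pattern, text)
        stats[direction.lower()] = dict(zip(STAT_COLUMNS, map(int, m.groups())))
    stats["discards"] = {k: int(v) for k, v in re.findall(r"^([A-Z_]+):\s*(\d+)\s*$", text, re.M)}
    return stats


def diagnose(session, stats):
    """Map the parsed counters onto the next troubleshooting step."""
    findings = []
    if session is None:
        findings.append("no session: traffic is not reaching the firewall or not matching "
                        "the NAT server; enable traffic statistics")
    elif session["forward_packets"] > 0 and session["reverse_packets"] == 0:
        findings.append("forward packets but no reply: check the firewall-to-server path "
                        "and whether the server port is open")
    if stats is not None:
        inbound = stats["obverse"]
        if inbound["RcvnFrag"] > 0 and inbound["Forward"] == 0:
            findings.append("every inbound packet was discarded")
        if "INTERZONE_PACKET_FILTER_DROP" in stats["discards"]:
            findings.append("INTERZONE_PACKET_FILTER_DROP: the interzone security policy "
                            "denies this flow; fix the policy before changing the NAT server")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_session_table(SESSION_OUTPUT),
                         parse_acl_statistic(STATISTIC_OUTPUT)):
        print("-", line)
```

Run against the page's own outputs it reports the reply-less session and the interzone drop, which is exactly the "security policy from Untrust to Trust" problem the article flags as the most common cause; with a session table that shows zero sessions it instead tells you to turn to the traffic statistics.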
Check whether the firewall logs contain NAT server failure information. If the fault cannot be found after the preceding steps, check whether it is caused by the software version or a patch. In this case, collect the diag logs and the fault symptoms and contact the TAC for assistance.
