4 troubleshooting procedures, 4 troubleshooting procedures -8 – Panasonic 8000 User Manual

4 NAT troubleshooting

Nortel Secure Router 8000 Series

Troubleshooting - VAS

4.2.4 Troubleshooting procedures

The troubleshooting procedures are as follows:

Step 1 Check that all interfaces are Up.

Run the display this interface command in the interface view to check whether the physical
and link status of each interface is Up. If an interface is Down, make the physical and link
status of the interface go Up and ensure that the directly connected interfaces can be
successfully pinged.

Step 2 Check that there are routes from the internal network to the external network.

Run the display ip routing-table command on the router in the internal network to check
whether there are routes to the external network segment where the destination IP address
resides. If there are no such routes, configure routes on the router in the internal network to
the external network segment where the destination IP address resides.

Step 3 Check that the address pool is associated with an ACL.

Run the display this command on the NAT interfaces to check whether the address pool is
associated with an ACL. If the address pool is associated with an ACL, run the display acl all
command to check the configuration of the ACL.

NOTE

Ensure that there are rules in an ACL; otherwise, no address translation is performed.

Step 4 Check that ACL rules are correctly configured.

When you configure a NAT server based on multiple address pools, the ACL rules configured
on the same interface affect each other. Packets are matched in ascending order of the ACL
rule numbers, so you are recommended to give the longest-match rules the smallest numbers.

For the multiple rules defined in an ACL, packets are matched in the ascending order of the
rule IDs. Thus, rules listed after the first matched rule are not considered.

Step 5 Check that the addresses in the address pool and the IP addresses of interfaces that connect
to the public network are on the same network segment.

If they are not on the same network segment, you need to run the
ip route-static ip-address { mask | mask-length } null0 command on the NAT router to
configure a route to the network segment where addresses in the address pool reside and
specify the next hop to be Null0.

If the internal network hosts need to access the internal server through the IP address of the
public network, you need to check whether there are routes on the router of the public
network to the address pool. If there are no such routes, you need to run the
ip route-static ip-address 32 { nexthop-address | interface-type interface-number [ nexthop-address ] }
command on the router of the public network to configure a static route. This allows the
packets sent from hosts at the public network side destined for the addresses in the address
pool to be routed to the NAT devices.

After the configuration, if the fault persists, contact Nortel technical personnel.

--- End
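
The checks in Step 4 and Step 5 can be rehearsed offline before touching the router. The following Python sketch is an added example, not part of the Nortel manual: it evaluates ACL rules in ascending rule-ID order with first-match semantics, reports rules that can never be reached, and tests whether an address pool lies outside the public interface's segment. The rule set, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ACL (not from the manual): (rule_id, action, source network).
RULES = [
    (5, "permit", "10.1.0.0/16"),
    (10, "deny", "10.1.2.0/24"),  # shadowed: rule 5 already matches these sources
    (15, "permit", "10.2.0.0/16"),
]

def first_match(rules, src):
    """Return (rule_id, action) of the first rule matching src, in ascending ID order."""
    addr = ipaddress.ip_address(src)
    for rule_id, action, net in sorted(rules):
        if addr in ipaddress.ip_network(net):
            return rule_id, action  # rules after the first match are not considered
    return None  # nothing matched; an empty ACL always ends up here

def shadowed_rules(rules):
    """Return (shadowed_id, covering_id) pairs: a lower-numbered rule covers a later one."""
    ordered = sorted(rules)
    found = []
    for i, (rule_id, _, net) in enumerate(ordered):
        later = ipaddress.ip_network(net)
        for prev_id, _, prev_net in ordered[:i]:
            if later.subnet_of(ipaddress.ip_network(prev_net)):
                found.append((rule_id, prev_id))
                break
    return found

def pool_needs_null0_route(pool_start, pool_end, interface_cidr):
    """Step 5: True when the pool is not inside the public interface's segment."""
    segment = ipaddress.ip_interface(interface_cidr).network
    # A pool is a contiguous range, so checking both endpoints is sufficient.
    return not all(ipaddress.ip_address(a) in segment for a in (pool_start, pool_end))

if __name__ == "__main__":
    print("10.1.2.7 matches:", first_match(RULES, "10.1.2.7"))
    print("shadowed rules:", shadowed_rules(RULES))
    # Constructed documentation addresses for the pool and the public interface.
    print("Null0 route needed:",
          pool_needs_null0_route("198.51.100.10", "198.51.100.20", "203.0.113.1/24"))
```

A non-empty result from shadowed_rules means the more specific rule should be renumbered below the rule that covers it.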

The following sections describe the detailed troubleshooting steps.

4-8

Nortel Networks Inc.

Issue 01.01 (30 March 2009)
