Troubleshooting NAT, Symptom 1: abnormal translation of IP addresses, Symptom 2: internal server functions abnormally – H3C Technologies H3C SecBlade FW Cards User Manual


Troubleshooting NAT

Symptom 1: abnormal translation of IP addresses

Solution: Enable debugging for NAT and locate the problem from the debugging output, using other display commands if necessary. Pay special attention to the source address after translation and make sure it is the address you intended to translate to; if it is not, the address pool may be misconfigured. Also make sure that a route exists between the destination network and the address pool segment. Be aware of the effect that the firewall policy or ACLs may have on NAT, and check the route configuration.

Symptom 2: internal server functions abnormally

Solution: Check whether the internal server host is properly configured and whether the SecPath is correctly configured with the internal server parameters, such as the internal server IP address. It is also possible that the firewall has denied external access to the internal network; use the display acl command to verify this.

Configuration guidelines

1. When configuring address pools, note the following:
   - Do not exceed the maximum number of addresses that an address pool can contain.
   - On certain types of devices, an address pool cannot include addresses in other address pools, IP addresses of interfaces with Easy IP enabled, or public addresses of internal servers.
   - Low-priority address pools cannot include addresses in non-low-priority address pools, external IP addresses used for one-to-one NAT, or public addresses of internal servers.

2. When configuring NAT on a firewall, note the following limitations:
   - The rules of an ACL applied on an interface must not conflict with one another. Two rules conflict if their source IP address, destination IP address, and VPN instance are all the same. For a basic ACL (numbered 2000 to 2999), two rules conflict if their source IP address and VPN instance are the same.
   - Easy IP cannot be configured on an interface that is configured as a DHCP client.
   - An address pool can be configured on only one VLAN interface.

3. If 6 (TCP) or 17 (UDP) is not selected as the protocol type when configuring an internal server, you can only configure the mapping between the internal IP address and the global IP address; the Internal Port and Global Port options are not available.

4. The address pool, dynamic NAT, static NAT, and internal server configurations can be modified through the Web pages. Note that a modification takes effect only after the system has removed the former configuration.
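As an added example (not code from the H3C manual or the SecBlade product), the following Python script applies the checks stated in guidelines 1 and 2 to a NAT configuration described as plain Python objects: it expands each address pool, reports overlaps between pools and with Easy IP interface addresses, internal server public addresses and one-to-one NAT external addresses, and flags ACL rules that conflict under the source/destination/VPN-instance rule (source/VPN-instance only for basic ACLs 2000 to 2999). The data classes, the sample configuration and the pool-size limit are constructed for the example; the manual says only that a maximum pool size exists, so the limit is a parameter you set for your device.

```python
"""Static sanity checks modeled on NAT configuration guidelines 1 and 2.

Added example, not H3C code. Data structures, sample configuration and the
pool-size limit are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AddressPool:
    number: int
    start: str                   # first address of the pool, dotted decimal
    end: str                     # last address of the pool, inclusive
    low_priority: bool = False

    def addresses(self) -> Set[IPv4Address]:
        """Expand the start..end range into the set of addresses it covers."""
        first, last = int(IPv4Address(self.start)), int(IPv4Address(self.end))
        if last < first:
            raise ValueError(f"pool {self.number}: end address precedes start address")
        return {IPv4Address(i) for i in range(first, last + 1)}


@dataclass(frozen=True)
class AclRule:
    acl: int                           # ACL number; 2000-2999 is a basic ACL
    source: str                        # source prefix, e.g. "10.110.10.0/24"
    vpn: Optional[str] = None          # VPN instance, None for the public network
    destination: Optional[str] = None  # destination prefix; ignored for basic ACLs


def is_basic_acl(number: int) -> bool:
    return 2000 <= number <= 2999


def acl_conflicts(rules: Iterable[AclRule]) -> List[Tuple[AclRule, AclRule]]:
    """Return (earlier, later) rule pairs that conflict under guideline 2."""
    first_seen: Dict[tuple, AclRule] = {}
    conflicts: List[Tuple[AclRule, AclRule]] = []
    for rule in rules:
        if is_basic_acl(rule.acl):      # basic ACL: only source and VPN instance count
            key = (rule.acl, rule.source, rule.vpn)
        else:                           # otherwise destination counts as well
            key = (rule.acl, rule.source, rule.destination, rule.vpn)
        if key in first_seen:
            conflicts.append((first_seen[key], rule))
        else:
            first_seen[key] = rule
    return conflicts


def _fmt(addrs: Set[IPv4Address]) -> str:
    return ", ".join(str(a) for a in sorted(addrs))


def pool_violations(pools: List[AddressPool], easy_ip_addrs: Iterable[str],
                    server_public_addrs: Iterable[str],
                    one_to_one_external_addrs: Iterable[str],
                    max_pool_size: int = 256) -> List[str]:
    """Describe every way the pools break guideline 1 (max_pool_size is assumed)."""
    easy_ip = {IPv4Address(a) for a in easy_ip_addrs}
    servers = {IPv4Address(a) for a in server_public_addrs}
    one_to_one = {IPv4Address(a) for a in one_to_one_external_addrs}
    expanded = {p.number: p.addresses() for p in pools}
    problems: List[str] = []
    for pool in pools:
        mine = expanded[pool.number]
        if len(mine) > max_pool_size:
            problems.append(f"pool {pool.number}: {len(mine)} addresses exceeds the limit of {max_pool_size}")
        for other in pools:  # each overlapping pair is reported once
            if other.number > pool.number and mine & expanded[other.number]:
                problems.append(f"pool {pool.number} overlaps pool {other.number} at "
                                f"{_fmt(mine & expanded[other.number])}")
        for label, reserved in (("Easy IP interface", easy_ip), ("internal server public", servers)):
            if mine & reserved:
                problems.append(f"pool {pool.number} includes {label} address(es) {_fmt(mine & reserved)}")
        if pool.low_priority and mine & one_to_one:
            problems.append(f"low-priority pool {pool.number} includes one-to-one NAT external "
                            f"address(es) {_fmt(mine & one_to_one)}")
    return problems


# Constructed sample configuration (RFC 5737 documentation addresses), built to trip each check.
POOLS = [
    AddressPool(1, "198.51.100.100", "198.51.100.105"),
    AddressPool(2, "198.51.100.104", "198.51.100.110", low_priority=True),
]
EASY_IP_IFACE_ADDRS = ["198.51.100.1"]
SERVER_PUBLIC_ADDRS = ["198.51.100.101"]
ONE_TO_ONE_EXTERNAL = ["198.51.100.110"]
RULES = [
    AclRule(2001, "10.110.10.0/24"),
    AclRule(2001, "10.110.11.0/24"),
    AclRule(2001, "10.110.10.0/24"),  # repeats the first rule: conflict
    AclRule(3001, "10.110.10.0/24", destination="0.0.0.0/0"),
    AclRule(3001, "10.110.10.0/24", destination="0.0.0.0/0", vpn="vpn1"),  # different VPN: no conflict
]


def check_sample() -> Tuple[List[str], List[Tuple[AclRule, AclRule]]]:
    return (pool_violations(POOLS, EASY_IP_IFACE_ADDRS, SERVER_PUBLIC_ADDRS, ONE_TO_ONE_EXTERNAL),
            acl_conflicts(RULES))


if __name__ == "__main__":
    pool_problems, rule_conflicts = check_sample()
    for line in pool_problems:
        print("pool:", line)
    for earlier, later in rule_conflicts:
        print(f"acl {earlier.acl}: {later} conflicts with {earlier}")
```

Run against the constructed configuration, the script reports the pool 1/pool 2 overlap, the internal server public address sitting inside pool 1, the one-to-one NAT external address inside the low-priority pool 2, and the duplicated basic ACL rule, while the two advanced ACL rules that differ only in VPN instance are correctly left alone. Feed it your own pools, reserved addresses and ACL rules before committing a configuration through the Web pages, since guideline 4 means the old configuration is torn down when the new one is applied.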
