Comware

I am currently having a problem with NAT on my 7102dl.

Outbound connections seem to be working fine, but when I configure any inbound connection, the NAT fails.

The inbound NAT I was attempting to setup for testing was a simple 1:1 NAT. I binded a second IP address to the WAN interface and assigned that IP address to the 1:1 NAT policy, but when I attempt to browse to the secondary IP address, I get the web interface of the 7102.

Below is the information from my setup:

ETH 0/1: 192.168.1.1 /24
ETH 0/2: xxx.xxx.53.227 /28

Routing Table:
0.0.0.0 0.0.0.0 xxx.xxx.53.225


Security Zone Assignments:
ETH 0/1: Private
ETH 0/2: Public

Security Zone: Private
======================
Name: Traffic to Pro Curve SR
Policy Action: Allow
Traffic Policy: Permit, Any > Any
Name: Port 80
Policy Action: NAT
NAT Type: Source with Overloading
NAT IP Address: Interface: ETH 0/2
Traffic Policy: Permit, Any > Any:80
Name: Port 53
Policy Action: NAT
NAT Type: Source with Overloading
NAT IP Address: Interface: ETH 0/2
Traffic Policy 1: Permit, UDP, 192.168.1.xxx:Any > Any:53
Traffic Policy 2: Permit, UDP, 192.168.1.yyy:Any > Any:53
Name: Port 443
Policy Action: NAT
NAT Type: Source with Overloading
NAT IP Address: Interface: ETH 0/2
Traffic Policy: Permit, Any > Any:443

Security Zone: Public
=====================
Name: WebServices
Policy Action: NAT
NAT Type: Destination
NAT IP Address: 192.168.1.xxx
Traffic Policy: Permit, Any > xxx.xxx.53.239 /32


If anyone had an idea of what is going wrong, I would be very thankful.

Hi

The NAT policy looks fine, you have Simply mapped a secondary IP on the WAN interface to the LAN side.

However, can you attach the Show Run and include the firmware version.

Good Luck !!!

Thanks for the response...

Please find attached, the information you requested. The firmware version is: 08.03

Looks about right.. can you try changing that secondary address to match the subnet mask of the primary address since it is overlapping?

e.g.

ip address xxx.xxx.53.227 255.255.255.240
ip address xxx.xxx.53.229 255.255.255.240 secondary

Thanks for the continued attention. I changed the netmask on the secondary WAN IP address to 255.255.255.240 but I am still having no luck getting thru to the machine on any port.

If I attempt to browse to the external IP at http://xxx.xxx.53.229, I get a login prompt for the router itself. I have tried disabling the port 80 web management interface and using 443 instead, but the packet still doesn't make it thru.

I have double checked that there is a web server running at the LAN IP address and that there is no HTTP header required. I can browse to the Local address, http://192.168.1.202 without problem, so I am 99% sure the problem lies in the router.

For testing, I emabled SMTP services on the server and attempted to telnet into port 25 with no luck. I also enabled telnet on the server, but when I attempt to telnet into the server, I get the router's telnet terminal service.

Both SMTP and Telnet are working correctly on the server when using it's LAN IP.

On a separate note, tonight I removed my configuration from the router and started over from scratch. From the console, I enabled the interfaces, assigned them their proper IP addresses, etc., and enabled telnet and web management interfaces. With this minimal configuration, I ran the firewall wizard and specified a web server at the proper LAN IP address. The wizard completed successfully and show run displayed a good configuration, but an attempt to browse to the external IP still directed me to the web management interface of the router.

Attached is an updated show run with the new secondary WAN netmask.

As before, any help and/or ideas would be appreciated.

Correction: When browsing to the WAN IP from outside the network, I don't receive the web management page... The connection simply times out.

The HTTP and Telnet management interfaces are only available if browsing to the WAN IP from within the LAN network.

Well, after spending a good part of this glorious Thanksgiving at the office, I have determined that the problem is past the router.

The webserver I was trying to NAT to had an external IP address binded to a local NIC and the default gateway was assigned to this NIC instead of the LAN NIC.

Sorry for the trouble to those who helped... Your efforts were very much appreciated!

Jim Roper

See comment above.