
VRP Troubleshooting - VAS

Contents

2 NAT Troubleshooting
  2.1 NAT Overview
    2.1.1 NAT Procedures
    2.1.2 NAT Features
    2.1.3 VRP NAT
  2.2 Troubleshooting NAT
    2.2.1 Typical Networking
    2.2.2 Configuration Notes
    2.2.3 Troubleshooting Flowchart
    2.2.4 Troubleshooting Procedure
  2.3 Troubleshooting Internal NAT Server
    2.3.1 Typical Networking
    2.3.2 Configuration Notes
    2.3.3 Troubleshooting Flowchart
    2.3.4 Troubleshooting Procedure
  2.4 Troubleshooting Cases
    2.4.1 Internal Host Fails to Access the External FTP Server
    2.4.2 External Host Fails to Access the HTTP NAT Server
  2.5 FAQs
  2.6 Diagnostic Tools
    2.6.1 display Commands
    2.6.2 debugging Commands

Figures

Figure 2-1 Network address translation
Figure 2-2 Networking diagram of NAT
Figure 2-3 Flow chart of NAT troubleshooting
Figure 2-4 Networking diagram of internal server
Figure 2-5 Flowchart of NAT server troubleshooting
Figure 2-6 Troubleshooting cases for NAT outbound
Figure 2-7 NAT server troubleshooting

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Issue 01 (2008-08-20)


2 NAT Troubleshooting

About This Chapter

The following table shows the contents of this chapter.

Section: 2.1 NAT Overview
Description: This section describes what you need to know before troubleshooting NAT.

Section: 2.2 Troubleshooting NAT
Description: This section describes the notes on configuring NAT and provides the NAT troubleshooting flowchart and procedure for a typical NAT network.

Section: 2.3 Troubleshooting Internal NAT Server
Description: This section describes the notes on configuring an internal NAT server and provides the internal NAT server troubleshooting flowchart and procedure for a typical NAT network.

Section: 2.4 Troubleshooting Cases
Description: This section presents several troubleshooting cases.

Section: 2.5 FAQs
Description: This section lists frequently asked questions and their answers.

Section: 2.6 Diagnostic Tools
Description: This section describes the common diagnostic tools: display commands and debugging commands.


2.1 NAT Overview

Network Address Translation (NAT), also called address proxy, allows users in a private network to access the public network.

2.1.1 NAT Procedures

Private Network Address and Public Network Address

A private address is an address used inside an internal network, that is, an IP address of an internal host.

The Internet Address Distribution Organization reserves the following IP address ranges as private network addresses:

From 10.0.0.0 to 10.255.255.255

From 172.16.0.0 to 172.31.255.255

From 192.168.0.0 to 192.168.255.255

A public address is a globally unique IP address used on the Internet.

Addresses in the preceding ranges can be allocated on an intranet but not on the Internet, so different companies can use the same internal network addresses. If a company uses network segments outside these ranges as its internal addresses, internal users may fail to access the Internet or a public network host.

NAT

As shown in Figure 2-1, when an internal network host needs to access the Internet or a public network host, NAT is required.

Figure 2-1 Network address translation
(Figure: two PCs on the internal network, 10.1.1.10/24 and the WWW client 10.1.1.48/24, connect to the router interface GE1/0/0; the router's external interface Pos2/0/0, 203.196.3.23/24, connects through the Internet to the WWW server 202.18.245.251/24.)


The internal network is on the 10.0.0.0 network segment, and the public network IP address assigned to this internal network is 203.196.3.23.

The internal host 10.1.1.48 accesses the external server 202.18.245.251 through NAT as follows:

1. The internal host sends a packet with source IP address and port 10.1.1.48:6084 and destination IP address and port 202.18.245.251:80.

2. When the packet passes through the router, its source IP address and port are translated to 203.196.3.23:32814. The destination IP address and port are unchanged.

3. The router keeps an address-to-port mapping table. When it receives the response packets from the external server, it translates their destination IP address and port back to 10.1.1.48:6084.

NAT translates the IP address and port of the internal host to the external IP address and port of the router, and translates the external IP address and port of the router back to the IP address and port of the internal host. In general, NAT implements the translation between <private address + port> and <public address + port>.
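A constructed model of this translation, added here as an illustration and not VRP code: a small NAPT table keyed on the private endpoint and its destination (an assumption; the router's real table layout is not described), showing the forward rewrite with the addresses from the text, the reverse lookup for the reply, and that a packet with no matching entry is dropped.

```python
"""Constructed model of the NAT procedure described above (added example,
not VRP code): a NAPT table that rewrites <private address + port> to
<public address + port> on the way out and reverses it on the way back."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class NaptGateway:
    public_ip: str
    next_port: int = 32814          # first public port handed out (value used in the text)
    # forward table: (private src, dst) -> public port   (keying on dst is an assumption)
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # reverse table: (public port, external peer) -> private src
    inbound: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Internal -> external: replace the private source with the router's
        public address and a mapped port; the destination is unchanged."""
        key = (pkt.src, pkt.dst)
        port = self.outbound.get(key)
        if port is None:                       # new session: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst)] = pkt.src
        return Packet(src=(self.public_ip, port), dst=pkt.dst)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> internal: look up the mapped port; a packet for which no
        mapping exists (no session) is dropped, which is what the session
        check in the troubleshooting procedure reveals when it finds no entry."""
        if pkt.dst[0] != self.public_ip:
            return None
        private = self.inbound.get((pkt.dst[1], pkt.src))
        if private is None:
            return None
        return Packet(src=pkt.src, dst=private)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Replays the exchange from the text: 10.1.1.48:6084 -> 202.18.245.251:80."""
    gw = NaptGateway(public_ip="203.196.3.23")
    out = gw.translate_outbound(Packet(("10.1.1.48", 6084), ("202.18.245.251", 80)))
    reply = gw.translate_inbound(Packet(("202.18.245.251", 80), out.src))
    # unsolicited packet to the public address: no mapping, so it is dropped
    stray = gw.translate_inbound(Packet(("202.18.245.251", 80), ("203.196.3.23", 40000)))
    return out, reply, stray


if __name__ == "__main__":
    o, r, s = demo()
    print("outbound after NAT:", o)   # src ('203.196.3.23', 32814)
    print("reply after NAT:", r)      # dst ('10.1.1.48', 6084)
    print("unsolicited:", s)          # None
```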

2.1.2 NAT Features

NAT has the following features:

Transparent address distribution for users (the distribution of external addresses)

Transparent routing: routing here refers to the capability of forwarding IP packets, not to a technology for exchanging routing information.

The advantages of NAT are as follows:

Allowing internal hosts to access the external network

Protecting the internal hosts

The disadvantages of NAT are as follows:

The packet header containing the IP address cannot be encrypted because the IP address needs to be translated. Likewise, application-layer payloads that carry an address or port to be translated cannot be encrypted. For example, an encrypted FTP connection should not be used, because the FTP PORT command could then not be translated correctly.

Debugging the network is difficult because the IP address of the internal host is not visible to the external network. For instance, when an internal host attacks other networks, it is hard to identify the malicious host because internal IP addresses are hidden.

2.1.3 VRP NAT

Supporting NAT ALG

VRP NAT not only translates IP addresses but also provides an application level gateway (ALG) mechanism.

VRP NAT is easily extended and supports various application-layer protocols, such as DNS, FTP, TFTP, H.323, HWCC, ICMP, Internet Locator Service (ILS), MSN, Network Basic Input/Output System (NetBIOS), the Point-to-Point Tunneling Protocol (PPTP), and QQ.


Supporting MPLS VPN

VRP NAT also permits users in different Multi-Protocol Label Switching (MPLS) Virtual Private Networks (VPNs) to access external hosts through the same egress.

When an MPLS VPN user accesses the Internet:

1. NAT first translates the IP address and port of the internal host to the external IP address and port of the router.

2. When processing the response packet, NAT translates the external IP address and port back to the IP address and port of the internal host.

Throughout this process, NAT keeps a record of which MPLS VPN the user belongs to.

NAT Performance

When the link bandwidth is less than 10 Mbit/s, NAT has almost no negative impact on network performance. When the link bandwidth is more than 10 Mbit/s, NAT slightly affects router performance.

2.2 Troubleshooting NAT

This section covers the following topics:

Typical Networking

Configuration Notes

Troubleshooting Flowchart

Troubleshooting Procedure

2.2.1 Typical Networking

As shown in Figure 2-2, the PC in the internal network needs to access the external network through the NAT gateway.

Figure 2-2 Networking diagram of NAT
(Figure: the PC on the internal Ethernet connects to the NAT gateway interface Eth 2/0/1; the NAT gateway interface Eth 1/0/1 connects to the Internet.)


2.2.2 Configuration Notes

Item: Configuring the ACL
  Sub-item: Configuring the ACL rule
  Description: Configure the Access Control List (ACL) rules: the source and destination IP address ranges and the related port numbers, as required.

Item: Configuring the address pool
  Sub-item: Configuring the NAT address group
  Description: Configure the address pool for NAT, specifying the pool number and the available start and end IP addresses.

Item: Configuring the NAT outbound
  Sub-item: Specifying an interface
  Description: Specify the interface on which NAT is enabled.
  Sub-item: Configuring the outbound mode
  Description: Specify NAT in the outbound mode.

Item: Configuring the ACL and address pool association
  Sub-item: Configuring the ACL number
  Description: Specify the ACL number to be bound.
  Sub-item: Configuring the address group number
  Description: Specify the address pool number to be bound.
  Sub-item: Configuring the No PAT mode
  Description: Specify whether to use No PAT mode.

Item: Configuring the NAT ALG
  Sub-item: Configuring the NAT ALG
  Description: Enable the ALG to be used.

The following presents the notes required to configure NAT outbound.

The following covers only part of the commands for configuring NAT outbound and NAT ALG. For details, refer to the VRP Configuration Guide - Security and the VRP Configuration Guide - IP Services.

Configuring the ACL Rule

Configure ACL 3001 to permit the internal PC to access Telnet (port number 23).

[Router] acl number 3001
[Router-acl-adv-3001] rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet

Configuring an Address Pool

Configure address pool 2, with the start IP address 46.1.1.20 and the end IP address 46.1.1.30.

[Router] nat address-group 2 46.1.1.20 46.1.1.30


Associating ACL Rules with the Address Pools in the NAT Outbound

When a TCP packet from 192.168.1.0 passes through the NAT gateway, its source IP address is translated to an IP address in the address pool. The packet is then sent out from Ethernet 3/1/0.

[Router] interface Ethernet 1/2/0
[Router-Ethernet1/2/0] ip address 46.1.1.14 255.255.255.0
[Router-Ethernet1/2/0] nat outbound 3000 address-group 2

The host can obtain only the Telnet service because the ACL rule limits the destination port.

Packets that do not match the ACL rules are discarded and cannot reach the external network.

Configuring NAT ALG for Related Protocols

Use the display nat alg command to view the current ALG status of each protocol.

<Quidway> display nat alg
NAT application level gateway information:
  h323     NAT application level gateway is disabled
  dns      NAT application level gateway is enabled
  netbios  NAT application level gateway is enabled
  ils      NAT application level gateway is enabled
  ftp      NAT application level gateway is disabled
  icmp     NAT application level gateway is enabled
  pptp     NAT application level gateway is enabled
  hwcc     NAT application level gateway is enabled
  qq       NAT application level gateway is disabled
  msn      NAT application level gateway is disabled


2.2.3 Troubleshooting Flowchart

Figure 2-3 Flow chart of NAT troubleshooting
(Flowchart. Start: the internal user fails to access the external network. Decision points, in order: Correct sessions on NAT gateway? Can NAT gateway ping through the external IP address? Do ACL rules permit the internal packets to pass through? Does the internal router have a route to the NAT gateway? Are ALGs of related protocols enabled? Actions: ensure correct packet sending and receiving on the external interface by checking the route on the NAT gateway and the address pool on the external interface; configure an ACL rule to permit the internal packets to pass through. After each action: The fault disappears? Yes: End. No: continue with the next check, and finally seek technical support.)


2.2.4 Troubleshooting Procedure

Step 1

Check the reachability between the internal host and the external network.

1. Check the reachability between the internal host and the NAT gateway.

If the internal host cannot ping through the NAT gateway, check the IP address of the NAT inbound interface on the router, the physical link, and the routes between them.

If the IP addresses of the internal host and the NAT inbound interface are not in the same network segment and no route to the host is configured on the NAT gateway, configure a static route on the gateway so that internal packets can reach it.

If routes are incorrect, correct the routes first.

2. Check the reachability between the NAT gateway and the destination IP address.

The method is almost the same as that for checking the reachability between the internal host and the NAT gateway. Note that in this step you also need to check whether the NAT outbound interface is correctly configured with an IP address or an address pool. For example, check whether the IP address of the NAT outbound interface conflicts with other IP addresses in the network segment.

When configuring an address pool on the NAT outbound interface, note that the address pool must not contain the destination IP address. For example, if the destination IP address is 202.99.6.3, the address pool range should not be 202.99.6.1 to 202.99.6.10; otherwise normal packet forwarding is affected.

Use the display nat address-group command to view the configured address pool.

<Quidway> display nat address-group
NAT address-group information:
  2 : from 46.1.1.20 to 46.1.1.30, reference 8 times
Total 1 address-groups

Step 2

Check sessions on the NAT gateway.

On the internal PC, Telnet to a host in the external network, and then use the display firewall session table slot slot-id command to check whether a session has been set up on the NAT gateway. slot-id is the slot number of the interface board on which NAT runs. For example:

<Quidway> display firewall session table slot 3
TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23

Check the protocol, IP addresses, and port numbers carried in the session information.

The address in brackets is the IP address and port after NAT. This IP address should be one of the addresses in the address pool; in EasyIP mode, it is the IP address configured on the NAT interface.

Using the display firewall session table verbose slot command, you can view session details such as the time to live (TTL).

<Quidway> display firewall session table verbose slot 3
tcp, TELNET:0, 192.168.1.201:768-->46.1.1.64:23
     46.1.1.20:25290-->46.1.1.64:23
     State: 0x0, tag: 0x80000980, ttl: 00:00:20 left: 00:00:19

The EasyIP mode configuration is as follows:


[Quidway] interface Ethernet 3/1/0
[Quidway-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0
[Quidway-Ethernet3/1/0] nat outbound 3001

Step 3

Check the ACL rules bound to the NAT gateway.

Wrong ACL configurations, such as an incorrect IP address, protocol, or port number, often prevent internal packets from being sent out or external packets from reaching the internal network.

Use the display acl all command to view all current ACL rules.

<Quidway> display acl all
Total nonempty acl number is 1
Advanced ACL 3001, 1 rule
Acl's step is 5
 rule 5 permit ip source 192.168.1.0 0.0.0.255 (9 times matched)

From the number of times an ACL rule has been matched, check whether packets permitted by the rule pass through NAT; this tells you whether the ACL rules take effect.

ACL rules strictly specify the permitted address ranges, protocols, and ports. After NAT is configured, if the internal host cannot ping through the external host, check whether the ACL rule permits ICMP packets.
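To make the ACL check concrete, an added example (not VRP code) that parses the advanced ACL rule syntax shown on this page (wildcard masks, destination-port eq) and tests whether a packet would be permitted; it reproduces the case just described, where a Telnet-only rule lets Telnet through but blocks ICMP and FTP, while rule 5 permit ip source 192.168.1.0 0.0.0.255 permits all of them. The port-name table, the sample packets and the assumption that an unmatched packet is not permitted are constructed for the example.

```python
"""Added example (not VRP code): a small matcher for the advanced ACL rules
shown on this page, used to check whether a given packet would be permitted
by the ACL bound to nat outbound before looking further at NAT itself."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}   # port names used in the rules on this page


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.IPv4Address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """VRP rules use a wildcard mask (1 bits = don't care), e.g. 0.0.0.255; a bare
    0 means an exact host. Only contiguous wildcards are handled here (assumption)."""
    wc = int(ipaddress.IPv4Address(wildcard if "." in wildcard else "0.0.0.0"))
    netmask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


_RULE = re.compile(
    r"rule (\d+) (permit|deny) (\S+)"
    r"(?: source (\S+) (\S+))?"
    r"(?: destination (\S+) (\S+))?"
    r"(?: destination-port eq (\S+))?")


def parse_rule(text: str) -> Rule:
    m = _RULE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {text!r}")
    num, action, proto, sa, sw, da, dw, port = m.groups()
    dport = None if port is None else (int(port) if port.isdigit() else PORT_NAMES[port])
    return Rule(int(num), action, proto,
                wildcard_to_network(sa, sw) if sa else None,
                wildcard_to_network(da, dw) if da else None, dport)


def acl_permits(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule (by rule number) wins; a packet that matches no rule is
    not permitted, as the text says unmatched packets cannot reach the outside."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


# Constructed check using the two rule 5 variants shown on this page.
TELNET_ONLY = [parse_rule("rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet")]
ANY_IP = [parse_rule("rule 5 permit ip source 192.168.1.0 0.0.0.255")]
PING = Packet("icmp", "192.168.1.201", "46.1.1.64")
TELNET = Packet("tcp", "192.168.1.201", "46.1.1.64", 23)
FTP = Packet("tcp", "192.168.1.201", "46.1.1.64", 21)

if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("telnet", TELNET), ("ftp", FTP)):
        print(f"{name:6s} telnet-only ACL: {acl_permits(TELNET_ONLY, pkt)!s:5s} "
              f"permit-ip ACL: {acl_permits(ANY_IP, pkt)}")
```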

Step 4

Check whether ALGs are enabled for specified protocols.

If the internal host accesses specific services such as FTP or H.323 in the external network but the file transfer or the voice and video transmission fails, check whether the corresponding ALG is enabled.

Take FTP ALG as an example. To access FTP of the external network, you need to use the nat alg enable ftp command in the system view and then try to access the external network.

If the fault remains, contact Huawei technical personnel.

----End

2.3 Troubleshooting Internal NAT Server

This section covers the following topics:

Typical Networking

Configuration Notes

Troubleshooting Flowchart

Troubleshooting Procedure

2.3.1 Typical Networking

As shown in Figure 2-4, several servers in the internal network provide services to external hosts. They work as NAT internal servers.


Figure 2-4 Networking diagram of internal server
(Figure: on the enterprise internal Ethernet, the FTP server 10.110.10.1, WWW server 10.110.10.2, WWW server 2 10.110.10.3 and SMTP server 10.110.10.4, together with the internal PCs 10.110.10.100 and 10.110.12.100, connect to the router; the router connects over DDN to the external PC.)

2.3.2 Configuration Notes

The following presents notes on configuring the NAT server.

Item: Configuring the NAT server
  Sub-item: Configuring the protocol
  Description: TCP, UDP, and ICMP are commonly used.
  Sub-item: Configuring the global address and port
  Description: The global address and port of the NAT server that external hosts access.
  Sub-item: Configuring the inside address and port
  Description: The internal IP address and port of the host that actually provides the service.
  Sub-item: Configuring the VPN instance
  Description: Bind a VPN instance to the NAT server.

The following covers only part of the commands for configuring the NAT server. For details, refer to the VRP Configuration Guide - Security.

Configure the NAT server.

[Router] interface Ethernet 6/0/0
[Router-Ethernet6/0/0] nat server protocol tcp global 46.1.1.66 www inside 10.100.10.2 www

This maps the internal address 10.100.10.2 and port 80 of the Web server to the external address 46.1.1.66 and port 80 of the NAT server.

This NAT server is configured for TCP only, so it does not process ICMP packets. When an external host pings 46.1.1.66, it receives no response.


2.3.3 Troubleshooting Flowchart

Figure 2-5 Flowchart of NAT server troubleshooting
(Flowchart. Start: the external user fails to access the NAT server. Decision points, in order: Correct sessions on NAT server? Can the external host ping through the external interface address of the NAT server? Does the internal router have a route to the NAT gateway? Actions: check the route between the external interface on the NAT server and the external host; ensure the NAT server can work normally; check the NAT server. After each action: The fault disappears? Yes: End. No: continue with the next check.)

2.3.4 Troubleshooting Procedure

Step 1

Check whether NAT is successful.

See 2.2 Troubleshooting NAT.

Step 2

Ensure that the internal server works normally.

Try to access the internal server from other internal hosts to ensure that the internal server can provide services such as HTTP or FTP.

Step 3

Check the NAT server.


Check whether the NAT server is configured with the correct protocol, port number, and IP address. Use the display nat server command to check configurations of the NAT server.

<Quidway> display nat server
Server in private network information:
  Interface:Ethernet3/1/0
    GlobalAddr  GlobalPort  InsideAddr     InsidePort  Pro     VPN  Ref
    46.1.1.66   80(www)     192.168.1.201  80(www)     6(tcp)       (1)
Total 1 NAT servers

Pay attention to the mapped internal address and port. When a service such as FTP or TFTP transmits data packets, several ports (some of them randomly generated) are needed. Therefore, when configuring a NAT server for such services, do not restrict the ports, so that the internal server can work normally.

When VPN instances are configured on the internal and external network interfaces of the router, bind the NAT server to the corresponding VPN instance. In this way, the internal server can work normally.

[Quidway] interface Ethernet3/1/0
[Quidway-Ethernet3/1/0] ip binding vpn-instance huawei
[Quidway-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0
[Quidway-Ethernet3/1/0] nat server vpn-instance huawei protocol tcp global 46.1.1.66 any inside 192.168.1.201 any

For details of configuring a VPN instance, refer to the VRP Configuration Guide - VPN.

If the fault remains, contact Huawei technical personnel.

----End

2.4 Troubleshooting Cases

This section provides the following troubleshooting cases:

Internal Host Fails to Access the External FTP Server

External Host Fails to Access the HTTP NAT Server


2.4.1 Internal Host Fails to Access the External FTP Server

Fault Symptom

Figure 2-6 Troubleshooting cases for NAT outbound
(Figure: the PC 10.2.1.6/24 connects to the NAT gateway interface GE1/0/1, 10.2.1.1/24; the gateway interface GE2/0/1, 202.99.8.6, connects through the Internet to the FTP server 202.99.8.75.)

As shown in Figure 2-6, NAT outbound is configured on the router so that the internal PC can access the external network. The NAT outbound uses EasyIP mode with ACL 3000, which permits only PCs in 10.2.1.0/24 to access the external network.

The fault is that the PC cannot access the FTP server.

Fault Analysis

1. On the PC, ping the NAT inbound interface 10.2.1.1, and on the NAT gateway, ping the external FTP server. If the ping fails, the fault may lie in a wrong route on the PC.

2. After the route is corrected, the PC can ping through the NAT inbound interface but still cannot access the FTP server. Check the sessions on the NAT gateway: no session is set up.

3. Check all ACLs.

4. The PC keeps trying to access the FTP server. Check whether the control connection is correct and whether data can be transmitted.

5. Check again: the NAT session is now set up.

6. Check the FTP ALG: it is disabled.

Troubleshooting Procedure

Step 1

On the PC, configure a route so that packets to 202.99.8.0/24 are sent via 10.2.1.1.

Step 2

Use the display firewall session table slot 2 command to view the NAT session.

Step 3

Run the acl 3000 command in the system view, then the undo rule 5 command, and then the rule 5 permit ip source 10.2.1.0 0.0.0.255 command to configure the ACL rule.

Step 4

Use the display firewall session table slot 2 command again to view the NAT session.

Step 5

Use the display nat alg command to view FTP ALG status.

Step 6

Use the nat alg enable ftp command to enable FTP ALG.

----End


Summary

From the preceding example, you need to:

Know that the ACL plays an important role in whether packets pass through the NAT gateway.

Configure routes on the internal PC.

Enable FTP ALG on the NAT outbound; otherwise, the data transmission fails.

2.4.2 External Host Fails to Access the HTTP NAT Server

Fault Symptom

Figure 2-7 NAT server troubleshooting
(Figure: the HTTP server 10.2.1.6/24 connects to the NAT gateway interface GE1/0/1, 10.2.1.1/24; the gateway interface GE2/0/1, 202.99.8.6/24, connects through the Internet to the external PC 202.99.8.75/24.)

As shown in Figure 2-7, configure a NAT server on the router. Map the internal address 10.2.1.6 of HTTP server to the external address 202.99.8.6 and port 80.

The fault is that the external PC cannot access the HTTP server.

Fault Analysis

1. The internal server cannot ping through the NAT inbound interface 10.2.1.1, but the NAT gateway can ping through the external PC. The fault may lie in a wrong route on the internal server.

2. Check the session on the NAT gateway:

HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]

The fault may lie in the NAT server configuration. Checking it shows the following:

nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www

Modify it to:

nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www

After the NAT server configuration is modified, the external network can access the HTTP server.

Troubleshooting Procedure

Step 1

On the PC, configure a route so that packets to 202.99.8.0/24 are sent via 10.2.1.1.


Step 2

Use the display firewall session table slot 2 command to view the NAT session.

Step 3

Check the current configuration of the egress GE 2/0/1.

Step 4

Use the undo nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www command to remove the wrong configuration.

Step 5

Use the nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www command.

----End

Summary

From the preceding example, you need to:

Configure routes on the internal PC.

Focus on the NAT server. Check whether the mapped internal host address is wrong based on the NAT session.

Use NAT sessions to view NAT status and locate the fault.

2.5 FAQs

Q: Why Cannot the Internal Host Ping Through the External Host?

A: Check whether:

There is a correct route to the external on the internal host.

The ACL permits ICMP packets to pass through the NAT gateway.

Q: When an H.323 Video Conference Is Held Between the Internal and External Networks, the Dialing Succeeds but the Internal Side Cannot View the External Video. Why?

A: The possible cause is that the H.323 ALG is disabled. In addition to enabling the H.323 ALG, check all ACL rules to ensure that all H.323 packets can pass through NAT, since H.323 uses several TCP and UDP connections.

Q: Why Cannot the External Network Ping Through the Configured NAT Server?

A: Check whether the ICMP packets are allowed to pass the NAT server and whether correct routes exist on the internal host.

Q: Why Cannot the NAT Server Work After Internal and External Interfaces Are Bound To Specified VPN Instances?

A: If VPN instances are enabled, the NAT server must also be bound to a VPN instance.


2.6 Diagnostic Tools

2.6.1 display Commands

Command: display nat alg
Description: Displays the NAT ALG status.

Command: display nat outbound
Description: Displays the NAT outbound configuration.

Command: display firewall session table slot slot-id
Description: Displays the sessions on a specified interface board.

Command: display firewall session table verbose slot slot-id
Description: Displays detailed sessions on a specified interface board.

Command: display ip routing-table
Description: Displays the routing table.

Command: display nat address-group
Description: Displays the NAT address pool.

Command: display acl all
Description: Displays all ACL rules.

Command: display nat server
Description: Displays the NAT server configuration.

display nat alg

<Quidway> display nat alg
NAT application level gateway information:
  h323     NAT application level gateway is disabled
  dns      NAT application level gateway is enabled
  netbios  NAT application level gateway is enabled
  ils      NAT application level gateway is enabled
  ftp      NAT application level gateway is disabled
  icmp     NAT application level gateway is enabled
  pptp     NAT application level gateway is enabled
  hwcc     NAT application level gateway is enabled
  qq       NAT application level gateway is disabled
  msn      NAT application level gateway is disabled

display nat outbound

<Quidway> display nat outbound
NAT outbound information:
  Ethernet3/1/0: acl(3001) --- NAT address-group( 2)
Total 1 nat outbounds

display firewall session table slot

<Quidway> display firewall session table slot 3
icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768

display firewall session table verbose slot

<Quidway> display firewall session table verbose slot 3
icmp, vpn:0, 192.168.1.201:768-->46.1.1.64:768
      46.1.1.14:25290-->46.1.1.64:25290
      tag: 0x80000980, State: 0x0, ttl: 00:00:20 left: 00:00:19

display ip routing-table

<Quidway> display ip routing-table
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   NextHop        Interface
8.1.1.1/32          Direct  0    0      8.1.1.1        Serial3/0/0:0
8.1.1.10/32         Direct  0    0      127.0.0.1      InLoopBack0
127.0.0.0/8         Direct  0    0      127.0.0.1      InLoopBack0
127.0.0.1/32        Direct  0    0      127.0.0.1      InLoopBack0
172.1.1.0/24        Direct  0    0      172.1.1.14     Ethernet3/1/0
172.1.1.14/32       Direct  0    0      127.0.0.1      InLoopBack0
192.168.1.0/24      Direct  0    0      192.168.1.14   Ethernet4/1/0
192.168.1.14/32     Direct  0    0      127.0.0.1      InLoopBack0

display nat address-group

<Quidway> display nat address-group
NAT address-group information:
  0 : from 15.1.1.1 to 15.1.1.10, reference 0 times
  1 : from 133.1.1.1 to 133.1.1.20, reference 0 times
Total 2 address-groups

display acl all

<Quidway> display acl all
Total nonempty acl number is 2
Advanced ACL 3000, 3 rules
Acl's step is 5
 rule 5 permit ip source 15.1.1.2 0 destination 15.1.1.1 0 (8 times matched)
 rule 6 permit ip source 15.1.1.1 0 destination 15.1.1.2 0 (32 times matched)
 rule 10 deny ip (25458 times matched)
Advanced ACL 3001, 1 rule
Acl's step is 5
 rule 5 permit ip source 192.168.1.0 0.0.0.255 (9 times matched)

display nat server

<Quidway> display nat server
Server in private network information:
  Interface:Ethernet3/1/0
    GlobalAddr  GlobalPort  InsideAddr     InsidePort  Pro     VPN  Ref
    46.1.1.66   80(www)     192.168.1.201  80(www)     6(tcp)       (1)
Total 1 NAT servers

<Quidway> display nat alg ftp
NAT application level gateway is disabled

Take FTP ALG as an example. The status can be enabled or disabled. You must set the status of the ALG to enabled.

<Quidway> display nat outbound
NAT outbound information:
  Ethernet3/1/0: acl(3001) --- NAT address-group( 2)
Total 1 nat outbounds

The NAT outbound display contains the outbound interface, the bound ACL number, and the address pool number.

<Quidway> display firewall session table slot 3
icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768

The session display contains:

Protocol type

VPN index

Source IP address and port

Destination IP address and port

The address in brackets is the address and port after NAT. The arrow points to the destination of the session. In the preceding example, the session is from the internal network to the external network.
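An added example (not VRP code) that serves both Step 2 of 2.2.4 and case 2.4.2: it parses session lines in the format shown here, reads the address pool from display nat address-group output, and checks that the bracketed address after NAT lies in the pool (or equals the EasyIP interface address, which you pass in), or, for a NAT server session where the bracket follows the destination, equals the expected inside address. The inputs are the displays quoted on this page; the 2.4.2 session line reproduces the wrong 10.2.0.6 mapping, and the direction rule (bracket after source means outbound) is an assumption drawn from those samples.

```python
"""Added example (not VRP code): parse the session lines printed by
display firewall session table and check the translated address in brackets
against the NAT address pool (outbound) or the expected internal server
address (NAT server), i.e. the checks made in 2.2.4 Step 2 and case 2.4.2."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_SESSION = re.compile(
    r"^(?P<proto>\w+):\s*vpn:(?P<vpn>\d+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nsrc>[\d.]+):(?P<nsport>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\[(?P<ndst>[\d.]+):(?P<ndport>\d+)\])?$")
_POOL = re.compile(r"^\s*(\d+)\s*:\s*from\s+([\d.]+)\s+to\s+([\d.]+),")


@dataclass(frozen=True)
class Session:
    proto: str
    vpn: int
    src: Tuple[str, int]
    dst: Tuple[str, int]
    translated: Tuple[str, int]
    direction: str   # "outbound": bracket follows the source; "inbound": it follows the destination


def parse_session(line: str) -> Session:
    m = _SESSION.match(line.strip())
    if not m:
        raise ValueError(f"not a session line: {line!r}")
    g = m.groupdict()
    if g["nsrc"]:
        direction, translated = "outbound", (g["nsrc"], int(g["nsport"]))
    elif g["ndst"]:
        direction, translated = "inbound", (g["ndst"], int(g["ndport"]))
    else:
        raise ValueError(f"no translated address in: {line!r}")
    return Session(g["proto"].lower(), int(g["vpn"]),
                   (g["src"], int(g["sport"])), (g["dst"], int(g["dport"])),
                   translated, direction)


def parse_address_groups(output: str) -> List[Tuple[int, int, int]]:
    """display nat address-group lines -> (group number, first, last) as integers."""
    groups = []
    for line in output.splitlines():
        m = _POOL.match(line)
        if m:
            groups.append((int(m.group(1)),
                           int(ipaddress.IPv4Address(m.group(2))),
                           int(ipaddress.IPv4Address(m.group(3)))))
    return groups


def check_outbound(sess: Session, groups, easy_ip: Optional[str] = None) -> Optional[str]:
    """Translated source must lie in a configured pool, or equal the NAT interface
    address in EasyIP mode (the caller supplies that address). None means OK."""
    ip = int(ipaddress.IPv4Address(sess.translated[0]))
    if any(lo <= ip <= hi for _, lo, hi in groups) or sess.translated[0] == easy_ip:
        return None
    return f"translated source {sess.translated[0]} is in no address pool and is not the EasyIP address"


def check_server(sess: Session, inside: str) -> Optional[str]:
    """Translated destination of a NAT server session must be the real inside address."""
    if sess.translated[0] == inside:
        return None
    return f"session maps to {sess.translated[0]} but the server is {inside}: fix the nat server inside address"


# Constructed inputs, copied from the displays quoted on this page.
POOL_OUTPUT = """NAT address-group information:
  2 : from 46.1.1.20 to 46.1.1.30, reference 8 times
Total 1 address-groups"""
TELNET_LINE = "TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23"
EASYIP_LINE = "icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768"
SERVER_LINE = "HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]"

if __name__ == "__main__":
    pool = parse_address_groups(POOL_OUTPUT)
    print(check_outbound(parse_session(TELNET_LINE), pool))              # None: in pool 2
    print(check_outbound(parse_session(EASYIP_LINE), pool))              # 46.1.1.14 not in pool
    print(check_outbound(parse_session(EASYIP_LINE), pool, "46.1.1.14")) # None: EasyIP address
    print(check_server(parse_session(SERVER_LINE), "10.2.1.6"))          # the 2.4.2 fault
```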

<Quidway> display nat address-group
NAT address-group information:
  0 : from 15.1.1.1 to 15.1.1.10, reference 0 times
  1 : from 133.1.1.1 to 133.1.1.20, reference 0 times
Total 2 address-groups

The address pool display contains the pool number, the address range of the pool, and the number of times it has been matched by packets.

<Quidway> display nat server
Server in private network information:
  Interface:Ethernet3/1/0
    GlobalAddr  GlobalPort  InsideAddr     InsidePort  Pro     VPN  Ref
    46.1.1.66   80(www)     192.168.1.201  80(www)     6(tcp)       (1)
Total 1 NAT servers

The NAT server display contains:

Location (interface) of the NAT server.

External IP address and port.

Internal IP address and port.

Protocol type and the name of the VPN instance.

The number of times the VPN instance is referenced.

2.6.2 debugging Commands


Command: debugging nat alg
Description: Debugs the NAT ALG.

Command: debugging nat event
Description: Debugs NAT events.

Command: debugging nat packet
Description: Debugs NAT packets.


The output of the debugging nat { alg | event | packet } command is as follows:

*0.181276861 NE05 SEC/8/NAT:Slot=4; (IP forwarding) Forward : Pro : ICMP, ID : 48000,
    (210.1.1.2:43988 - 110.1.1.2:43988) ------> (110.1.1.12:55288 - 110.1.1.2:43988)
*0.181276950 NE05 SEC/8/NAT:Slot=4; (IP forwarding) Reverse : Pro : ICMP, ID : 0,
    (110.1.1.2:55288 - 110.1.1.12:55288) ------> (110.1.1.2:55288 - 210.1.1.2:43988)
*0.181276950 NE05 SEC/8/NAT:Slot=4; NAT new mbuf vpn index=0
*0.181276951 NE05 SEC/8/NAT:Slot=4; (IP forwarding) Forward : Pro : ICMP, ID : 48002,
    (210.1.1.2:43988 - 110.1.1.2:43988) ------> (110.1.1.12:55288 - 110.1.1.2:43988)
*0.181276951 NE05 SEC/8/NAT:Slot=4; (IP forwarding) Reverse : Pro : ICMP, ID : 1,
    (110.1.1.2:55288 - 110.1.1.12:55288) ------> (110.1.1.2:55288 - 210.1.1.2:43988)

The display contains:

Transmission direction of the packet: if the packet travels in the same direction as the NAT session, the state is Forward; otherwise, it is Reverse.

Protocol type of the packet.

Source address and port of the packet.

Destination address and port of the packet.

Address and port after NAT.