VRP Troubleshooting - VAS
Issue 01 (2008-08-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Contents
2 NAT Troubleshooting ..... 2-1
2.1 NAT Overview ..... 2-2
2.1.1 NAT Procedures ..... 2-2
2.1.2 NAT Features ..... 2-3
2.1.3 VRP NAT ..... 2-3
2.2 Troubleshooting NAT ..... 2-4
2.2.1 Typical Networking ..... 2-4
2.2.2 Configuration Notes ..... 2-5
2.2.3 Troubleshooting Flowchart ..... 2-7
2.2.4 Troubleshooting Procedure ..... 2-8
2.3 Troubleshooting Internal NAT Server ..... 2-9
2.3.1 Typical Networking ..... 2-9
2.3.2 Configuration Notes ..... 2-10
2.3.3 Troubleshooting Flowchart ..... 2-11
2.3.4 Troubleshooting Procedure ..... 2-11
2.4 Troubleshooting Cases ..... 2-12
2.4.1 Internal Host Fails to Access the External FTP Server ..... 2-13
2.4.2 External Host Fails to Access the HTTP NAT Server ..... 2-14
2.5 FAQs ..... 2-15
2.6 Diagnostic Tools ..... 2-16
2.6.1 display Commands ..... 2-16
2.6.2 debugging Commands ..... 2-18
Figures
Figure 2-1 Network address translation..............................................................................................................2-2
Figure 2-2 Networking diagram of NAT ............................................................................................................2-4
Figure 2-3 Flow chart of NAT troubleshooting ..................................................................................................2-7
Figure 2-4 Networking diagram of internal server ...........................................................................................2-10
Figure 2-5 Flowchart of NAT server troubleshooting ......................................................................................2-11
Figure 2-6 Troubleshooting cases for NAT outbound ......................................................................................2-13
Figure 2-7 NAT server troubleshooting............................................................................................................2-14
2 NAT Troubleshooting
About This Chapter
The following table shows the contents of this chapter.
Section: Description
2.1 NAT Overview: This section describes the knowledge you need before troubleshooting NAT.
2.2 Troubleshooting NAT: This section describes the notes on configuring NAT, and provides the NAT troubleshooting flowchart and the troubleshooting procedure for a typical NAT network.
2.3 Troubleshooting Internal NAT Server: This section describes the notes on configuring the internal NAT server, and provides the internal NAT server troubleshooting flowchart and the troubleshooting procedure for a typical NAT network.
2.4 Troubleshooting Cases: This section presents several troubleshooting cases.
2.5 FAQs: This section lists frequently asked questions and their answers.
2.6 Diagnostic Tools: This section describes common diagnostic tools: display commands and debugging commands.
2.1 NAT Overview
Network Address Translation (NAT), also called address proxy, allows users in a private network to access the public network.
2.1.1 NAT Procedures
Private Network Address and Public Network Address
The private address is the internal network address, that is, the IP addresses of the internal hosts.
The Internet Address Distribution Organization reserves the following IP address ranges as private network addresses:
From 10.0.0.0 to 10.255.255.255
From 172.16.0.0 to 172.31.255.255
From 192.168.0.0 to 192.168.255.255
The public address is a globally unique IP address used on the Internet.
Addresses in the preceding ranges can be allocated to an intranet but not to the Internet, so different companies can use the same internal network addresses. If a company selects network segments outside these ranges as its internal network addresses, its internal users may fail to access the Internet or a public network host.
NAT
As shown in Figure 2-1, NAT is required when an internal network host needs to access the Internet or a public network host.
Figure 2-1 Network address translation
[Figure: the internal network (PC 10.1.1.10/24 and WWW client 10.1.1.48/24) is attached to the router interface GE1/0/0; the router's external interface Pos2/0/0 203.196.3.23/24 connects to the Internet, where the WWW server 202.18.245.251/24 resides]
The internal network is on the 10.0.0.0 network segment, and the public network IP address assigned to this internal network is 203.196.3.23.
The internal host 10.1.1.48 accesses the external server 202.18.245.251 through NAT as follows:
1. The internal host sends a packet with source IP address and port 10.1.1.48:6084 and destination IP address and port 202.18.245.251:80.
2. When the packet passes through the router, its source IP address and port are translated to 203.196.3.23:32814. The destination IP address and port are unchanged.
3. The router keeps an address-to-port mapping table. When it receives the response packets from the external server, it translates their destination IP address and port back to 10.1.1.48:6084.
NAT translates the IP address and port of the internal host to the external IP address and port of the router, and translates the external IP address and port of the router back to the IP address and port of the internal host. In general, NAT implements the translation between <private address + port> and <public address + port>.
2.1.2 NAT Features
NAT has the following features:
Transparent address distribution for users (the distribution of external addresses)
Transparent routing: Routing here refers to the capability of forwarding IP packets, not to a technology for exchanging routing information.
The advantages of NAT are as follows:
Allowing the internal hosts to access the external network
Protecting the internal hosts
The disadvantages of NAT are as follows:
The packet header containing the IP address cannot be encrypted because the IP address needs to be translated. In application protocols, packets that carry the address or port to be translated must not be encrypted. For example, an encrypted FTP connection should not be used; otherwise, the FTP PORT command cannot be correctly translated.
Debugging the network is difficult because the IP address of the internal host is hidden from the external network. For instance, when a certain internal host attacks other networks, it is hard to identify the malicious host because the internal IP addresses are shielded.
2.1.3 VRP NAT
Supporting NAT ALG
The VRP NAT not only translates common IP addresses but also provides an application level gateway (ALG) mechanism.
The VRP NAT has good extensibility. It supports various application-layer protocols such as DNS, FTP, TFTP, H.323, HWCC, ICMP, Internet Locator Service (ILS), MSN, Network Basic Input/Output System (NetBIOS), the Point-to-Point Tunneling Protocol (PPTP), and QQ.
Supporting MPLS VPN
VRP NAT also permits users in different Multi-Protocol Label Switching (MPLS) Virtual Private Networks (VPNs) to access external hosts through the same egress.
When an MPLS VPN user wants to access the Internet:
1. NAT first translates the IP address and port of the internal host to the external IP address and port of the router.
2. When processing the response packet, NAT translates the external IP address and port back to the IP address and port of the internal host.
During this process, NAT keeps a record of the MPLS VPN to which the user belongs.
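The translation of 2.1.1 and the per-VPN record of 2.1.3, as an added Python model (not VRP code and not part of this document): one public address 203.196.3.23 with a mapping table keyed by VPN index, private address and port. The first dynamic port 32814 is taken from the page's example; the unsolicited packet to port 40000 is a constructed input.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)
PrivateKey = Tuple[int, str, int]   # (VPN index, private IP address, private port)


@dataclass
class NatGateway:
    """Model of a NAT gateway with one public address: the <private address + port> <->
    <public address + port> table of section 2.1.1, keyed additionally by VPN index so
    that MPLS VPN users sharing one egress (section 2.1.3) are kept apart."""
    public_ip: str
    next_port: int = 32814          # first dynamic port handed out (the page's example value)
    forward: Dict[PrivateKey, int] = field(default_factory=dict)   # private key -> public port
    reverse: Dict[int, PrivateKey] = field(default_factory=dict)   # public port -> private key

    def outbound(self, vpn: int, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Internal host -> external server: the source is rewritten to the public address
        and an allocated port; the destination is left unchanged."""
        key = (vpn, src[0], src[1])
        if key not in self.forward:
            port, self.next_port = self.next_port, self.next_port + 1
            self.forward[key] = port
            self.reverse[port] = key
        return (self.public_ip, self.forward[key]), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[int, Endpoint, Endpoint]]:
        """External server -> public address: the destination is rewritten back to the
        internal host of the recorded VPN. Returns None when no mapping exists, which is
        how a packet from outside that nobody asked for is kept away from internal hosts."""
        if dst[0] != self.public_ip or dst[1] not in self.reverse:
            return None
        vpn, ip, port = self.reverse[dst[1]]
        return vpn, src, (ip, port)


def demo() -> dict:
    """Replays the page's flow (10.1.1.48:6084 -> 202.18.245.251:80) and adds a second
    user with the same private address in MPLS VPN 1 behind the same egress."""
    gw = NatGateway("203.196.3.23")
    host, server = ("10.1.1.48", 6084), ("202.18.245.251", 80)
    pub0, _ = gw.outbound(0, host, server)          # VPN index 0: the public instance
    pub1, _ = gw.outbound(1, host, server)          # same private endpoint, different VPN
    return {
        "pub0": pub0,                                # ("203.196.3.23", 32814)
        "pub1": pub1,                                # ("203.196.3.23", 32815)
        "reply0": gw.inbound(server, pub0),          # (0, server, host)
        "reply1": gw.inbound(server, pub1),          # (1, server, host)
        # constructed: a port that was never allocated, so the packet is dropped
        "unsolicited": gw.inbound(server, ("203.196.3.23", 40000)),   # None
    }
```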
NAT Performance
When the link bandwidth is less than 10 Mbit/s, NAT has almost no negative impact on network performance. When the link bandwidth is more than 10 Mbit/s, NAT slightly affects router performance.
2.2 Troubleshooting NAT
This section covers the following topics:
Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure
2.2.1 Typical Networking
As shown in Figure 2-2, the PC in the internal network needs to access the external network through the NAT gateway.
Figure 2-2 Networking diagram of NAT
[Figure: the PC on the internal Ethernet is connected to the NAT gateway (interfaces Eth 1/0/1 and Eth 2/0/1), which connects to the Internet]
2.2.2 Configuration Notes
Item / Sub-item / Description
Configuring the ACL
  Configuring the ACL rule: Configure the Access Control List (ACL) rules, that is, the source and destination IP address ranges and the related port numbers, as required.
Configuring the address pool
  Configuring the NAT address group: Configure the address pool for NAT and specify the pool number and the available start and end IP addresses.
Configuring the NAT outbound ACL and address pool association
  Specifying an interface: Specify the interface on which NAT is enabled.
  Configuring the outbound mode: Specify NAT in the outbound mode.
  Configuring the ACL number: Specify the ACL number to be bound.
  Configuring the address group number: Specify the address pool number to be bound.
  Configuring the No PAT mode: Specify whether to use the No PAT mode.
Configuring the NAT ALG
  Configuring the NAT ALG: Enable the ALG to be used.
The following contents present the notes required to configure NAT outbound.
The following covers part of commands in configuring NAT outbound and NAT ALG. For details, refer to the VRP Configuration Guide - Security and the VRP Configuration Guide - IP Services.
Configuring the ACL Rule
Configure ACL 3001 to permit the internal PC to access Telnet (port number 23).
[Router] acl number 3001
[Router-acl-adv-3001] rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet
Configuring an Address Pool
Configure address pool No. 2, with start IP address 46.1.1.20 and end IP address 46.1.1.30.
[Router] nat address-group 2 46.1.1.20 46.1.1.30
Associating ACL Rules with the Address Pool in the NAT Outbound
When a TCP packet from 192.168.1.0 passes through the NAT gateway, its source IP address is translated to an IP address in the address pool. The packet is then sent out from Ethernet 3/1/0.
[Router] interface Ethernet 3/1/0
[Router-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0
[Router-Ethernet3/1/0] nat outbound 3001 address-group 2
The host can obtain only the Telnet service because the ACL rule limits the destination port.
Packets that do not match the ACL rules cannot access the external network and are discarded.
Configuring NAT ALG for Related Protocols
Use the display nat alg command to view the current ALG status of each protocol.
<Quidway> display nat alg
NAT application level gateway information:
h323 NAT application level gateway is disabled
dns NAT application level gateway is enabled
netbios NAT application level gateway is enabled
ils NAT application level gateway is enabled
ftp NAT application level gateway is disabled
icmp NAT application level gateway is enabled
pptp NAT application level gateway is enabled
hwcc NAT application level gateway is enabled
qq NAT application level gateway is disabled
msn NAT application level gateway is disabled
2.2.3 Troubleshooting Flowchart
Figure 2-3 Flow chart of NAT troubleshooting
[Flowchart: the internal user fails to access the external network. Does the internal router have a route to the NAT gateway? Can the NAT gateway ping through the external IP address? If not, ensure that packets are correctly sent and received on the external interface by checking the route on the NAT gateway and the address pool on the external interface. Are the sessions on the NAT gateway correct? Do the ACL rules permit the internal packets to pass through? If not, configure an ACL rule to permit them. Are the ALGs of the related protocols enabled? After each correction: does the fault disappear? If yes, end; otherwise, seek technical support.]
2.2.4 Troubleshooting Procedure
Step 1 Check the reachability between the internal host and the external network.
1. Check the reachability between the internal host and the NAT gateway.
If the internal host fails to ping through the NAT gateway, check the IP address of the NAT inbound interface on the router, the physical link, and the routes between them.
If the IP addresses of the internal host and the NAT inbound interface are not in the same network segment and no route to the host is configured on the NAT gateway, configure a static route on the gateway so that internal packets can reach it.
If the routes are incorrect, correct them first.
2. Check the reachability between the NAT gateway and the destination IP address.
The method is almost the same as that for checking the reachability between the internal host and the NAT gateway. Note that in this step you also need to check whether the NAT outbound interface is correctly configured with an IP address or an address pool. For example, check whether the IP address of the NAT outbound interface conflicts with other IP addresses in the network segment.
When configuring an address pool on the NAT outbound interface, note that the address pool must not contain the destination IP address. For example, if the destination IP address is 202.99.6.3, the address pool range should not be 202.99.6.1 to 202.99.6.10; otherwise, normal packet forwarding is affected.
Use the display nat address-group command to view the configured address pool.
<Quidway> display nat address-group
NAT address-group information:
2 : from 46.1.1.20 to 46.1.1.30, reference 8 times
Total 1 address-groups
Step 2 Check sessions on the NAT gateway.
On the internal PC, telnet to a host in the external network, and then use the display firewall session table slot slot-id command to check whether a session is set up on the NAT gateway. slot-id is the slot number of the NAT interface board. For example:
<Quidway> display firewall session table slot 3
TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23
Check the protocol, IP addresses, and port numbers carried in the session information.
The part in brackets is the IP address and port after NAT. This IP address should be one of the addresses in the address pool; in the EasyIP mode, it is the configured IP address of the NAT interface.
Using the display firewall session table verbose slot command, you can view detailed session information such as the time to live (TTL).
<Quidway> display firewall session table verbose slot 3
tcp, TELNET:0,
192.168.1.201:768-->46.1.1.64:23
46.1.1.20:25290-->46.1.1.64:23
tag: 0x80000980, State: 0x0, ttl: 00:00:20 left: 00:00:19
The EasyIP mode configuration is as follows:
[Quidway] interface Ethernet 3/1/0
[Quidway-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0
[Quidway-Ethernet3/1/0] nat outbound 3001
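An added example (not VRP code and not part of this guide) that parses the session and address-group output shown above and applies the checks of steps 1 and 2: the translated source must come from the bound pool (or be the EasyIP interface address), and the pool must not contain the destination. It goes a little beyond step 2 by also parsing the NAT server form of the session line, in which the bracket follows the destination, and comparing it with the expected inside host. The line formats are assumed from the outputs on this page; the pool 202.99.6.1 to 202.99.6.10 with destination 202.99.6.3 is a constructed misconfiguration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]
Pool = Tuple[int, ipaddress.IPv4Address, ipaddress.IPv4Address]   # (group number, start, end)

# Session line as printed by "display firewall session table slot <n>" on this page:
#   outbound:   TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23
#   NAT server: HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]
SESSION_RE = re.compile(
    r"^(?P<proto>\w+):\s*vpn:(?P<vpn>\d+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+)(?:\[(?P<src_nat>[\d.]+):(?P<src_nat_port>\d+)\])?"
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)(?:\[(?P<dst_nat>[\d.]+):(?P<dst_nat_port>\d+)\])?$"
)
# Pool line from "display nat address-group": 2 : from 46.1.1.20 to 46.1.1.30, reference 8 times
POOL_RE = re.compile(r"^\s*(?P<num>\d+)\s*:\s*from\s+(?P<start>[\d.]+)\s+to\s+(?P<end>[\d.]+)")


@dataclass
class Session:
    proto: str
    vpn: int
    src: Endpoint
    dst: Endpoint
    src_nat: Optional[Endpoint]   # outbound NAT: source after translation (bracket after the source)
    dst_nat: Optional[Endpoint]   # NAT server: inside host behind the global address (bracket after the destination)


def parse_session(line: str) -> Session:
    m = SESSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised session line: {line!r}")
    g = m.groupdict()
    src_nat = (g["src_nat"], int(g["src_nat_port"])) if g["src_nat"] else None
    dst_nat = (g["dst_nat"], int(g["dst_nat_port"])) if g["dst_nat"] else None
    return Session(g["proto"].lower(), int(g["vpn"]), (g["src"], int(g["sport"])),
                   (g["dst"], int(g["dport"])), src_nat, dst_nat)


def parse_address_groups(text: str) -> List[Pool]:
    pools: List[Pool] = []
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools.append((int(m["num"]), ipaddress.IPv4Address(m["start"]), ipaddress.IPv4Address(m["end"])))
    return pools


def pool_of(addr: str, pools: List[Pool]) -> Optional[int]:
    """Number of the address group containing addr, or None."""
    a = ipaddress.IPv4Address(addr)
    return next((num for num, start, end in pools if start <= a <= end), None)


def check_outbound(s: Session, pools: List[Pool], easy_ip: Optional[str] = None) -> List[str]:
    """Step 2: the translated source must be a pool address (or the EasyIP interface
    address); step 1: the pool must not contain the destination."""
    if s.src_nat is None:
        return ["no source translation in the session: the packet did not match the nat outbound ACL"]
    findings = []
    nat_ip = s.src_nat[0]
    if pool_of(nat_ip, pools) is None and nat_ip != easy_ip:
        findings.append(f"translated source {nat_ip} is not in any address pool and is not the EasyIP interface address")
    dst_pool = pool_of(s.dst[0], pools)
    if dst_pool is not None:
        findings.append(f"destination {s.dst[0]} falls inside address pool {dst_pool}; the pool must not contain the destination")
    return findings


def check_server(s: Session, expected_inside: Endpoint) -> List[str]:
    """NAT server sessions: the bracketed inside host must be the real server (case 2.4.2)."""
    if s.dst_nat is None:
        return ["no inside mapping in the session: no nat server matched the global address and port"]
    if s.dst_nat != expected_inside:
        return [f"session maps {s.dst[0]}:{s.dst[1]} to {s.dst_nat[0]}:{s.dst_nat[1]}, "
                f"expected {expected_inside[0]}:{expected_inside[1]}"]
    return []


# Output taken from the page
POOLS_TEXT = """NAT address-group information:
2 : from 46.1.1.20 to 46.1.1.30, reference 8 times
Total 1 address-groups"""


def demo() -> dict:
    pools = parse_address_groups(POOLS_TEXT)
    telnet = parse_session("TELNET: vpn:0,192.168.1.201:768[46.1.1.20:25290]-->46.1.1.64:23")
    easy = parse_session("icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768")
    # constructed: a pool that overlaps the destination network (the mistake warned about in step 1)
    bad_pools = parse_address_groups("3 : from 202.99.6.1 to 202.99.6.10, reference 0 times")
    bad_dst = parse_session("icmp: vpn:0,192.168.1.201:768[202.99.6.1:25290]-->202.99.6.3:768")
    http = parse_session("HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]")
    return {
        "telnet": check_outbound(telnet, pools),                        # [] : pool address, fine
        "easy_ip_ok": check_outbound(easy, pools, easy_ip="46.1.1.14"),  # [] : interface address in EasyIP mode
        "easy_ip_missing": check_outbound(easy, pools),                 # one finding: 46.1.1.14 is not in pool 2
        "pool_overlap": check_outbound(bad_dst, bad_pools),             # one finding: destination inside the pool
        "server": check_server(http, ("10.2.1.6", 80)),                 # one finding: mapped to 10.2.0.6
    }
```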
Step 3 Check the ACL rules bound with the NAT gateway.
Wrong ACL configurations, such as an improper IP address, protocol, or port number, often prevent internal packets from being sent out or external packets from accessing the internal network.
Use the display acl all command to view all current ACL rules.
<Quidway> display acl all
Total nonempty acl number is 1
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.1.0 0.0.0.255 (9 times matched)
Based on the number of times an ACL rule has been matched, check whether the packets permitted by the rule pass through NAT. This shows whether the ACL rules take effect.
ACL rules strictly specify certain available address ranges, protocols, and ports as required. After NAT is configured, if the internal network host cannot ping through the external network host, check whether the ACL rule permits ICMP packets.
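An added example (not VRP code and not part of this guide) of how the bound ACL decides which packets are translated: it parses the rules shown on this page using VRP wildcard-mask semantics (a 1 bit in the wildcard means "do not compare") and evaluates a Telnet packet, a ping, and a packet from another subnet against them. The port-name table and the rule syntax it accepts are assumptions that cover only the forms appearing on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Port keywords accepted in "destination-port eq <name>"; only those used on this page (assumed)
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21}
ANY = 0xFFFFFFFF        # wildcard with every bit set: the address does not matter


@dataclass
class AclRule:
    number: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src_net: int = 0
    src_wild: int = ANY
    dst_net: int = 0
    dst_wild: int = ANY
    dst_port: Optional[int] = None


def _ip(token: str) -> int:
    # VRP prints a host wildcard as a bare "0" (e.g. "source 15.1.1.2 0")
    return 0 if token == "0" else int(ipaddress.IPv4Address(token))


def parse_rule(line: str) -> AclRule:
    """Parse an advanced ACL rule as typed in the ACL view or as shown by "display acl all"
    (the trailing "(n times matched)" counter is ignored)."""
    toks = re.sub(r"\(.*?\)", "", line).split()
    if toks[:1] != ["rule"]:
        raise ValueError(f"not a rule line: {line!r}")
    rule = AclRule(int(toks[1]), toks[2], toks[3])
    i = 4
    while i < len(toks):
        if toks[i] == "source":
            rule.src_net, rule.src_wild = _ip(toks[i + 1]), _ip(toks[i + 2])
            i += 3
        elif toks[i] == "destination":
            rule.dst_net, rule.dst_wild = _ip(toks[i + 1]), _ip(toks[i + 2])
            i += 3
        elif toks[i] == "destination-port" and toks[i + 1] == "eq":
            name = toks[i + 2]
            rule.dst_port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 3
        else:
            raise ValueError(f"unsupported keyword {toks[i]!r} in {line!r}")
    return rule


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    # Wildcard semantics: bits set in the wildcard are ignored, the others must be equal.
    return ((addr ^ net) & ~wild & ANY) == 0


def rule_matches(r: AclRule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if r.proto != "ip" and r.proto != proto:
        return False
    if not _addr_matches(_ip(src), r.src_net, r.src_wild):
        return False
    if not _addr_matches(_ip(dst), r.dst_net, r.dst_wild):
        return False
    return r.dst_port is None or r.dst_port == dport


def evaluate(rules: List[AclRule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Optional[str]:
    """Action of the first matching rule in rule-number order, or None when no rule
    matches; for nat outbound a packet without a permit match is not translated."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, proto, src, dst, dport):
            return r.action
    return None


# The page's ACLs, as sample input (constructed from the configuration and display output above)
ACL_3001 = ["rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination-port eq telnet"]
ACL_3000 = [
    "rule 5 permit ip source 15.1.1.2 0 destination 15.1.1.1 0 (8 times matched)",
    "rule 6 permit ip source 15.1.1.1 0 destination 15.1.1.2 0 (32 times matched)",
    "rule 10 deny ip (25458 times matched)",
]


def demo() -> dict:
    r3001 = [parse_rule(l) for l in ACL_3001]
    r3000 = [parse_rule(l) for l in ACL_3000]
    return {
        "telnet": evaluate(r3001, "tcp", "192.168.1.201", "46.1.1.64", 23),      # "permit"
        "ping": evaluate(r3001, "icmp", "192.168.1.201", "46.1.1.64"),           # None: no ICMP rule, so ping fails
        "other_subnet": evaluate(r3001, "tcp", "192.168.2.5", "46.1.1.64", 23),  # None: outside 192.168.1.0/24
        "host_pair": evaluate(r3000, "icmp", "15.1.1.2", "15.1.1.1"),             # "permit" by rule 5
        "denied": evaluate(r3000, "tcp", "15.1.1.2", "46.1.1.64", 23),            # "deny" by rule 10
    }
```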
Step 4 Check whether ALGs are enabled for specified protocols.
If the internal host needs to access specific services of the external network, such as FTP or H.323, but file transfer or voice and video transmission fails, check whether the ALG is enabled.
Take FTP ALG as an example. To access FTP of the external network, you need to use the nat alg enable ftp command in the system view and then try to access the external network.
If the fault remains, contact Huawei technical personnel.
----End
2.3 Troubleshooting Internal NAT Server
This section covers the following topics:
Typical Networking
Configuration Notes
Troubleshooting Flowchart
Troubleshooting Procedure
2.3.1 Typical Networking
As shown in Figure 2-4, several servers in the internal network provide services to external hosts. They work as NAT internal servers.
Figure 2-4 Networking diagram of internal server
[Figure: internal PCs 10.110.10.1 to 10.110.10.4 and the FTP server, WWW server, WWW server 2, and SMTP server (addresses shown: 10.110.10.100 and 10.110.12.100) on the enterprise internal Ethernet; the router connects over DDN to the external PC]
2.3.2 Configuration Notes
The following presents notes on configuring the NAT server.
Item / Sub-item / Description
Configuring the NAT server
  Configuring the protocol: TCP, UDP, and ICMP are commonly used.
  Configuring the global address and port: The global address and port of the NAT server that external hosts access.
  Configuring the inside address and port: The internal IP address and port of the host that actually provides the service.
  Configuring the VPN instance: Bind a VPN instance to the NAT server.
The following covers part of the commands for configuring the NAT server. For details, refer to the VRP Configuration Guide - Security.
Configure the NAT server.
[Router] interface Ethernet 6/0/0
[Router-Ethernet6/0/0] nat server protocol tcp global 46.1.1.66 www inside 10.100.10.2 www
This maps the internal address 10.100.10.2 and port 80 of the Web server to the external address 46.1.1.66 and port 80 of the NAT server.
The NAT server is based on TCP, so it does not process ICMP packets. When the external host pings 46.1.1.66, it gets no response packets.
2.3.3 Troubleshooting Flowchart
Figure 2-5 Flowchart of NAT server troubleshooting
[Flowchart: the external user fails to access the NAT server. Does the internal router have a route to the NAT gateway? Can the external host ping through the external interface address of the NAT server? If not, check the route between the external interface on the NAT server and the external host. Ensure that the NAT server can work normally. Are the sessions on the NAT server correct? If not, check the NAT server. After each correction: does the fault disappear? If yes, end; otherwise, seek technical support.]
2.3.4 Troubleshooting Procedure
Step 1 Check whether NAT is successful.
See Troubleshooting NAT.
Step 2 Ensure that the internal server works normally.
Try to access the internal server from other internal hosts to ensure that it can provide services such as HTTP or FTP.
Step 3 Check the NAT server.
Check whether the NAT server is configured with the correct protocol, port number, and IP address. Use the display nat server command to check configurations of the NAT server.
<Quidway> display nat server
Server in private network information:
GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN Ref
Interface:Ethernet3/1/0
46.1.1.66 80(www) 192.168.1.201 80(www) 6(tcp) (1)
Total 1 NAT servers
Pay attention to the mapped internal address and port. When a service such as FTP or TFTP transmits data, several ports (some of them randomly generated) are needed. Therefore, when configuring a NAT server that provides such services, do not limit the ports, so that the internal server can work normally.
When VPN instances are configured on the internal and external interfaces of the router, bind the NAT server to the corresponding VPN instance. In this way, the internal server can work normally.
[Quidway] interface Ethernet3/1/0
[Quidway-Ethernet3/1/0] ip binding vpn-instance huawei
[Quidway-Ethernet3/1/0] ip address 46.1.1.14 255.255.255.0
[Quidway-Ethernet3/1/0] nat server vpn-instance huawei protocol tcp global 46.1.1.66 any inside 192.168.1.201 any
For details of configuring a VPN instance, refer to the VRP Configuration Guide - VPN.
If the fault remains, contact Huawei technical personnel.
----End
2.4 Troubleshooting Cases
This section provides the following troubleshooting cases:
Internal Host Fails to Access the External FTP Server
External Host Fails to Access the HTTP NAT Server
2.4.1 Internal Host Fails to Access the External FTP Server
Fault Symptom
Figure 2-6 Troubleshooting cases for NAT outbound
[Figure: PC 10.2.1.6/24 is attached to the NAT router interface GE1/0/1 10.2.1.1/24; the router interface GE2/0/1 202.99.8.6 connects to the Internet, where the FTP server 202.99.8.75 resides]
As shown in Figure 2-6, the NAT outbound is configured on the router so that the internal PC can access the external network. The NAT outbound uses the EasyIP mode and ACL 3000, which permits only the PCs at 10.2.1.0/24 to access the external network.
The fault is that the PC cannot access the FTP server.
Fault Analysis
1. On the PC, ping the NAT inbound interface 10.2.1.1, and then on the NAT gateway, ping the external FTP server. If the ping fails, the fault may lie in a wrong route on the PC.
2. After the route is modified, the PC can ping through the NAT inbound interface but still cannot access the FTP server. Check the sessions on the NAT gateway and find that no session is set up.
3. Check all ACLs.
4. The PC keeps trying to access the FTP server. Check whether the control connection is correct and whether data can be transmitted.
5. Check again and find that the NAT session is set up.
6. Check the FTP ALG and find that it is disabled.
Troubleshooting Procedure
Step 1 On the PC, configure a route so that packets to 202.99.8.0/24 are sent via 10.2.1.1.
Step 2 Use the display firewall session table slot 2 command to view the NAT session.
Step 3 In the system view, use the acl 3000 command and then the undo rule 5 command; then use the rule 5 permit ip source 10.2.1.0 0.0.0.255 command to configure the ACL rule.
Step 4 Use the display firewall session table slot 2 command again to view the NAT session.
Step 5 Use the display nat alg command to view FTP ALG status.
Step 6 Use the nat alg enable ftp command to enable FTP ALG.
----End
Summary
From the preceding example, you need to:
Know that the ACL plays an important role in the transmission of packets through the NAT gateway.
Configure routes on the internal PC.
Enable the FTP ALG on the NAT outbound. Otherwise, data transmission fails.
2.4.2 External Host Fails to Access the HTTP NAT Server
Fault Symptom
Figure 2-7 NAT server troubleshooting
[Figure: HTTP server 10.2.1.6/24 is attached to the NAT router interface GE1/0/1 10.2.1.1/24; the router interface GE2/0/1 202.99.8.6/24 connects to the Internet, where the PC 202.99.8.75/24 resides]
As shown in Figure 2-7, a NAT server is configured on the router, mapping the internal address 10.2.1.6 of the HTTP server to the external address 202.99.8.6 and port 80.
The fault is that the external PC cannot access the HTTP server.
Fault Analysis
1. The internal server fails to ping through the NAT inbound interface 10.2.1.1, but the NAT gateway can ping through the external PC. The fault may then lie in a wrong route on the internal server.
2. Check the session on the NAT gateway:
HTTP:vpn:0,202.99.8.75:2658-->202.99.8.6:80[10.2.0.6:80]
The fault may lie in the NAT server. Check it and find the following configuration:
nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www
Modify it to:
nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www
After the NAT server is modified, the external network can access the HTTP server.
Troubleshooting Procedure
Step 1 On the internal PC, configure a route so that packets to 202.99.8.0/24 are sent via 10.2.1.1.
Step 2 Use the display firewall session table slot 2 command to view the NAT session.
Step 3 Check the current configuration of the egress GE 2/0/1.
Step 4 Use the undo nat server protocol tcp global 202.99.8.6 www inside 10.2.0.6 www command to remove the wrong configuration.
Step 5 Use the nat server protocol tcp global 202.99.8.6 www inside 10.2.1.6 www command.
----End
Summary
From the preceding example, you need to:
Configure routes on the internal PC.
Focus on the NAT server. Check, based on the NAT session, whether the mapped internal host address is wrong.
Use NAT sessions to view the NAT status and locate the fault.
2.5 FAQs
Q: Why Cannot the Internal Host Ping Through the External Host?
A: Check whether:
There is a correct route to the external network on the internal host.
The ACL permits ICMP packets to pass through the NAT gateway.
Q: When an H.323 Video Meeting Is Held Between the Internal and External Networks, the Dialing Succeeds but the Internal Side Cannot View the External Video. Why?
A: The possible cause is that the H.323 ALG is disabled. In addition to enabling the H.323 ALG, you need to check all ACL rules to ensure that all H.323 packets can pass through NAT, since H.323 uses several TCP and UDP connections.
Q: Why Cannot the External Network Ping Through the Configured NAT Server?
A: Check whether ICMP packets are allowed to pass through the NAT server and whether correct routes exist on the internal host.
Q: Why Cannot the NAT Server Work After the Internal and External Interfaces Are Bound to Specified VPN Instances?
A: If a VPN instance is enabled, the NAT server should also be bound to that VPN instance.
2.6 Diagnostic Tools
2.6.1 display Commands
Command: Description
display nat alg: Displays the NAT ALG status.
display nat outbound: Displays the NAT outbound configuration.
display firewall session table slot slot-id: Displays the sessions on a certain interface board.
display firewall session table verbose slot slot-id: Displays detailed sessions on a certain interface board.
display ip routing-table: Displays the routing table.
display nat address-group: Displays the NAT address pool.
display acl all: Displays all ACL rules.
display nat server: Displays the NAT server configuration.
display nat alg
<Quidway> display nat alg
NAT application level gateway information:
h323 NAT application level gateway is disabled
dns NAT application level gateway is enabled
netbios NAT application level gateway is enabled
ils NAT application level gateway is enabled
ftp NAT application level gateway is disabled
icmp NAT application level gateway is enabled
pptp NAT application level gateway is enabled
hwcc NAT application level gateway is enabled
qq NAT application level gateway is disabled
msn NAT application level gateway is disabled
display nat outbound
<Quidway> display nat outbound
NAT outbound information:
Ethernet3/1/0: acl(3001) --- NAT address-group( 2)
Total 1 nat outbounds
display firewall session table slot
<Quidway> display firewall session table slot 3
icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768
display firewall session table verbose slot
<Quidway> display firewall session table verbose slot 3
icmp, vpn:0,
192.168.1.201:768-->46.1.1.64:768
46.1.1.14:25290-->46.1.1.64:25290
tag: 0x80000980, State: 0x0, ttl: 00:00:20 left: 00:00:19
display ip routing-table
<Quidway> display ip routing-table
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost NextHop Interface
8.1.1.1/32 Direct 0 0 8.1.1.1 Serial3/0/0:0
8.1.1.10/32 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 172.1.1.14 Ethernet3/1/0
172.1.1.14/32 Direct 0 0 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 192.168.1.14 Ethernet4/1/0
192.168.1.14/32 Direct 0 0 127.0.0.1 InLoopBack0
display nat address-group
<Quidway> display nat address-group
NAT address-group information:
0 : from 15.1.1.1 to 15.1.1.10, reference 0 times
1 : from 133.1.1.1 to 133.1.1.20, reference 0 times
Total 2 address-groups
display acl all
<Quidway> display acl all
Total nonempty acl number is 2
Advanced ACL 3000, 3 rules
Acl's step is 5
rule 5 permit ip source 15.1.1.2 0 destination 15.1.1.1 0 (8 times matched)
rule 6 permit ip source 15.1.1.1 0 destination 15.1.1.2 0 (32 times matched)
rule 10 deny ip (25458 times matched)
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.1.0 0.0.0.255 (9 times matched)
display nat server
<Quidway> display nat server
Server in private network information:
GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN Ref
Interface:Ethernet3/1/0
46.1.1.66 80(www) 192.168.1.201 80(www) 6(tcp) (1)
Total 1 NAT servers
<Quidway> display nat alg
ftp NAT application level gateway is disabled
Take the FTP ALG as an example. The status can be enabled or disabled. You must set the status of the ALG to enabled so that the related protocol can pass through NAT correctly.
<Quidway> display nat outbound
NAT outbound information:
Ethernet3/1/0: acl(3001) --- NAT address-group( 2)
Total 1 nat outbounds
The NAT outbound display contains the outbound, the bound ACL ID, and the address pool number.
<Quidway> display firewall session table slot 3
icmp: vpn:0,192.168.1.201:768[46.1.1.14:25290]-->46.1.1.64:768
The session display contains:
Protocol type
VPN index
Source IP address and port
Destination IP address and port
The part in brackets is the address and port after NAT. The arrow points to the destination of the session. In the preceding example, the session is from the internal network to the external network.
<Quidway> display nat address-group
NAT address-group information:
0 : from 15.1.1.1 to 15.1.1.10, reference 0 times
1 : from 133.1.1.1 to 133.1.1.20, reference 0 times
Total 2 address-groups
The address pool display contains the number and the address range of the address pool and matched times of the packet.
<Quidway> display nat server
Server in private network information:
GlobalAddr GlobalPort InsideAddr InsidePort Pro VPN Ref
Interface:Ethernet3/1/0
46.1.1.66 80(www) 192.168.1.201 80(www) 6(tcp) (1)
Total 1 NAT servers
The display of the NAT server contains:
Location of the NAT server (the interface)
External IP address and port
Internal IP address and port
Protocol type and the name of the VPN instance
The number of times the VPN instance is referenced
2.6.2 debugging Commands
Command: Description
debugging nat alg: Debugs the NAT ALG.
debugging nat event: Debugs NAT events.
debugging nat packet: Debugs NAT packets.
The output of the debugging nat { alg | event | packet } command is as follows:
*0.181276861 NE05 SEC/8/NAT:Slot=4;
(IP forwarding) Forward : Pro : ICMP, ID : 48000,
( 210.1.1.2:43988 - 110.1.1.2:43988) ------>
( 110.1.1.12:55288 - 110.1.1.2:43988)
*0.181276950 NE05 SEC/8/NAT:Slot=4;
(IP forwarding) Reverse : Pro : ICMP, ID : 0,
( 110.1.1.2:55288 - 110.1.1.12:55288) ------>
( 110.1.1.2:55288 - 210.1.1.2:43988)
*0.181276950 NE05 SEC/8/NAT:Slot=4;
NAT new mbuf vpn index=0
*0.181276951 NE05 SEC/8/NAT:Slot=4;
(IP forwarding) Forward : Pro : ICMP, ID : 48002,
( 210.1.1.2:43988 - 110.1.1.2:43988) ------>
( 110.1.1.12:55288 - 110.1.1.2:43988)
*0.181276951 NE05 SEC/8/NAT:Slot=4;
(IP forwarding) Reverse : Pro : ICMP, ID : 1,
( 110.1.1.2:55288 - 110.1.1.12:55288) ------>
( 110.1.1.2:55288 - 210.1.1.2:43988)
The display contains:
Transmission direction of the packet. If the packet travels in the same direction as the NAT session, the direction is Forward; otherwise, it is Reverse.
Protocol type of the packet.
Source address and port of the packet.
Destination address and port of the packet.
Address and port after NAT.
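An added example (not VRP code and not part of this guide) that parses the debugging nat output above, rebuilds the private-to-public mapping from the Forward records and checks that each Reverse record returns the reply to the same internal endpoint that was translated. The record format is assumed from the output shown; the second sample, in which the reply goes to 210.1.1.3, is constructed to show a failed check.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]        # (address, port); for ICMP the "port" is the ICMP identifier

# "(IP forwarding) Forward : Pro : ICMP, ID : 48000," (format assumed from the output above)
HEADER_RE = re.compile(r"\)\s*(?P<dir>Forward|Reverse)\s*:\s*Pro\s*:\s*(?P<proto>\w+),\s*ID\s*:\s*(?P<id>\d+)")
# "( 210.1.1.2:43988 - 110.1.1.2:43988)": a (source - destination) pair
PAIR_RE = re.compile(r"\(\s*(?P<a>[\d.]+):(?P<ap>\d+)\s*-\s*(?P<b>[\d.]+):(?P<bp>\d+)\s*\)")


@dataclass
class NatTrace:
    direction: str                        # "Forward" (same direction as the session) or "Reverse"
    proto: str
    pkt_id: int
    before: Tuple[Endpoint, Endpoint]     # (source, destination) as the packet arrived
    after: Tuple[Endpoint, Endpoint]      # (source, destination) after translation


def parse_debug(text: str) -> List[NatTrace]:
    """Assemble one NatTrace per debugging record: a header line followed by two
    (source - destination) pairs; other lines (timestamps, mbuf messages) are skipped."""
    traces: List[NatTrace] = []
    header: Optional[Tuple[str, str, int]] = None
    pairs: List[Tuple[Endpoint, Endpoint]] = []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            header, pairs = (h["dir"], h["proto"], int(h["id"])), []
            continue
        p = PAIR_RE.search(line)
        if p and header is not None:
            pairs.append(((p["a"], int(p["ap"])), (p["b"], int(p["bp"]))))
            if len(pairs) == 2:
                traces.append(NatTrace(header[0], header[1], header[2], pairs[0], pairs[1]))
                header = None
    return traces


def forward_mappings(traces: List[NatTrace]) -> Dict[Endpoint, Endpoint]:
    """Private source -> public source, learned from the Forward records."""
    return {t.before[0]: t.after[0] for t in traces if t.direction == "Forward"}


def check_reverse(traces: List[NatTrace], mapping: Dict[Endpoint, Endpoint]) -> List[str]:
    """A Reverse record must rewrite the public destination back to the private endpoint
    that was translated to it; anything else means the reply is being misdelivered."""
    problems = []
    for t in traces:
        if t.direction != "Reverse":
            continue
        public_dst, private_dst = t.before[1], t.after[1]
        if mapping.get(private_dst) != public_dst:
            problems.append(f"ID {t.pkt_id}: reply to {public_dst[0]}:{public_dst[1]} was delivered to "
                            f"{private_dst[0]}:{private_dst[1]}, which was not translated to that address")
    return problems


# Output taken from the page (one forward/reverse exchange)
SAMPLE = """*0.181276861 NE05 SEC/8/NAT:Slot=4;
(IP forwarding) Forward : Pro : ICMP, ID : 48000,
( 210.1.1.2:43988 - 110.1.1.2:43988) ------>
( 110.1.1.12:55288 - 110.1.1.2:43988)
*0.181276950 NE05 SEC/8/NAT:Slot=4;
(IP forwarding) Reverse : Pro : ICMP, ID : 0,
( 110.1.1.2:55288 - 110.1.1.12:55288) ------>
( 110.1.1.2:55288 - 210.1.1.2:43988)
*0.181276950 NE05 SEC/8/NAT:Slot=4;
NAT new mbuf vpn index=0
"""
# Constructed: the reply is delivered to 210.1.1.3, an endpoint that never appeared in a Forward record
BAD_SAMPLE = SAMPLE.replace("( 110.1.1.2:55288 - 210.1.1.2:43988)", "( 110.1.1.2:55288 - 210.1.1.3:43988)")


def demo() -> dict:
    good = parse_debug(SAMPLE)
    bad = parse_debug(BAD_SAMPLE)
    return {
        "mapping": forward_mappings(good),             # {("210.1.1.2", 43988): ("110.1.1.12", 55288)}
        "good": check_reverse(good, forward_mappings(good)),   # []
        "bad": check_reverse(bad, forward_mappings(bad)),      # one problem naming 210.1.1.3
    }
```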