
[AF] Intranet hosts cannot access services published to the public network by DNAT; configure bidirectional NAT to fix this

Problem Description

A company uses DNAT to publish a server on the intranet to the public Internet. Public users can access it normally, but internal users cannot access it using the public address and port.

Warning Info

[Screenshot: DNAT Policies configuration]

Process

  1. Intranet user 10.0.1.200 can access the server at 10.0.1.100:80 normally, but access to 1.1.1.1:80 fails.
  2. External users can access 1.1.1.1:80 normally.

These two checks show that the destination NAT (DNAT) publishing itself works, but intranet users cannot use it. After consulting 400, it was found that this is a DNAT defect, which can be solved by configuring bidirectional NAT.

Root cause

The intranet host 10.0.1.200 cannot access port 1.1.1.1:80 published by the destination NAT. The reason is that when the request comes from the intranet, it goes directly to the Local interface of the device instead of being forwarded. After translation, the packet's source and interface addresses are both the public interface address 1.1.1.1, so the reply is sent straight back to the Local device itself. The traffic never actually reaches the internal server 10.0.1.100, so the service cannot be accessed.

Solution

Configure bidirectional NAT so that the internal server's DNAT mapping is published to both the internal and external networks. This ensures that users on both networks can reach the destination server 10.0.1.100.

The bidirectional NAT configuration is similar to the destination NAT configuration; just add the intranet zone to the source Zones.
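The policy variants discussed above, modelled as an added example (not Sangfor code or configuration). The zone names, the firewall LAN address 10.0.1.1, the /24 subnet and the external client 203.0.113.7 are assumptions; the model goes slightly beyond the article by also showing why a plain DNAT policy with the intranet zone added would still fail without source translation.

```python
# Added illustration, not Sangfor configuration or code. 10.0.1.200, 10.0.1.100
# and 1.1.1.1:80 are from the article; zone names "WAN"/"LAN", the firewall LAN
# address 10.0.1.1, the /24 mask and the external client are assumptions.
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("10.0.1.0/24")   # assumed intranet subnet
FW_LAN_IP = "10.0.1.1"                          # assumed firewall LAN address

@dataclass(frozen=True)
class Packet:
    zone: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatPolicy:
    src_zones: frozenset
    pub: tuple          # published (ip, port)
    real: tuple         # real server (ip, port)
    snat_ip: str = ""   # non-empty => bidirectional: source is translated too

def translate(policy, pkt):
    """Forwarded packet, or None when unmatched (packet stays on the Local interface)."""
    if pkt.zone not in policy.src_zones or (pkt.dst, pkt.dport) != policy.pub:
        return None
    return Packet(pkt.zone, policy.snat_ip or pkt.src, *policy.real)

def outcome(policy, pkt):
    fwd = translate(policy, pkt)
    if fwd is None:
        return "local"                      # never reaches the real server
    # The server answers fwd.src. If that is another LAN host, the reply goes
    # straight to it, skips the firewall, and is never translated back.
    if ipaddress.ip_address(fwd.src) in LAN_NET and fwd.src != FW_LAN_IP:
        return "reply-bypasses-firewall"
    return "ok"

PUB, REAL = ("1.1.1.1", 80), ("10.0.1.100", 80)
lan_user = Packet("LAN", "10.0.1.200", *PUB)
wan_user = Packet("WAN", "203.0.113.7", *PUB)        # constructed external client
dnat_wan_only = NatPolicy(frozenset({"WAN"}), PUB, REAL)
dnat_both_zones = NatPolicy(frozenset({"WAN", "LAN"}), PUB, REAL)
bidirectional = NatPolicy(frozenset({"WAN", "LAN"}), PUB, REAL, FW_LAN_IP)

if __name__ == "__main__":
    for pol in (dnat_wan_only, dnat_both_zones, bidirectional):
        print(sorted(pol.src_zones), pol.snat_ip, outcome(pol, lan_user), outcome(pol, wan_user))
```

In this model the bidirectional policy translates the source of every matching connection, so 10.0.1.100 sees the firewall's address rather than the client's in its logs.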


Suggestions and Conclusion

Because of this drawback of publishing internal servers with DNAT, bidirectional NAT is used to solve the problem of intranet users being unable to access the published internal server.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1906&isOpen=true