H3C Firewall-Loopback traffic problem (intranet terminal accesses internal server via extranet IP)

Source: Internet
Author: User


The topology is as follows:

[Figure: 1.png, network topology]

Environment Description: 

Two intranet segments reach the Internet through the firewall's NAT function, and the internal Web server 10.1.20.200 is mapped to port 80 on the public address. The configuration is as follows:

acl number <acl-number>
 description Nat_source
 rule 5 permit source 10.1.20.0 0.0.0.255
 rule 10 permit source 192.168.10.0 0.0.0.255
interface GigabitEthernet0/0
 port link-mode route
 nat outbound <acl-number>
 nat server protocol tcp global current-interface 80 inside 10.1.20.200
 ip address 124.133.33.223 255.255.255.0
interface GigabitEthernet0/1
 port link-mode route
 ip address 172.19.10.253 255.255.255.0


With the above configuration, hosts on the public network can access the Web server normally, but intranet users who try to reach the Web server through the public address 124.133.33.223 fail. Most references online analyze the traffic flow as follows:


[Figure: 2.png, traffic flow as usually described online]

Analysis:

The client's request passes through the firewall's NAT mapping, which rewrites the packet's destination address, and the Web server then sends its reply directly to the client. The client treats this reply as invalid (it sent the request to 124.133.33.223 but received a reply from 10.1.20.200), so access fails.


I used an H3C F100-SG firewall and found, by capturing packets on the Web server 10.1.20.200, that this process did not occur: the client's request never reached the Web server, but was interrupted after it reached the firewall. This behavior shows that when the packet arrives at the firewall, the firewall does not perform the port mapping; after the routing decision it treats the packet as access to a local service and handles it itself.


Note: Under normal circumstances, access to port 80 on 124.133.33.223 would go through the mapping translation, but this did not happen; the access was instead treated directly as access to the firewall's local port 80. For example, if the firewall's Web management port is 80, then when we access port 80 through the public address from the intranet, we get the firewall's Web management interface. This has been verified by experiment.


In fact, this can also be seen from the configuration: my DNAT is configured on the WAN (0/0) port. A request from an external user enters through this port, first goes through the DNAT mapping, and is then routed to the Web server. Traffic from internal clients enters through the LAN (0/1) port, so no DNAT translation takes place and the packet goes straight to the routing decision (it is addressed to the firewall itself, so the firewall handles it itself).


The flow for the behavior described above is as follows:


[Figure: 3.png, flow actually observed on the firewall]


To let intranet clients reach the Web server normally, the first step is to get the DNAT translation applied. Because this configuration only takes effect on the interface where it is configured, configure it on the LAN port as well. Once that is done, traffic is directed to the Web server, which is the flow shown in the second figure of this article. At that point access still fails because the Web server replies directly to the client. If the Web server's reply passes through the firewall again, the firewall can reverse the DNAT mapping; we achieve this by configuring SNAT on the LAN port. The configuration is as follows (only the LAN port configuration changes; everything else stays the same):

interface GigabitEthernet0/1
 port link-mode route
 nat outbound
 nat server protocol tcp global 124.133.33.223 inside 10.1.20.200
 ip address 172.19.10.253 255.255.255.0


The resulting flow is as follows:


[Figure: 4.png, flow after configuring DNAT and SNAT on the LAN port]

The client's request is DNATed by the firewall to the Web server. Because the firewall has also applied SNAT, the Web server's reply must pass through the firewall again; the firewall reverses the translations using its NAT mapping, and the reply finally reaches the client.
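The three cases discussed in this article, traced in a small Python model. This is an added example, not the author's code and not output captured from an H3C device. The client address 192.168.10.50 is constructed, and rewriting the source to the LAN interface address 172.19.10.253 is an assumption about which address the SNAT uses.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

PUBLIC = "124.133.33.223"   # from the page: WAN address / NAT server global address
SERVER = "10.1.20.200"      # from the page: internal Web server
FW_LAN = "172.19.10.253"    # from the page: LAN interface address (assumed SNAT address)
CLIENT = "192.168.10.50"    # constructed host in 192.168.10.0/24

def trace(lan_nat_server, lan_nat_outbound):
    """Follow one intranet request to PUBLIC and its reply; return the steps."""
    steps, sessions = [], {}
    req = Packet(CLIENT, PUBLIC)
    steps.append(f"client sends {req.src} -> {req.dst}")
    if not lan_nat_server:
        # No DNAT on the ingress (LAN) interface: routing sees the firewall's own address.
        return steps + ["firewall delivers to its own port 80 (local service)", "FAIL"]
    fwd = replace(req, dst=SERVER)                       # DNAT on the LAN interface
    if lan_nat_outbound:
        fwd = replace(fwd, src=FW_LAN)                   # SNAT to the interface address
    sessions[(fwd.dst, fwd.src)] = (req.dst, req.src)    # reply key -> original address pair
    steps.append(f"firewall forwards {fwd.src} -> {fwd.dst}")
    reply = Packet(SERVER, fwd.src)                      # server answers the source it saw
    if reply.dst == FW_LAN:                              # reply returns to the firewall
        src, dst = sessions[(reply.src, reply.dst)]
        reply = Packet(src, dst)                         # both translations reversed
        steps.append(f"firewall restores {reply.src} -> {reply.dst}")
    else:                                                # reply bypasses the firewall
        steps.append(f"server replies directly {reply.src} -> {reply.dst}")
    # The client only accepts a reply from the address it sent the request to.
    ok = reply.src == req.dst and reply.dst == req.src
    return steps + ["OK" if ok else "FAIL"]

def outcome(lan_nat_server, lan_nat_outbound):
    """Final result only: 'OK' or 'FAIL'."""
    return trace(lan_nat_server, lan_nat_outbound)[-1]

if __name__ == "__main__":
    # original config, DNAT only on LAN, DNAT + SNAT on LAN
    for cfg in [(False, False), (True, False), (True, True)]:
        print(cfg, *trace(*cfg), sep="\n  ")
```
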










This article is from the "retrograde person" blog, please be sure to keep this source http://lingyi.blog.51cto.com/2837715/1769079
