This case applies to standalone (box-type) firewalls and load-balancer (LB) devices.
Site feedback reports that on a SecPath L5030 (V7), configuring the same address (xxx.7.197.248) both in a NAT address group and as the global address of a nat server mapping produces an address conflict message. The configuration is nevertheless accepted, and the site reports that it runs normally. The customer wants to confirm whether the reported address conflict has any impact. Reproducing the setup on a laboratory firewall gives the same error, and nat outbound and nat server both take effect at the same time.
Phenomenon:
[H3C-address-group-4]address XXX.XXX.197.248 XXX.XXX.197.248
[H3C-GigabitEthernet2/0/1]nat server protocol tcp global XXX.XXX.197.248 81 inside 10.6.53.138 81
IP address XXX.XXX.197.248 conflicts with the existing nat address group, please exclude it from the address group.
[H3C-GigabitEthernet2/0/1]dis th
#
interface GigabitEthernet2/0/1
port link-mode route
nat outbound address-group 4
nat server protocol tcp global xxx.XXX.197.248 81 inside 10.6.53.138 81 rule ServerRule_14
#
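A quick way to find this overlap in an exported configuration, before the device complains or when auditing configurations that are already deployed, is to parse the address groups and the nat server global addresses and compare them. The script below is an added example written for this page, not H3C code. The configuration text is constructed in the shape of the display output above, with TEST-NET-2 addresses (198.51.100.0/24) standing in for the masked xxx.xxx.197.248 address; the function names are the author's own. It flags every nat server global address that falls inside any nat address-group range, whatever interface each is bound to; the page only shows the same-interface case, and the scope of the device's own check is not stated here.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the Comware "display this" output quoted
# above (example data, not a capture from the customer's device).
SAMPLE_CONFIG = """\
#
nat address-group 4
 address 198.51.100.248 198.51.100.248
#
nat address-group 5
 address 198.51.100.10 198.51.100.20
#
interface GigabitEthernet2/0/1
 port link-mode route
 nat outbound address-group 4
 nat server protocol tcp global 198.51.100.248 81 inside 10.6.53.138 81 rule ServerRule_14
 nat server protocol tcp global 198.51.100.249 443 inside 10.6.53.139 443 rule ServerRule_15
#
interface GigabitEthernet2/0/2
 port link-mode route
 nat outbound address-group 5
 nat server protocol tcp global 198.51.100.30 443 inside 10.6.53.140 443 rule ServerRule_20
#
"""

ADDR_GROUP_RE = re.compile(r"^nat address-group (\d+)")
ADDR_RE = re.compile(r"^\s*address (\S+) (\S+)\s*$")          # range inside an address group
IFACE_RE = re.compile(r"^interface (\S+)\s*$")
OUTBOUND_RE = re.compile(r"^\s*nat outbound\b.*\baddress-group (\d+)")
SERVER_RE = re.compile(r"^\s*nat server\b.*\bglobal (\d{1,3}(?:\.\d{1,3}){3})")


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_config(text: str):
    """Collect address-group ranges and, per interface, the outbound groups
    and nat server global addresses. Sections are closed by a lone '#'."""
    groups: Dict[int, List[Tuple[int, int]]] = {}
    ifaces: Dict[str, Dict[str, list]] = {}
    group = iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "#":
            group = iface = None
            continue
        if (m := ADDR_GROUP_RE.match(line)):
            group = int(m.group(1))
            groups.setdefault(group, [])
            continue
        if (m := IFACE_RE.match(line)):
            iface = m.group(1)
            ifaces[iface] = {"outbound": [], "servers": []}
            continue
        if group is not None and (m := ADDR_RE.match(line)):
            groups[group].append((ip_int(m.group(1)), ip_int(m.group(2))))
            continue
        if iface is not None:
            if (m := OUTBOUND_RE.match(line)):
                ifaces[iface]["outbound"].append(int(m.group(1)))
            elif (m := SERVER_RE.match(line)):
                ifaces[iface]["servers"].append(m.group(1))
    return groups, ifaces


def find_conflicts(text: str) -> List[Tuple[str, int, str]]:
    """Return (interface, address-group id, global address) for every nat
    server global address that lies inside an address-group range. This is
    the overlap the device reports as 'conflicts with the existing nat
    address group'."""
    groups, ifaces = parse_config(text)
    found: List[Tuple[str, int, str]] = []
    for name, cfg in ifaces.items():
        for server_ip in cfg["servers"]:
            ip = ip_int(server_ip)
            for gid, ranges in groups.items():
                if any(lo <= ip <= hi for lo, hi in ranges):
                    found.append((name, gid, server_ip))
    return found


if __name__ == "__main__":
    for iface, gid, ip in find_conflicts(SAMPLE_CONFIG):
        print(f"{iface}: nat server global {ip} overlaps nat address-group {gid}; "
              f"exclude it from the group or use another global address")
```

Run it against the output of `display current-configuration` saved to a file; only the overlapping address on GigabitEthernet2/0/1 is reported, the other two nat server mappings are left alone.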
Laboratory reproduction (security policy and routing already configured).
Simulated terminal:
[PC-GigabitEthernet1/0/10]dis th
#
interface GigabitEthernet1/0/10
port link-mode route
ip address xxx.xxx.190.177 255.255.255.252
#
Firewall simulating the LB (LoopBack1 provides the inside address of the nat server mapping):
[F1030-NEW-LoopBack1]dis th
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.0
#
[F1030-NEW-address-group-4]dis th
#
nat address-group 4
address xxx.xxx.197.248 xxx.xxx.197.248
#
[F1030-NEW-GigabitEthernet2/0/10]dis th
#
interface GigabitEthernet2/0/10
port link-mode route
ip address xxx.xxx.190.178 255.255.255.252
nat outbound address-group 4
nat server global xxx.xxx.197.248 inside 1.1.1.1 rule ServerRule_15
#
Firewall pings the terminal from 1.1.1.1:
Ping xxx.xxx.190.177 (xxx.xxx.190.177) from 1.1.1.1: 56 data bytes, press CTRL+C to break
56 bytes from xxx.xxx.190.177: icmp_seq=0 ttl=255 time=0.868 ms
56 bytes from xxx.xxx.190.177: icmp_seq=1 ttl=255 time=0.333 ms
56 bytes from xxx.xxx.190.177: icmp_seq=2 ttl=255 time=0.337 ms
56 bytes from xxx.xxx.190.177: icmp_seq=3 ttl=255 time=0.304 ms
56 bytes from xxx.xxx.190.177: icmp_seq=4 ttl=255 time=0.324 ms
--- Ping statistics for xxx.xxx.190.177 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.304/0.433/0.868/0.218 ms
Initiator:
Source IP/port: 1.1.1.1/36775
Destination IP/port: xxx.xxx.190.177/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: InLoopBack0
Source security zone: Local
Responder:
Source IP/port: xxx.xxx.190.177/1
Destination IP/port: xxx.xxx.197.248/0 // nat outbound took effect: source 1.1.1.1 was translated to the address-group address
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet2/0/10
Source security zone: Trust
State: ICMP_REPLY
Application: ICMP
Rule ID: 4
Rule name: any_93160
Start time: 2022-01-19 00:37:04 TTL: 29986s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
Terminal pings the global address:
[L1000-M-2(D045)]ping xxx.7.197.248
Ping xxx.xxx.197.248 (xxx.xxx.197.248): 56 data bytes, press CTRL+C to break
56 bytes from xxx.xxx.197.248: icmp_seq=0 ttl=255 time=0.623 ms
56 bytes from xxx.xxx.197.248: icmp_seq=1 ttl=255 time=0.283 ms
56 bytes from xxx.xxx.197.248: icmp_seq=2 ttl=255 time=0.237 ms
56 bytes from xxx.xxx.197.248: icmp_seq=3 ttl=255 time=0.250 ms
56 bytes from xxx.xxx.197.248: icmp_seq=4 ttl=255 time=0.228 ms
--- Ping statistics for xxx.xxx.197.248 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.228/0.324/0.623/0.151 ms
[F1030-NEW]display session table ipv4 destination-ip xxx.7.197.248 verbose
Slot 2:
Initiator:
Source IP/port: xxx.xxx.190.177/11940
Destination IP/port: xxx.xxx.197.248/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet2/0/10
Source security zone: Trust
Responder:
Source IP/port: 1.1.1.1/11940 // nat server took effect: destination xxx.xxx.197.248 was translated to the inside address 1.1.1.1
Destination IP/port: xxx.xxx.190.177/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: InLoopBack0
Source security zone: Local
State: ICMP_REPLY
Application: ICMP
Rule ID: 4
Rule name: any_93160
Start time: 2022-01-19 00:14:55 TTL: 29996s
Initiator->Responder: 5 packets 420 bytes
Responder->Initiator: 5 packets 420 bytes
So although the address conflict is reported at configuration time, both translations work in the test.
When, then, is the conflict actually triggered?
1. nat outbound creates a session before nat server does. Because the outbound session already holds that port on the global address, nat server cannot use the same port;
2. After nat outbound has taken the port, inbound access to the nat server on that port arrives before the port is released, so it fails;
3. If the outbound session is not released for a long time, the nat server mapping on that port cannot be established for the same length of time.
The conditions for this conflict are quite hard to meet, but once it is triggered it is difficult to troubleshoot. Conflicting configuration is therefore not recommended, even though it works normally in most cases.
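To make the three conditions concrete, here is a small model of one global address whose port space is shared by PAT (nat outbound) and a static nat server mapping. It is an added illustration written for this page, not the device's implementation: the `SharedGlobalAddress` class, its method names and the `preferred_port` knob that lets the caller force PAT onto port 81 are all constructed, and the inside addresses are made up. What it shows is that the breakage is per port and per ordering: inbound access to port 81 works until an outbound session takes port 81, fails for exactly as long as that session is held, and recovers when it is released. `reserve_server_ports=True` stands in for the non-overlapping configuration the warning asks for; on the real device that means taking the address out of the address group, as the message says.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class SharedGlobalAddress:
    """Toy model of a global address used by both nat outbound (PAT) and a
    nat server mapping. Constructed for illustration, not device code."""
    global_ip: str
    server_map: Dict[int, Endpoint]                     # global port -> inside endpoint (nat server)
    pat_sessions: Dict[int, Endpoint] = field(default_factory=dict)  # global port -> inside endpoint
    reserve_server_ports: bool = False                  # True = PAT never hands out a published port

    def open_outbound(self, inside: Endpoint, preferred_port: int) -> int:
        """PAT picks a global source port for a new outbound session.
        preferred_port stands in for whatever the real allocator would pick;
        the model lets a caller force 81 to reproduce the collision."""
        port = preferred_port
        while port in self.pat_sessions or (self.reserve_server_ports and port in self.server_map):
            port += 1
        self.pat_sessions[port] = inside
        return port

    def close_outbound(self, port: int) -> None:
        """Outbound session released (timeout or teardown); the port is free again."""
        self.pat_sessions.pop(port, None)

    def inbound(self, dst_port: int) -> Tuple[str, Optional[Endpoint]]:
        """Classify a new inbound connection to global_ip:dst_port. A port
        already held by an outbound session is not available to nat server,
        so the static mapping is not applied while that session lives."""
        if dst_port in self.pat_sessions:
            return ("port-held-by-outbound", self.pat_sessions[dst_port])
        if dst_port in self.server_map:
            return ("nat-server", self.server_map[dst_port])
        return ("no-translation", None)


def reproduce_conflict() -> Dict[str, object]:
    """Walk through the three trigger conditions and record what an inbound
    connection to port 81 sees at each step."""
    nat = SharedGlobalAddress("203.0.113.248", {81: ("10.6.53.138", 81)})  # constructed addresses
    result: Dict[str, object] = {}
    result["before_outbound"] = nat.inbound(81)[0]            # normal case: nat server answers
    held = nat.open_outbound(("10.6.53.200", 40001), preferred_port=81)  # condition 1: PAT takes 81 first
    result["pat_port"] = held
    result["while_held"] = nat.inbound(81)[0]                 # condition 2: inbound arrives before release
    result["other_port_while_held"] = nat.inbound(82)[0]      # the conflict is confined to that port
    nat.close_outbound(held)                                  # condition 3: service is down until release
    result["after_release"] = nat.inbound(81)[0]
    return result


def with_ports_reserved() -> Dict[str, object]:
    """Same sequence, but PAT is kept off the published port (no overlap)."""
    nat = SharedGlobalAddress("203.0.113.248", {81: ("10.6.53.138", 81)}, reserve_server_ports=True)
    port = nat.open_outbound(("10.6.53.200", 40001), preferred_port=81)
    return {"pat_port": port, "inbound_81": nat.inbound(81)[0]}


if __name__ == "__main__":
    for step, outcome in reproduce_conflict().items():
        print(f"{step:>24}: {outcome}")
    print("with no overlap:", with_ports_reserved())
```

The model also explains why the problem is hard to troubleshoot: nothing is logged as an error, the nat server simply stops answering on one port for the lifetime of one unrelated outbound session, and a retry after that session times out succeeds.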
On mid- and low-end security products the configuration can be used normally when this message appears; on high-end security products such conflicts in the flow table information must not exist, so the overlap must be avoided there.