Firewall – Allied Telesis AR400 Series Router User Manual
AR400 Series Router User Guide, Software Release 2.6.1, C613-02021-00 REV D (page 46)
Problem
Incoming traffic is sent to the wrong host.
Solution
If you are using a static Standard NAT, this problem may indicate that NAT is mapping to a valid IP address that belongs to the wrong host. To correct the IP address, select Configuration > Firewall > NAT.
Problem
Only one device on the LAN or DMZ can access the Internet.
Solution
■ If you are using a static Standard NAT, only one device from the LAN will be able to access the Internet. If you wish to have more than one device access the Internet, use Enhanced NAT instead (Configuration > Firewall > NAT).
■ It is also possible that no other device has been configured with the correct gateway.
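The two NAT behaviours described above can be made concrete with a small simulation. This is an added example, not Allied Telesis code or output: it models static Standard NAT as a one-to-one mapping between a single private address and the public address, and models Enhanced NAT as a many-to-one mapping in which every private host shares the public address and is told apart by a translated source port (that is the usual meaning of port-translating NAT and is assumed here, not taken from the page). The public address 203.0.113.5, the private addresses and the port numbers are constructed sample values.

```python
"""Why only one LAN host reaches the Internet under static Standard NAT.

Added example (not Allied Telesis code). StaticNat and EnhancedNat are
simplified models; all addresses and ports below are constructed samples.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


class StaticNat:
    """One-to-one: a single private address is mapped to the public address."""

    def __init__(self, public_ip: str, private_ip: str) -> None:
        self.public_ip = public_ip
        self.private_ip = private_ip

    def translate_outbound(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        # Only the mapped host has a translation; any other host cannot be
        # rewritten to the public address and so never reaches the Internet.
        if src_ip != self.private_ip:
            return None
        return (self.public_ip, src_port)

    def translate_inbound(self, public_port: int) -> Optional[Endpoint]:
        # Everything arriving for the public address goes to the one mapped host.
        return (self.private_ip, public_port)


class EnhancedNat:
    """Many-to-one: all private hosts share the public address, keyed by port."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[Endpoint, int] = {}     # (private ip, port) -> public port
        self.reverse: Dict[int, Endpoint] = {}   # public port -> (private ip, port)

    def translate_outbound(self, src_ip: str, src_port: int) -> Endpoint:
        key = (src_ip, src_port)
        if key not in self.table:
            # Allocate a fresh public port so replies can be matched back.
            public_port = self.next_port
            self.next_port += 1
            self.table[key] = public_port
            self.reverse[public_port] = key
        return (self.public_ip, self.table[key])

    def translate_inbound(self, public_port: int) -> Optional[Endpoint]:
        # A reply is routed to whichever private host owns that public port.
        return self.reverse.get(public_port)


def reachable_hosts(nat, private_hosts: List[str], src_port: int = 40000) -> List[str]:
    """Return the private hosts whose outbound traffic gets a translation."""
    return [h for h in private_hosts if nat.translate_outbound(h, src_port) is not None]


if __name__ == "__main__":
    lan = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]  # constructed sample LAN
    static = StaticNat("203.0.113.5", "192.168.1.10")
    enhanced = EnhancedNat("203.0.113.5")
    print("Standard NAT reaches Internet:", reachable_hosts(static, lan))
    print("Enhanced NAT reaches Internet:", reachable_hosts(enhanced, lan))
```

With the static mapping only the one mapped host gets a translation, which is the symptom in the problem above; the port-translating model gives every host a distinct public port, so all of them can reach the Internet and replies are delivered back to the right host.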
Firewall
Diagnosis
To see information about the traffic that the firewall has denied, use the CLI command SHOW FIREWALL EVENT=DENY.
To see information about the traffic that the firewall has allowed, use the CLI command SHOW FIREWALL EVENT=ALLOW.
Problem
Legitimate traffic is not reaching your LAN or DMZ.
Solutions
■ Check that a rule exists to allow the traffic (Firewall > Configuration > Traffic Rules).
  Activating a DMZ does not provide access to servers on it. Rules must be created for each server on the DMZ. Likewise, by default there is no access to any devices on the private LAN.
■ If the rule exists, it may be incorrect or insufficient. Check that:
  • Rules intended to allow traffic have an action of “Allow”.
  • The firewall is processing the rules in the order you expected, and that specific rules (e.g. allow IP address x access to FTP on the server) have lower numbers than general rules (e.g. deny all FTP access).
  • The ports, services and protocols are correct.
  • The IP addresses the rules apply to are entered correctly, and belong to the specified devices.
  • The rules apply to the correct days and time.
■ Check the NAT configuration. See “Traffic Flow and Network Address Translation (NAT)” on page 45.
Problem
Illegitimate traffic is reaching your LAN or DMZ.
Solutions
■ The most likely cause of this problem is an incorrect rule. Check that:
  • “Allow” rules are tight enough that only the intended traffic types are allowed through.
  • The firewall is processing the rules in the order you expected, and that specific rules (e.g. deny IP address x access to FTP on the server) have lower numbers than general rules (e.g. allow all FTP access).
  • Rules intended to block traffic have an action of “Deny”.
  • The ports, services and protocols are correct.
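Both checklists above (legitimate traffic blocked, illegitimate traffic admitted) come down to the same thing: rules are processed in number order and the first match wins, so a specific rule numbered after a broader one never fires. The following added example, which is not Allied Telesis code and does not use the router's rule syntax, models numbered first-match rules with a default deny, evaluates a few packets, and flags rules that are shadowed by an earlier, broader rule. The rule fields (source subnet, protocol, destination port), the host 192.168.1.50 and the rule numbers are constructed assumptions; the day/time schedule mentioned on the page is left out.

```python
"""First-match firewall rule ordering and a shadowed-rule check.

Added example (not Allied Telesis code). Rules are evaluated lowest number
first, the first match decides, and unmatched traffic is denied. All rules,
addresses and ports are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int            # evaluation order: ascending
    action: str            # "allow" or "deny"
    src: str               # source subnet in CIDR notation
    protocol: str          # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None means any port

    def matches(self, src_ip: str, protocol: str, dport: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, protocol: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); ("deny", None) when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, protocol, dport):
            return rule.action, rule.number
    return "deny", None


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet that matches `narrow` would also match `broad`."""
    src_ok = ip_network(narrow.src).subnet_of(ip_network(broad.src))
    proto_ok = broad.protocol == "any" or broad.protocol == narrow.protocol
    port_ok = broad.dport is None or broad.dport == narrow.dport
    return src_ok and proto_ok and port_ok


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed rule number, earlier rule that hides it) pairs.

    A shadowed rule can never match, so its action has no effect; this is the
    misordering the troubleshooting checklist tells you to look for.
    """
    ordered = sorted(rules, key=lambda r: r.number)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                found.append((later.number, earlier.number))
                break
    return found


FTP = 21  # FTP control port

# Constructed rule sets: the intent is "host .50 may use FTP, nobody else may".
WRONG_ORDER = [
    Rule(10, "deny", "0.0.0.0/0", "tcp", FTP),         # general rule numbered first...
    Rule(20, "allow", "192.168.1.50/32", "tcp", FTP),  # ...so this specific rule is dead
]
RIGHT_ORDER = [
    Rule(10, "allow", "192.168.1.50/32", "tcp", FTP),  # specific rule first
    Rule(20, "deny", "0.0.0.0/0", "tcp", FTP),         # general rule after it
]


if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "host .50 ->", evaluate(rules, "192.168.1.50", "tcp", FTP))
        print(name, "host .51 ->", evaluate(rules, "192.168.1.51", "tcp", FTP))
        print(name, "shadowed:", shadowed_rules(rules))
```

Running `shadowed_rules` over a rule set is a quick way to catch both failure modes at once: an allow rule hidden behind a broader deny explains blocked legitimate traffic, and a deny rule hidden behind a broader allow explains illegitimate traffic getting through.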