Troubleshooting Policy Routing and NAT Redirection Issue on AR2240 Interface GE0/0/0

The AR2240 internal interface GE0/0/0 was configured with a policy route that caused internal user HostA to be unable to access an internal server via the public address 112.64.180.10; removing the policy route restored connectivity.

Alarm information : HostA could not ping the server's public IP address.

Processing steps :

Step 1 – Display current configuration and examine the policy routing settings. The configuration showed that traffic from the internal network to the public address 112.64.180.10 was exempted from redirection:

acl number 2000
rule 10 permit source 192.168.0.0 0.0.0.255
acl number 2999
rule 5 permit
acl number 3001
rule 11 permit ip source 192.168.0.0 0.0.255.255 destination 112.64.180.10 0
traffic classifier vlan11 operator or
if-match acl 3001
traffic classifier vlan10 operator or
if-match acl 2000
traffic behavior vlan11
traffic behavior vlan10
redirect ip-nexthop 112.64.180.9
traffic policy vlan10
classifier vlan11 behavior vlan11
classifier vlan10 behavior vlan10
Interface GigabitEthernet0/0/0
ip address 172.16.100.1 255.255.255.0
traffic-policy vlan10 inbound
nat server protocol tcp global interface GigabitEthernet0/0/2 www inside 192.168.0.140 www
interface GigabitEthernet0/0/2
description LianTong
ip address 112.64.180.10 255.255.255.252
nat server protocol tcp global current-interface www inside 192.168.0.140 www
nat outbound 2999

Step 2 – Trace the ping process from HostA to the server:

First stage (client → server): Source                             Destination 192.168.1.100                       112.64.180.10 192.168.1.100                       192.168.0.140  // NAT translation 172.16.100.1  // NAT translation    192.168.0.140

Second stage (server → client): Source                             Destination 192.168.0.140                        172.16.100.1  // No matching ACL 3001, redirected 192.168.0.140                        192.168.1.100  // NAT translation 112.64.180.10  // NAT translation  192.168.1.100

Root cause : During the second stage, the server’s response to the client did not match ACL 3001, causing the traffic to be redirected incorrectly.

Solution : Add a rule to ACL 3001 to exempt traffic from the internal network to the public address 172.16.100.1, preventing redirection:

acl number 3001
rule 11 permit ip source 192.168.0.0 0.0.255.255 destination 112.64.180.10 0
rule 12 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.100.1 0  // added rule for internal‑to‑public traffic

After applying the new configuration, the issue was resolved and HostA could successfully ping the server via the public IP.