The invention provides a method for detecting illegal external connections of NAT access equipment, comprising the following steps: S1, deploying gateway hardware equipment on a bypass of a core switch, and providing network flow information to the gateway hardware equipment; S2, analyzing the flow information in real time; S3, if the chkurl information does not exist, going to step S4, otherwise going to step S5; S4, the gateway hardware equipment using a Set-Cookie value to insert a chkurl key and a chkurl key value; S5, judging whether the chkurl key value is consistent with the request path of the current message, and if not, going to step S6, otherwise going to step S7; S6, judging whether the time information in the chkurl key value has timed out, and if it has, going to step S4; S7, judging whether the time information in the chkurl key value exceeds a detection period, and if not, ending, otherwise continuing to step S8; and S8, the gateway hardware equipment inserting a script carrying an alarm system connection request, so as to detect the external connection condition of the equipment, thereby solving the problem that illegal external connection detection cannot be carried out effectively and comprehensively for NAT access equipment.
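The decision flow of steps S3 to S8 can be sketched as follows. This is an added example, not code from the patent. It assumes a chkurl cookie value laid out as `path@unix_time`, the TIMEOUT and DETECT_PERIOD values, and the names parse_chkurl and decide; it also assumes a malformed marker is handled like a missing one and that no action is taken when S6 finds the marker not yet timed out, a branch the text leaves open.

```python
from http.cookies import SimpleCookie

TIMEOUT = 30         # assumed: seconds after which a mismatched marker is stale (S6)
DETECT_PERIOD = 300  # assumed: seconds between two detections for one client (S7)


def parse_chkurl(cookie_header):
    """Return (path, timestamp) from the chkurl cookie, or None if absent/malformed."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "chkurl" not in jar:
        return None
    # Assumed layout: "<request path>@<unix time>"; split on the last "@".
    path, sep, ts = jar["chkurl"].value.rpartition("@")
    if not sep or not ts.isdigit():
        return None
    return path, int(ts)


def decide(request_path, cookie_header, now):
    """Walk S3-S8 for one HTTP request seen by the bypass gateway.

    Returns (action, set_cookie_value). action is "set_cookie" (S4),
    "inject_script" (S8) or "none".
    """
    fresh = f"chkurl={request_path}@{now}"
    marker = parse_chkurl(cookie_header)
    if marker is None:                    # S3: no chkurl information -> S4
        return "set_cookie", fresh
    path, ts = marker
    age = now - ts
    if path != request_path:              # S5: key value differs from request path -> S6
        if age > TIMEOUT:                 # S6: timed out -> S4
            return "set_cookie", fresh
        return "none", None               # assumed: the page does not define this branch
    if age <= DETECT_PERIOD:              # S7: detection period not exceeded -> end
        return "none", None
    return "inject_script", None          # S8: script carrying the alarm system request


if __name__ == "__main__":
    # Constructed sample requests: (path, Cookie header, current time)
    for req in [("/a", "", 1000), ("/a", "chkurl=/b@900", 1000),
                ("/a", "sid=x; chkurl=/a@600", 1000)]:
        print(req, "->", decide(*req))
```
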