Because of the un-correct visit policy the user of the internal network can’t open the webpage.

Publication Date:  2012-09-17 Views:  185 Downloads:  0
Issue Description
The client network connect to the external network by the USG2130, demands that the users of internal network can only visit the external website, can’t visit other operations, but after the configurations that the internal user can only visit the www server, found out that the internal users can’t visit the external website.
Alarm Information
none
Handling Process
1 When visit the www.sina.com, check the session table, found out a lot of http request, no DNS sessions.

2 In the ACL of the package filtering between regions, the policy permit only the WWW, reject all of the other requests.
   acl number 3005
   rule 10 permit tcp source 192.168.0.0 0.0.0.255 destination-port eq www
   rule 500 deny ip source 192.168.0.0 0.0.0.255

3 Chang the ACL rule, permit the DNS visit.
Root Cause
In the ACL of the package filtering between regions, the policy permit only the WWW, not the DNS, result in the unable to resolve the webpage.
Suggestions
In the package filtering, DNS is of the uncared-for, so we should consider some crytic visit conditions.

END