The Dual-egress Link of the USG2200 Makes Incoming and Outgoing Paths Consistent

Publication Date: 2012-07-25
Issue Description
The user connects the USG2200 to two egress links, one from China Telecom and one from Netcom. On the intranet, an application server is published with NAT server so that extranet users can reach it.
The two egress links are:
Netcom IP address: 5.5.5.5
China Telecom IP address: 6.6.6.6
The application server connects to the USG2200 through two network adapters:
IP address of network adapter 1: 192.168.1.1
IP address of network adapter 2: 192.168.2.1
Alarm Information
None.
Handling Process
The configuration commands are as follows:
[Eudemon] firewall packet-filter default permit interzone trust untrust
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface Ethernet 0/0/0
[Eudemon-zone-trust] add interface Ethernet 0/0/1
[Eudemon-zone-trust] quit
[Eudemon] interface Ethernet 0/0/0
[Eudemon-Ethernet0/0/0] ip address 192.168.1.1 255.255.255.0
[Eudemon-Ethernet0/0/0] ip policy route-policy dianxin
[Eudemon-Ethernet0/0/0] quit

[Eudemon] interface Ethernet 0/0/1
[Eudemon-Ethernet0/0/1] ip address 192.168.2.1 255.255.255.0
[Eudemon-Ethernet0/0/1] ip policy route-policy wangtong
[Eudemon-Ethernet0/0/1] quit

[Eudemon] acl 2000
[Eudemon-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Eudemon-acl-basic-2000] rule permit any
[Eudemon-acl-basic-2000] quit
[Eudemon] acl 2001
[Eudemon-acl-basic-2001] rule permit source 192.168.2.0 0.0.0.255
[Eudemon-acl-basic-2001] rule permit any
[Eudemon-acl-basic-2001] quit

[Eudemon] nat server global 5.5.5.5 inside 192.168.1.1    // Extranet traffic to 5.5.5.5 is mapped to 192.168.1.1.
[Eudemon] nat server global 6.6.6.6 inside 192.168.2.1    // Extranet traffic to 6.6.6.6 is mapped to 192.168.2.1.

[Eudemon] route-policy dianxin permit node 1
[Eudemon-route-policy-dianxin-1] if-match acl 2000
[Eudemon-route-policy-dianxin-1] apply output-interface Ethernet 0/0/0    // Traffic matching ACL 2000 goes out through Ethernet0/0/0.
[Eudemon-route-policy-dianxin-1] quit

[Eudemon] route-policy wangtong permit node 2
[Eudemon-route-policy-wangtong-2] if-match acl 2001
[Eudemon-route-policy-wangtong-2] apply output-interface Ethernet 0/0/1    // Traffic matching ACL 2001 goes out through Ethernet0/0/1.
[Eudemon-route-policy-wangtong-2] quit
Root Cause

The customer requires that when hosts in the Untrust zone access the internal server through the China Telecom and Netcom links, the return traffic leaves through the same interface on which the request arrived.
For example, the reply to a data flow that reaches the server through the Netcom interface must go out through the Netcom interface.
Requirement: traffic that comes in through the Netcom interface goes out through the Netcom interface, and traffic that comes in through the China Telecom interface goes out through the China Telecom interface.

Suggestions

The server needs two network adapters so that each direction of traffic can be tied to one egress link; both adapters must be configured on the server.
In NAT server + policy-based routing mode, each data flow leaves through the interface that the route-policy specifies for it, rather than following the default route.
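The check below is an added example, not part of the original article or Huawei's tooling: it models the NAT server + policy-based route design described above and verifies, for each published address, that the reply leaves on the link the request arrived on, and shows the asymmetry that appears when the policy routes are missing. The egress interface names GE-netcom and GE-telecom are assumed placeholders, since the page names only the inside interfaces.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the NAT server + policy-based-route design on this page.
# The egress interface names GE-netcom / GE-telecom are assumed placeholders;
# the page names only the inside interfaces and the two public addresses.
LINK_OF_GLOBAL = {"5.5.5.5": "GE-netcom", "6.6.6.6": "GE-telecom"}
NAT_SERVER = {"5.5.5.5": "192.168.1.1", "6.6.6.6": "192.168.2.1"}
INSIDE_IF = {"Ethernet0/0/0": "192.168.1.0/24", "Ethernet0/0/1": "192.168.2.0/24"}
# Basic ACLs in Huawei source/wildcard form; first matching rule wins,
# and an ACL with no matching rule denies.
ACLS = {2000: [("permit", "192.168.1.0/0.0.0.255")],
        2001: [("permit", "192.168.2.0/0.0.0.255")]}
# Policy route applied on each inside interface: (if-match acl, output interface).
# Each server NIC is pinned to the link that publishes it (see the nat server lines).
POLICY_ROUTE = {"Ethernet0/0/0": (2000, "GE-netcom"),
                "Ethernet0/0/1": (2001, "GE-telecom")}
DEFAULT_ROUTE_IF = "GE-telecom"  # where replies go when no policy route applies

def acl_permits(acl, src):
    for action, wildcard_net in ACLS[acl]:
        if ip_address(src) in ip_network(wildcard_net, strict=False):
            return action == "permit"
    return False

def inside_interface(server_ip):
    for iface, subnet in INSIDE_IF.items():
        if ip_address(server_ip) in ip_network(subnet):
            return iface
    raise ValueError(f"{server_ip} is not on any inside interface")

def reply_egress(server_ip, policy_route):
    """Egress interface chosen for a reply packet sent by server_ip."""
    iface = inside_interface(server_ip)
    pr = policy_route.get(iface)
    if pr and acl_permits(pr[0], server_ip):
        return pr[1]
    return DEFAULT_ROUTE_IF

def check_symmetry(policy_route):
    """Per published address: (link the request came in on, link the reply
    leaves on, whether the two match)."""
    report = {}
    for global_ip, server_ip in NAT_SERVER.items():
        in_link = LINK_OF_GLOBAL[global_ip]
        out_link = reply_egress(server_ip, policy_route)
        report[global_ip] = (in_link, out_link, in_link == out_link)
    return report

if __name__ == "__main__":
    print("with policy routes:   ", check_symmetry(POLICY_ROUTE))
    print("without policy routes:", check_symmetry({}))
```

Without the policy routes, replies from 192.168.1.1 follow the default route out of the Telecom link although the request arrived on the Netcom address, which is exactly the asymmetry the route-policies remove.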

END