
Solution: USG5530 IPsec interesting-traffic ACL does not support deny rules

Publication Date:  2012-09-20 Views:  51 Downloads:  0
Issue Description
The customer reported that they could not access the Internet through an L2TP tunnel they had set up themselves across our USG5530; enabling PPTP in the inter-zone policy was equally unsuccessful.
However, when bypassing our equipment and going out directly through the 3G network card, access succeeded.
Alarm Information
none
Handling Process
Because the customer said that IPsec must remain in place, and the L2TP tunnel the customer wanted to establish is not the IPsec tunnel, we tried to exclude 3.3.3.3 (the address the client's L2TP session reaches on the Internet) with a deny rule in the ACL, but the client still could not access the Internet:
acl number 3000
description remote-ipsec-vpn-China Mobile
rule 0 deny udp source-port eq 1701 destination 219.153.9.30 0 destination-port eq 1701
rule 5 permit udp source-port eq 1701
rule 10 permit udp destination-port eq 1701
After consulting R&D, we learned that the IPsec interesting-traffic ACL does not support deny rules, so the configuration had to be changed as follows:
acl number 3000
description remote-ipsec-vpn-China Mobile
rule 5 permit udp source 113.204.165.5 0 source-port eq 1701
rule 10 permit udp source 113.204.165.6 0 source-port eq 1701
Root Cause
Checking the configuration shows that, because IPsec is applied on the firewall's public-network interface, the L2TP packets hit rule 10 of ACL 3000.
Because the IPsec policy is in template mode, the firewall cannot initiate a new IPsec tunnel itself; it can only wait for the remote end to start the IPsec negotiation. While no tunnel exists, the packets are dropped. Therefore, from the session-table perspective, there are only outbound packets and no return packets, and Internet access fails.
Key configuration
interface GigabitEthernet0/0/1
description to-internet-liantong
link-group 1
ip address 113.204.165.5 255.255.255.240
ip address 113.204.165.6 255.255.255.240 sub
ipsec policy sansjy2map
acl number 3000
description remote-ipsec-vpn-China Mobile
rule 5 permit udp source-port eq 1701
rule 10 permit udp destination-port eq 1701
ipsec policy-template sansjy2 1
security acl 3000
ike-peer a
proposal sansjy
#
ipsec policy sansjy2map 10 isakmp template sansjy2
Session information
<FW-USG5500-2>dis firewall session table source inside 192.168.7.25
17:34:40  2011/07/22
Current Total Sessions : 6
  telnet  VPN:public --> public 192.168.7.25:1054-->1.1.1.2:23
  stun-derived  VPN:public --> public 192.168.7.25:1701[1.1.1.2:25333]-->3.3.3.3:1701
  stun  VPN:public --> public 192.168.7.25:768[1.1.1.2:25378]-->3.3.3.3:2048
  stun  VPN:public --> public 192.168.7.25:1053[1.1.1.2:25380]-->3.3.3.3:7001
  stun  VPN:public --> public 192.168.7.25:1052[1.1.1.2:25379]-->3.3.3.3:7001
  stun-derived  VPN:public --> public 192.168.7.25:1056[1.1.1.2:25402]-->3.3.3.3:1723
Suggestions
The IPsec interesting-traffic ACL does not support deny rules; obtain the effect of a deny by writing permit rules narrow enough that only the intended traffic matches.

END