
Mobile computer accessing through L2TP cannot ping intranet server

Publication Date: 2012-09-22
Issue Description
After the L2TP client PC dialed in, it could not ping the intranet web server. 10.1.1.0/24 is the address segment assigned to L2TP clients.
Topology: shown in the figure (not reproduced here).
Alarm Information
none
Handling Process
Changed the ACL applied in the policy-based route so that traffic destined for 10.1.1.0/24 is denied (excluded from the policy route) and can reach the target network segment directly. The changed ACL configuration is as follows:
#
acl number 3000
rule 1 deny ip destination 113.108.195.0 0.0.0.255
rule 2 deny ip destination 192.168.0.254 0
rule 3 deny ip destination 10.1.1.0 0.0.0.255
rule 5 permit ip source address-set celveluyou
#
Root Cause
The mobile computer could access through L2TP, which means there was no problem with the L2TP configuration on the USG2100. Checking the L2TP tunnel information showed that this PC already existed in the tunnel list:
[USG2100]dis l2tp tunnel
11:58:53 2012/05/24
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 112.96.96.37 1701 1 client1

From the L2TP client PC we could not ping the web server, so instead we ran the ping test on the firewall side and checked the firewall session table. It showed that the source address was being translated to a public network address, as follows:
[USG2100]dis firewall session table source inside 192.168.0.73 protocol icmp
11:55:06 2012/05/24
Current Total Sessions : 1
icmp VPN:public --> public 192.168.0.73:512[14.147.86.58:2056]-->10.1.1.1:2048

After checking the configuration, we found that the firewall had policy-based routing configured, sending most source addresses in the address set celveluyou (including the web server) out through Dialer1. All of that traffic was translated to the public address, so the ping could not succeed. The configuration is as follows:
#
ip address-set celveluyou type object
address 0 range 192.168.0.16 192.168.0.122
address 1 range 192.168.0.126 192.168.0.199
address 2 range 192.168.0.221 192.168.0.253
#
acl number 3000
rule 1 deny ip destination 113.108.195.0 0.0.0.255
rule 2 deny ip destination 192.168.0.254 0
rule 5 permit ip source address-set celveluyou
#
interface Vlanif1
mtu 1400
ip address 192.168.0.254 255.255.255.0
ip policy-based-route abc
dhcp select interface
dhcp server dns-list 202.96.128.166 202.96.134.133
#
policy-based-route abc permit node 30
if-match acl 3000
apply output-interface Dialer1
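To make the root cause concrete, here is an added example (not from the original case or from Huawei) that evaluates the two versions of ACL 3000 against a packet the way the policy-based route does: a permit match sends the packet out Dialer1 (and through NAT), while a deny or no match leaves it on normal forwarding. The rule semantics modelled here (ascending rule order, wildcard masks, address-set ranges) are assumptions of this model.

```python
import ipaddress

# Address set from the case (three ranges of intranet hosts).
ADDRESS_SETS = {
    "celveluyou": [
        ("192.168.0.16", "192.168.0.122"),
        ("192.168.0.126", "192.168.0.199"),
        ("192.168.0.221", "192.168.0.253"),
    ],
}

# ACL 3000 before the fix and after rule 3 was added (both from the case).
ACL_BEFORE = """
rule 1 deny ip destination 113.108.195.0 0.0.0.255
rule 2 deny ip destination 192.168.0.254 0
rule 5 permit ip source address-set celveluyou
"""
ACL_AFTER = """
rule 1 deny ip destination 113.108.195.0 0.0.0.255
rule 2 deny ip destination 192.168.0.254 0
rule 3 deny ip destination 10.1.1.0 0.0.0.255
rule 5 permit ip source address-set celveluyou
"""

def _to_int(token):
    """Accept a dotted address or a bare integer such as the wildcard '0'."""
    return int(token) if token.isdigit() else int(ipaddress.IPv4Address(token))

def parse_acl(text):
    """Parse 'rule N action ip <field> <value> [wildcard]' lines, ordered by rule id."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "rule":
            continue
        rid, action, field = int(t[1]), t[2], t[4]
        if t[5] == "address-set":
            rules.append((rid, action, field, ("set", t[6])))
        else:  # network plus wildcard mask (set bits are "don't care")
            wildcard = _to_int(t[6]) if len(t) > 6 else 0
            rules.append((rid, action, field, ("net", _to_int(t[5]), wildcard)))
    return sorted(rules)

def _matches(cond, addr):
    a = int(ipaddress.IPv4Address(addr))
    if cond[0] == "set":
        return any(_to_int(lo) <= a <= _to_int(hi) for lo, hi in ADDRESS_SETS[cond[1]])
    _, net, wildcard = cond
    return (a & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)

def routed_via_dialer1(acl_text, src, dst):
    """True if the PBR redirects the packet to Dialer1 (ACL permit); deny or no match -> normal routing."""
    for _, action, field, cond in parse_acl(acl_text):
        if _matches(cond, src if field == "source" else dst):
            return action == "permit"
    return False
```

With the original ACL, a packet from the web server 192.168.0.73 to client 10.1.1.1 is permitted by rule 5 and pushed out Dialer1; with rule 3 in place it is denied and follows the normal route into the L2TP tunnel.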
Suggestions
none

END