
A user who has obtained an IP address from the SSL VPN gateway cannot ping the firewall itself on the USG5500

Publication Date:  2014-12-27 Views:  93 Downloads:  0
Issue Description
A customer reported that after obtaining an IP address from the SSL VPN gateway, he could not ping the USG5500 firewall itself.
This is the topology:

After finishing the configuration, the customer obtains an IP address (172.16.251.110) from the network extension netpool, but cannot ping 172.16.255.254, the IP address of interface G0/0/8.

The related configuration on the USG5500 is as follows:
v-gateway china_gtac ip address 10.159.240.254
 service
  network-extension enable
  network-extension netpool 172.16.251.100 172.16.251.200 255.255.255.0
  network-extension mode manual
  network-extension manual-route 172.16.252.0 255.255.252.0
  network-extension manual-route 172.16.251.0 255.255.255.0


Alarm Information
None
Handling Process
(1) We simulated this issue in the lab and confirmed that the user obtains the IP address 172.16.251.110 from the SSL VPN gateway.

(2) Checked the interzone policy between the local zone and the trust zone and found no restriction there: the packet-filter default is permit, and the only rule explicitly permits the address set that contains the netpool subnet.
#
firewall packet-filter default permit interzone local trust direction inbound
#
policy interzone local trust inbound
 policy 0
  action permit
  policy source address-set lab_permit_ip      // includes 172.16.251.0/24
#

(3) Pinged 172.16.251.253, a host in the trust zone, from the client; it is reachable. So traffic through the tunnel to the LAN works, and only the firewall's own interface address is unreachable.

(4) This points to an implementation restriction rather than a configuration problem. After confirming with the R&D expert for SSL VPN, I got this conclusion: on all Huawei USG5500 versions up to and including the latest (V300R001C10SPC500), a network extension user cannot access the firewall itself (other than the SSL VPN gateway address). This restriction is implemented for security. It does not affect normal service, so the LAN can be accessed as expected.
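The steps above check three things by hand: that the client received a netpool address, that the local-trust inbound interzone policy permits it, and that the only remaining explanation is the platform restriction. The following Python script, added here as an example and not part of the original case or of Huawei's software, automates that reasoning over the quoted config fragments. The ip address-set definition, the interface block for G0/0/8 and its /22 mask are assumptions (the case only says that lab_permit_ip includes 172.16.251.0/24 and that G0/0/8 is 172.16.255.254); the function names parse_config, policy_permits and diagnose are mine.

```python
import ipaddress
import re

# Constructed sample: the USG5500 fragments quoted in this case, plus an ASSUMED
# address-set definition and an ASSUMED interface block (the /22 mask on G0/0/8 is
# taken from the 172.16.252.0/22 manual-route; the case does not state it).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/8
 ip address 172.16.255.254 255.255.252.0
#
v-gateway china_gtac ip address 10.159.240.254
 service
  network-extension enable
  network-extension netpool 172.16.251.100 172.16.251.200 255.255.255.0
  network-extension mode manual
  network-extension manual-route 172.16.252.0 255.255.252.0
  network-extension manual-route 172.16.251.0 255.255.255.0
#
ip address-set lab_permit_ip type object
 address 0 172.16.251.0 mask 24
#
firewall packet-filter default permit interzone local trust direction inbound
#
policy interzone local trust inbound
 policy 0
  action permit
  policy source address-set lab_permit_ip
#
"""


def parse_config(text):
    """Extract the parts of a USG5500 config that decide client -> firewall reachability."""
    cfg = {"vgw": None, "pool": None, "routes": [], "self_ips": set(),
           "address_sets": {}, "default_permit": False, "policies": []}
    cur_set, in_local_trust, policy = None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"v-gateway \S+ ip address (\S+)", line):
            cfg["vgw"] = ipaddress.IPv4Address(m[1])
        elif m := re.match(r"network-extension netpool (\S+) (\S+) \S+", line):
            cfg["pool"] = (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]))
        elif m := re.match(r"network-extension manual-route (\S+) (\S+)", line):
            cfg["routes"].append(ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip address (\S+) \S+", line):        # interface address
            cfg["self_ips"].add(ipaddress.IPv4Address(m[1]))
        elif m := re.match(r"ip address-set (\S+)", line):
            cur_set = cfg["address_sets"].setdefault(m[1], [])
        elif cur_set is not None and (m := re.match(r"address \d+ (\S+) mask (\d+)", line)):
            cur_set.append(ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False))
        elif line == "firewall packet-filter default permit interzone local trust direction inbound":
            cfg["default_permit"] = True
        elif line == "policy interzone local trust inbound":
            in_local_trust = True
        elif in_local_trust and (m := re.match(r"policy (\d+)$", line)):
            policy = {"id": int(m[1]), "action": None, "sources": []}
            cfg["policies"].append(policy)
        elif policy is not None and line.startswith("action "):
            policy["action"] = line.split()[1]
        elif policy is not None and (m := re.match(r"policy source address-set (\S+)", line)):
            policy["sources"].append(m[1])
        elif line == "#":                                          # end of config block
            cur_set, in_local_trust, policy = None, False, None
    return cfg


def policy_permits(cfg, src_ip):
    """Evaluate the local<-trust inbound interzone policy for one source address:
    rules are checked in order, the first match decides, else the packet-filter default."""
    src = ipaddress.IPv4Address(src_ip)
    for p in cfg["policies"]:
        members = [n for name in p["sources"] for n in cfg["address_sets"].get(name, [])]
        if any(src in n for n in members):
            return p["action"] == "permit"
    return cfg["default_permit"]


def diagnose(cfg, client_ip, target_ip):
    """Explain why a network-extension client can or cannot reach target_ip."""
    client, target = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(target_ip)
    lo, hi = cfg["pool"]
    if not lo <= client <= hi:
        return "client address is outside the network-extension netpool"
    if target == cfg["vgw"]:
        return "reachable: the v-gateway address is the tunnel endpoint, the one firewall address clients may use"
    if not any(target in r for r in cfg["routes"]):
        return "not tunnelled: target is outside every manual-route, so the client sends it via its own default route"
    if target in cfg["self_ips"]:
        if not policy_permits(cfg, client_ip):
            return "denied by the local-trust inbound interzone policy"
        return "permitted by config, but target is a firewall interface address: blocked by design on USG5500 up to V300R001C10SPC500"
    return "tunnelled to a LAN host: reachability is decided by that host's zone policy, not by local-trust"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for target in ("172.16.255.254", "172.16.251.253", "10.159.240.254", "192.168.1.1"):
        print(target, "->", diagnose(cfg, "172.16.251.110", target))
```

One detail the script makes explicit: 172.16.255.254 lies inside the 172.16.252.0/22 manual-route, so the client really does send the ping through the tunnel and the failure is not a client-side routing gap. Once the pool, the route and the policy all check out and the target is a firewall interface address, the only explanation left is the built-in restriction this case documents.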
Root Cause
On all Huawei USG5500 versions up to and including the latest (V300R001C10SPC500), a user who has obtained an address from the SSL VPN network extension pool cannot access the firewall itself, apart from the SSL VPN gateway address. This restriction is implemented for security. It does not affect normal service: hosts in the LAN remain reachable as expected.
Solution
No fix is required; the behaviour is by design on these versions, and there is no configuration workaround. Verify the network extension function by accessing a host in the LAN rather than by pinging the firewall's own interface address.
Suggestions
When you test whether the service works after configuring the SSL VPN network extension function, do not ping the firewall itself (other than the SSL VPN gateway address). By design, once a user has obtained a network extension IP address, that user is not allowed to access the firewall itself. The product documentation does not mention this important point.
