
FAQ - Can a user who gets an IP address from the SSL VPN gateway network extension access the firewall itself on the USG5500?

Publication Date:  2014-12-31 Views:  117 Downloads:  0
Issue Description
A user obtains an IP address from the SSL VPN network extension, but cannot ping the loopback interface or any physical interface other than the one used for the SSL VPN gateway.
This is the topology:
 
There is no policy restriction configured from any other zone to the local zone. For example, when the user gets IP 172.16.251.110 from the SSL VPN network extension, he cannot ping the physical interface with IP 172.16.251.254 or the loopback interface with IP 172.16.20.1.

However, he can ping the device 172.16.251.253, which is in the LAN.

The related configuration for SSL VPN:
service
  network-extension enable
  network-extension netpool 172.16.251.100 172.16.251.200 255.255.255.0
  network-extension mode manual
  network-extension manual-route 172.16.252.0 255.255.252.0
  network-extension manual-route 172.16.251.0 255.255.255.0
  network-extension manual-route 172.16.120.1 255.255.255.255

Solution
USG series firewalls are designed so that an end user who receives an IP address from the SSL VPN network extension IP pool is not allowed to access the firewall itself. This is a deliberate security design.
The difference between the USG series and the NGFW series is the scope of the deny: USG denies every address in the network extension IP pool from accessing the firewall itself, whereas NGFW denies only the addresses that have actually been assigned, not the whole pool.
Therefore, when testing route reachability between an end user who gets an IP from the SSL VPN network extension IP pool and the LAN, do not use a ping to the firewall itself as the test target; ping a LAN host instead.

END