
One IP fails to communicate with the LAN on the other side of an IPSec tunnel.

Publication Date:  2017-01-30 Views:  369 Downloads:  0
Issue Description
An IPsec tunnel has been established between 192.168.0.0/24 and 192.168.1.0/24. At the edge of 192.168.1.0/24 there is a USG6370. The host 192.168.1.60 cannot ping any of the IPs in 192.168.0.0/24.
Alarm Information

<USG6300>display firewall session table verbose source inside 192.168.1.60

Current Total Sessions : 2
Output-interface: GigabitEthernet1/0/0 NextHop: xxx.xxx.xxx.xxx  MAC: xx-xx-xx-xx-xx-xx
<--packets:0 bytes:0  -->packets:2 bytes:370
192.168.1.60:57821[xxx.xxx.xxx.xxx:57821]-->192.168.0.2:389 PolicyName: nat_outboun

Output-interface: GigabitEthernet1/0/0 NextHop: xxx.xxx.xxx.xxx  MAC: xx-xx-xx-xx-xx-xx
<--packets:0 bytes:0  -->packets:161 bytes:9660
192.168.1.60:1[xxx.xxx.xxx.xxx:1]-->192.168.0.2:2048 PolicyName: nat_outboun



Handling Process

Since only the IP 192.168.1.60 has this issue, I checked which other functions involving this IP are configured on the firewall. In the configuration I noticed that server mappings (nat server) had been created:

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  443 inside 192.168.40.60 443

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  smtp inside 192.168.40.60 smtp

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  143 inside 192.168.40.60 143

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  103 inside 192.168.40.60 103


These nat server entries were configured so that the customer can reach the device (a mail server) from the Internet. When such a mapping is created, the system also generates a reverse entry, which translates the inside address to the public address for traffic the server itself initiates.





Root Cause
The reverse entry created by the nat server command causes the source IP of the mail server to be translated to the public IP instead of remaining unchanged; this is visible in the session table above, where the inside address is rewritten to xxx.xxx.xxx.xxx before the packet leaves GigabitEthernet1/0/0. Traffic with the public source address is not carried by the tunnel, so it never reaches the LAN on the other side.
Solution

Configure the “no-reverse” parameter on each of the nat server rules. This stops the system from creating a reverse entry. If the parameter is not specified, both a server-map entry and its reverse entry are created.

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  443 inside 192.168.40.60 443 no-reverse

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  smtp inside 192.168.40.60 smtp no-reverse

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  143 inside 192.168.40.60 143 no-reverse

nat server server_xx zone yy protocol tcp global xxx.xxx.xxx.xxx  103 inside 192.168.40.60 103 no-reverse
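As an added example, not part of the original case, the following Python check parses nat server lines from a USG configuration and flags mappings whose inside host sits in an IPsec-protected subnet but lacks no-reverse, then produces the corrected lines. The sample configuration, the subnet 192.168.40.0/24 and the 203.0.113.x public addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample configuration, modelled on the nat server lines in this case.
SAMPLE_CONFIG = """\
nat server server_https zone untrust protocol tcp global 203.0.113.10 443 inside 192.168.40.60 443
nat server server_smtp zone untrust protocol tcp global 203.0.113.10 smtp inside 192.168.40.60 smtp no-reverse
nat server server_web zone untrust protocol tcp global 203.0.113.11 80 inside 192.168.50.20 80
"""

# Matches a USG "nat server" line; port fields may be numeric or a service name such as smtp.
NAT_SERVER_RE = re.compile(
    r"^nat server (?P<name>\S+) zone (?P<zone>\S+) protocol (?P<proto>\S+) "
    r"global (?P<gip>\S+) (?P<gport>\S+) inside (?P<iip>\S+) (?P<iport>\S+)(?P<rest>.*)$"
)


def parse_nat_servers(config_text):
    """Return one dict per 'nat server' line, recording whether no-reverse is present."""
    entries = []
    for line in config_text.splitlines():
        m = NAT_SERVER_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["no_reverse"] = "no-reverse" in entry.pop("rest").split()
        entries.append(entry)
    return entries


def find_reverse_risk(config_text, tunnel_subnets):
    """Flag mappings whose inside host is in a tunnel-protected subnet but lacks no-reverse.

    The reverse server-map entry rewrites that host's source address to the global IP,
    so its traffic towards the remote tunnel subnet is NATed instead of entering the tunnel.
    """
    nets = [ipaddress.ip_network(n) for n in tunnel_subnets]
    flagged = []
    for e in parse_nat_servers(config_text):
        if not e["no_reverse"] and any(ipaddress.ip_address(e["iip"]) in n for n in nets):
            flagged.append((e["name"], e["iip"], e["iport"]))
    return flagged


def add_no_reverse(config_text, tunnel_subnets):
    """Return the configuration with ' no-reverse' appended to each flagged line."""
    risky = {(n, ip, port) for n, ip, port in find_reverse_risk(config_text, tunnel_subnets)}
    out = []
    for line in config_text.splitlines():
        m = NAT_SERVER_RE.match(line.strip())
        if m and (m.group("name"), m.group("iip"), m.group("iport")) in risky:
            line = line.rstrip() + " no-reverse"
        out.append(line)
    return "\n".join(out)
```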

END