Questo sito utilizza cookie di profilazione (propri e di terze parti) per ottimizzare la tua esperienza online e per inviarti pubblicità in linea con le tue preferenze. Continuando a utilizzare questo sito senza modificare le tue preferenze acconsenti all’uso dei cookie. Se vuoi saperne di più o negare il consenso a tutti o ad alcuni cookie clicca qui>
The website that you are visiting also provides Arabian language. Do you wish to switch language version?
يوفر موقع الويب الذي تزوره المحتوى باللغة العربية أيضًا. هل ترغب في تبديل إصدار اللغة؟
The website that you are visiting also provides Russia language Do you wish to switch language version?
Данный сайт есть в английской версии. Желаете ли Вы перейти на английскую версию?
Issue : VC cannot communicate with MCU
1.here is the topo:
the loacl VC is connected to our access switch----> distribution switch---->core switch---->(0/0/0:172.21.64.1)Firewall(1/0/1:10.131.236.20)----(ethio telecom's ADSL through wordanet)-----national data center's MCU
2.Change IP address of ADSL interface 1/0/1
They added below configuration:
ip address 10.131.236.20 255.255.255.0
ip route-static 172.30.40.0 255.255.255.0 Ethernet1/0/1 10.131.236.18
from the device configuration information, we can found that the interface 1/0/1 is belong to untrust zone and interface 0/0/0 is belong to trust zone.
and we can ping VC address 172.21.66.10 and can ping MCU address 172.30.40.11 from firewall,but cannot ping from 172.21.66.10 to 172.30.40.11
and we found that there is not permited from trust zone to untrust zone, so we permit the security policy from trust zone to untrust zone.
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
but the sevice was still not working.
then we did the traffic statistics,found that the traffic is sent out but not back when ping from 172.21.66.10 to 172.30.40.11.
but as said before, we can ping MCU address 172.30.40.11 from firewall, so we think there is some limit that just permit peer address visit MCU on ethio telecom's ADSL link or there is no back routing on ethio telecom's ADSL link.
due to can ping VC address 172.21.66.10 and can ping MCU address 172.30.40.11 from firewall, so we can do NAT, make the VC address 172.21.66.10 is NAT to 10.131.236.20 to visit MCU
nat address-group 6 10.131.236.20 10.131.236.20
nat-policy interzone trust untrust outbound
policy source 172.21.66.10 mask 32