USG: National Archive Libraries Agency VC not working after the ADSL interface IP address was changed

Publication Date: 2017-09-06
Issue Description

Issue: the VC cannot communicate with the MCU.

1. Topology:

The local VC is connected to the customer's access switch ----> distribution switch ----> core switch ----> Firewall (Ethernet0/0/0: 172.21.64.1, Ethernet1/0/1: 10.131.236.20) ----> ethio telecom's ADSL link (through Wordanet) ----> the national data center's MCU

2. The IP address of the ADSL interface Ethernet1/0/1 was changed, and the following configuration was added:

#
 interface Ethernet1/0/1
  ip address 10.131.236.20 255.255.255.0
#
 ip route-static 172.30.40.0 255.255.255.0 Ethernet1/0/1 10.131.236.18
#

Handling Process

From the device configuration, we found that interface Ethernet1/0/1 belongs to the untrust zone and interface Ethernet0/0/0 belongs to the trust zone.

From the firewall we can ping both the VC address 172.21.66.10 and the MCU address 172.30.40.11, but the VC (172.21.66.10) cannot ping the MCU (172.30.40.11).

We also found that traffic from the trust zone to the untrust zone was not permitted, so we permitted the interzone security policy between trust and untrust in both directions:

 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound

However, the service was still not working.

We then checked the traffic statistics on the firewall and found that, when pinging from 172.21.66.10 to 172.30.40.11, the packets were sent out through the ADSL interface but no replies came back.


As noted above, the MCU address 172.30.40.11 can be pinged from the firewall itself. We therefore concluded that either the ADSL link only permits the peer (link) address to reach the MCU, or ethio telecom's ADSL network has no return route for the VC's subnet.

Solution

Because the firewall can ping both the VC address 172.21.66.10 and the MCU address 172.30.40.11, we can solve this with source NAT: translate the VC address 172.21.66.10 to the ADSL interface address 10.131.236.20 when it visits the MCU, so that replies are returned to an address the ADSL link can reach.

 nat address-group 6 10.131.236.20 10.131.236.20
#
 nat-policy interzone trust untrust outbound
  policy 0
   action source-nat
   policy source 172.21.66.10 mask 32
   address-group 6
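The diagnosis above, as an added Python model of the forwarding decision (not Huawei code and not part of the original case): it applies the zone mapping, the static route and the interzone and NAT policies from this page to the flow 172.21.66.10 -> 172.30.40.11 and shows why the packet left but got no reply until source NAT was applied. The trust-side route for 172.21.0.0/16 and the assumption that the ADSL provider can only route back to the 10.131.236.0/24 link subnet are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the firewall in this case. Interface zones, the ADSL address and
# the 172.30.40.0/24 static route come from the page; the trust-side route and the
# ISP return reachability are assumptions for the example.
ZONES = {"Ethernet0/0/0": "trust", "Ethernet1/0/1": "untrust"}
IF_ADDR = {"Ethernet0/0/0": ip_address("172.21.64.1"),
           "Ethernet1/0/1": ip_address("10.131.236.20")}
ROUTES = [  # (prefix, egress interface); longest prefix wins
    (ip_network("172.30.40.0/24"), "Ethernet1/0/1"),
    (ip_network("172.21.0.0/16"), "Ethernet0/0/0"),  # assumed route to the VC subnet
]
# Assumption: the ADSL provider only has a return route for the link subnet, not the LAN.
ISP_REACHABLE = [ip_network("10.131.236.0/24")]

def egress_interface(dst):
    """Longest-prefix route lookup; returns the egress interface name or None."""
    hits = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
    return max(hits)[1] if hits else None

def forward(src, dst, interzone_permit, nat_policies):
    """Model one outbound flow: zone pair, interzone policy check, source NAT, and
    whether the far end can route a reply back. interzone_permit is a set of
    (src_zone, dst_zone) pairs; nat_policies is a list of
    (source prefix, (src_zone, dst_zone), translated source address)."""
    src, dst = ip_address(src), ip_address(dst)
    pair = (ZONES[egress_interface(src)], ZONES[egress_interface(dst)])
    result = {"zones": pair, "permitted": pair in interzone_permit, "src_on_wire": src}
    if not result["permitted"]:
        result["reply_routable"] = False
        return result
    for prefix, nat_pair, new_src in nat_policies:
        if pair == nat_pair and src in prefix:  # first matching NAT policy applies
            result["src_on_wire"] = new_src
            break
    result["reply_routable"] = any(result["src_on_wire"] in n for n in ISP_REACHABLE)
    return result

# Policies from the page: interzone trust<->untrust permitted, then the /32 source NAT rule.
PERMIT = {("trust", "untrust"), ("untrust", "trust")}
NAT = [(ip_network("172.21.66.10/32"), ("trust", "untrust"), IF_ADDR["Ethernet1/0/1"])]

if __name__ == "__main__":
    # Before NAT: packet leaves as 172.21.66.10, the ISP cannot route the reply back.
    print(forward("172.21.66.10", "172.30.40.11", PERMIT, []))
    # After NAT: packet leaves as 10.131.236.20, the reply is routable.
    print(forward("172.21.66.10", "172.30.40.11", PERMIT, NAT))
```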

END