
SSL VPN client can't access internal

Publication Date:  2017-11-29 Views:  420 Downloads:  0
Issue Description

SSL VPN clients cannot access the internal network; the USG blocks the client traffic as an attack.

Alarm Information

Nov 27 2017 16:55:57+08:00 WGN_FW1%%01ATK/4/FIREWALLATCK(l)[0]:AttackType="IP spoof attack", slot="y",cpu="0", receive interface="GE1/0/x ", proto="UDP", src="172.x.x.53:54065 ", dst="y.y.y.y:53 ", begin time="2017-11-27 16:55:30", end time="2017-11-27 16:55:54", total packets="10", max speed="0", User="", Action="discard".

Handling Process

1. I checked the configuration: the SSL VPN client address pool is 172.x.x.51-172.x.x.100, and the LAN segment is 172.x.x.0/24. The SSL VPN traffic arrives on GE1/0/x (untrust), while the LAN segment sits behind GE1/0/y (trust). With “firewall defend ip-spoofing enable” configured, the firewall checks the source route of each packet, classifies the SSL VPN traffic as IP spoofing, and drops it.
#
firewall defend ip-spoofing enable
#
service
  network-extension netpool 172.x.x.51 172.x.x.100 255.255.255.0
#
interface GigabitEthernet1/0/y
  ip address 172.x.x.251 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/y
#
firewall zone untrust
 add interface GigabitEthernet1/0/x
#
2. The logs confirm that the SSL VPN clients' traffic was detected as IP spoofing and discarded as an attack:
  Nov 27 2017 16:55:57+08:00 WGN_FW1%%01ATK/4/FIREWALLATCK(l)[0]:AttackType="IP spoof attack", slot="y",cpu="0", receive interface="GE1/0/x ", proto="UDP", src="172.x.x.53:54065 ", dst="y.y.y.y:53 ", begin time="2017-11-27 16:55:30", end time="2017-11-27 16:55:54", total packets="10", max speed="0", User="", Action="discard".

Root Cause

“firewall defend ip-spoofing enable” is configured, but the SSL VPN clients' IP addresses are in the same segment as the LAN.

Solution

Either of the two options below resolves the issue.
Option 1: run the command “undo firewall defend ip-spoofing enable”.
Option 2: assign the SSL VPN clients a separate IP segment, and configure a route from the internal network to that segment.
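The following added example (not part of this case, not Huawei code) models the source-route check described above and runs it against a constructed FIREWALLATCK alarm in the page's format: with the VPN pool inside the LAN /24 the packet from untrust is discarded; with a separate pool routed via the untrust side (an assumption about how the pool is reached) it is forwarded. Interface names and addresses are made up.

```python
import ipaddress
import re

# Constructed sample alarm in the format shown on the page (placeholders
# replaced with made-up addresses; not a real device log).
ALARM = ('Nov 27 2017 16:55:57+08:00 FW1%%01ATK/4/FIREWALLATCK(l)[0]:'
         'AttackType="IP spoof attack", receive interface="GE1/0/1 ", '
         'proto="UDP", src="172.16.1.53:54065 ", dst="172.16.1.10:53 ", Action="discard".')

def parse_alarm(line):
    """Pull the receive interface and source IP out of a FIREWALLATCK alarm."""
    iface = re.search(r'receive interface="([^"\s]+)', line).group(1)
    src = re.search(r'src="([^":\s]+)', line).group(1)
    return iface, src

# Routing tables for the two situations (constructed, modelled on the case).
# Overlapping: the VPN netpool lives inside the LAN /24 behind GE1/0/2 (trust).
ROUTES_OVERLAP = [("172.16.1.0/24", "GE1/0/2"), ("0.0.0.0/0", "GE1/0/1")]
# Option 2: a separate pool reached through the SSL VPN side on GE1/0/1
# (untrust, assumed), so the source route matches the receive interface.
ROUTES_SEPARATE = [("172.16.1.0/24", "GE1/0/2"), ("10.200.0.0/24", "GE1/0/1"),
                   ("0.0.0.0/0", "GE1/0/1")]

def route_interface(routes, ip):
    """Longest-prefix match: the interface the firewall routes ip through."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def ip_spoof_check(routes, src, recv_iface, enabled=True):
    """Model of 'firewall defend ip-spoofing': discard when the route back to
    the source does not leave through the interface the packet arrived on."""
    if not enabled:
        return "forward"              # option 1: check switched off
    return "forward" if route_interface(routes, src) == recv_iface else "discard"

if __name__ == "__main__":
    iface, src = parse_alarm(ALARM)
    print(src, iface, ip_spoof_check(ROUTES_OVERLAP, src, iface))       # discard
    print(ip_spoof_check(ROUTES_OVERLAP, src, iface, enabled=False))    # forward
    print(ip_spoof_check(ROUTES_SEPARATE, "10.200.0.53", iface))        # forward
```

Note that with option 1 a LAN address arriving on the untrust interface is also forwarded, while option 2 keeps that packet discarded.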

END