IPSec Service Access Failure Due to Incorrectly Configured NAT Policies

Publication Date:  2013-10-08 Views:  45 Downloads:  0
Issue Description

Networking: PC (intranet) ---- third-party firewall ---- Internet ---- E1000E-X3 ---- SSL-VPN server

An IPSec tunnel was set up between the third-party firewall and Huawei firewall E1000E-X3.

The nat-policy interzone trust untrust outbound was applied so that hosts could access the Internet. No-NAT was applied to communication between private network addresses.

An intranet PC could telnet to the SSL-VPN server, but the SSL-VPN server could not telnet to the intranet PC.

After the SSL-VPN server tried to telnet to an intranet PC, engineers ran dis firewall session table destination inside 10.****** on the E1000E-X3 and a matching session entry was displayed, so the inbound packets were reaching the firewall and a session was being created for them.

Tracert from the SSL-VPN server to the public address of the uplink interface on the E1000E-X3 succeeded.

On the E1000E-X3, pinging the intranet PC with the SSL-VPN server's address as the source address succeeded.

In the tracert output, the second and third hops were xxx and the fourth hop was the destination address.
Handling Process

Huawei performed the following operations to address the problem:

1. Found that the E1000E did not block the remote-access packets; sessions were set up properly.

2. Checked the IPSec information and found that the VPN tunnel was set up properly.

3. Found that tracert to the public address succeeded.

4. Checked the outbound NAT policy configuration:

nat-policy interzone trust untrust outbound
 policy 6
  action source-nat
  policy source 10.************
  address-group 1
 policy 1
  action no-nat
  policy source 10.*************
  policy destination 10.**********

Policy 1 (action no-nat) was configured after policy 6. NAT policies are matched in configuration order and only the first matching policy is applied, so traffic from the intranet to the remote private network matched policy 6 and was source-NATed before policy 1 was ever consulted. Policy 1 therefore never took effect, packets bound for the remote private network were translated like ordinary Internet traffic, and access to the intranet PC failed.
Root Cause
The NAT policies were configured in an incorrect order.
Solution

Configure policy 1 before policy 6, so that the no-NAT exception for traffic between the private networks is matched before the general source-NAT policy for Internet access:

nat-policy interzone trust untrust outbound
 policy 1
  action no-nat
  policy source 10.*************
  policy destination 10.**********
 policy 6
  action source-nat
  policy source 10.************
  address-group 1
Suggestions
Order NAT policies so that the first match is the intended one: specific no-NAT policies for traffic that must cross an IPSec tunnel with its private addresses intact go before the general source-NAT policy for Internet access, because a broader policy placed earlier silently shadows every narrower policy after it. After adding or moving a policy, re-check the policy order and re-test tunnel traffic in both directions.
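To make the first-match rule and the shadowing it causes concrete, here is an added Python model of the ordered NAT-policy lookup together with a check that flags any policy fully covered by an earlier one. It is example code, not part of the original case or of Huawei's firewall software; the 10.1.1.0/24 and 10.2.2.0/24 prefixes and the host addresses in it are constructed stand-ins for the masked 10.* addresses on the page.

```python
"""Model of ordered NAT-policy matching on a firewall (first match wins).

Added example, not configuration or code from the original case or from Huawei.
Constructed stand-ins for the masked addresses on the page: 10.1.1.0/24 plays the
intranet behind the E1000E-X3, 10.2.2.0/24 the SSL-VPN server's private network
reached through the IPSec tunnel.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatPolicy:
    policy_id: int
    action: str                     # "source-nat" or "no-nat"
    source: str                     # CIDR the packet's source must fall in
    destination: str = "0.0.0.0/0"  # CIDR for the destination; default is "any"

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


def lookup(policies, src, dst):
    """Walk the policies in configuration order and return the first match,
    which is the only one the firewall applies. None means no policy hit."""
    for policy in policies:
        if policy.matches(src, dst):
            return policy
    return None


def shadowed_policies(policies):
    """Find later policies that can never match because an earlier policy
    already covers their whole source and destination range.
    Returns (shadowed_id, shadowing_id) pairs in configuration order."""
    found = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            covered = (ip_network(later.source).subnet_of(ip_network(earlier.source))
                       and ip_network(later.destination).subnet_of(ip_network(earlier.destination)))
            if covered:
                found.append((later.policy_id, earlier.policy_id))
                break
    return found


# Order as it was on the E1000E-X3 in the case: source-NAT first, no-NAT second.
WRONG_ORDER = [
    NatPolicy(6, "source-nat", "10.1.1.0/24"),
    NatPolicy(1, "no-nat", "10.1.1.0/24", "10.2.2.0/24"),
]

# Order after the fix: the specific no-NAT exception precedes the general rule.
CORRECT_ORDER = [
    NatPolicy(1, "no-nat", "10.1.1.0/24", "10.2.2.0/24"),
    NatPolicy(6, "source-nat", "10.1.1.0/24"),
]

if __name__ == "__main__":
    pc, vpn_server, internet_host = "10.1.1.10", "10.2.2.5", "203.0.113.7"
    for label, table in (("wrong order", WRONG_ORDER), ("correct order", CORRECT_ORDER)):
        hit = lookup(table, pc, vpn_server)
        print(f"{label}: PC -> SSL-VPN server hits policy {hit.policy_id} ({hit.action})")
        hit = lookup(table, pc, internet_host)
        print(f"{label}: PC -> Internet hits policy {hit.policy_id} ({hit.action})")
        print(f"{label}: shadowed policies: {shadowed_policies(table)}")
```

Against the misordered table, a PC-to-SSL-VPN-server packet returns policy 6 (source-nat) and the checker reports policy 1 as shadowed by policy 6; with the corrected order the same packet hits policy 1 (no-nat), nothing is shadowed, and Internet-bound traffic still falls through to policy 6. The same check can be run over any outbound NAT policy list before a tunnel that carries private addresses goes live.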

END