L2tp LNS of firewall doesn’t support application scene of dialing firewall interface with GLOBAL address of Nat Server

Publication Date:  2012-09-13 Views:  400 Downloads:  0
Issue Description
Untrust trust
User of l2tp ------LAC ------ E300 LNS ----- internal network
E300 as LNS-end, the address which l2tp user dialing is the public network after firewall internal network interface through nat server mapping. Tunnel of l2tp constituted successfully, but ping VT interface failed, the configuration of nat server:
  nat server global inside is the address of firewall internal network interface, belongs to trust zone. The address l2tp user dialing is
Alarm Information
Handling Process
1、 packet capturing between firewall and LAC, finding exceptional message.
2、 Analysis reasons combined with l2tp process of firewall.
Root Cause
L2tp LNS function of firewall doesn’t support the application scene that dialing interface of firewall through GLOBAL address of Nat Server, reasons as bellow:
Analysis problem with packet capturing between firewall and LAC. Finding out that the ping message send by client encapsulated to the head of new ip by l2tp, the destination ip is ip address of nat server).

After the ping reply message which firewall replied encapsulated by l2tp, the source ip address is

The problem is obvious after packet capturing, l2tp data message replied by firewall hasn’t transformed to by nat, so, ping VT interface failed.
Annotation: for message encapsulated by l2tp, firewall sends them out directly, without firewall process, without nat address translation. 
Here is two application scene of firewall as LNS-end:
1、 topology(add a EU1000, configure nat server function on EU1000)
user of l2tp ----- LAC ----- EU1000 ----- EU300 LNS
2、 topology(nat server not configured, user of l2tp dialing the interface address of EU300 directly)
user of l2tp ----- LAC ---------- EU300 LNS