Policy routing prevents hosts on two LANs in the same zone from communicating with each other

Publication Date: 2012-10-15
Issue Description

The firewall has two Internet uplinks. Interfaces G0/2 and G0/3 were added to the trust zone, and policy-based routing was configured on G0/3 to split traffic between the two uplinks. Symptom: the hosts on the two LANs (192.168.30.253 and 192.168.210.1) cannot ping each other, although both hosts can be pinged from the firewall and both LANs reach the Internet normally.
Alarm Information
None
Handling Process
1. Deleted the intra-domain NAT; the problem persisted.
2. Checked the session table, which contained the following entries:
[USG3000-acl-adv-3011]dis fire session table destination inside ip 192.168.210.1
DNS:192.168.210.1:53<--192.168.220.60:50944
DNS:192.168.210.1:53<--192.168.220.53:57582
icmp:192.168.30.253:256---192.168.210.1:256
DNS:192.168.210.1:53<--192.168.220.53:62151
This shows a session between two hosts inside the trust zone (the entry has no arrow, which marks an intra-zone session). The ICMP request therefore reaches the other host, but no reply comes back.
3. Checked the policy-routing ACLs:
acl number 3010
rule 1 deny ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
rule 2 deny ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
rule 3 deny ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
rule 4 deny ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
rule 5 permit ip source 192.168.208.0 0.0.0.255
rule 10 permit ip source 192.168.209.0 0.0.0.255
rule 15 permit ip source 192.168.210.9 0
acl number 3011
rule 5 permit ip source 192.168.210.0 0.0.0.255
rule 10 permit ip source 192.168.211.0 0.0.0.255
rule 15 permit ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
rule 20 permit ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
rule 25 permit ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
rule 30 permit ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
#
route-policy po_wangtong permit node 5
if-match acl 3010
apply ip-address next-hop 61.163.26.74
route-policy po_wangtong permit node 10
if-match acl 3011
apply ip-address next-hop 218.28.60.162
The highlighted rule (the ACL 3011 rule matching source 192.168.210.0 0.0.0.255) covers 192.168.210.1. Once it is hit, packets from 192.168.210.1 to 192.168.30.253 are policy-routed to next hop 218.28.60.162 instead of back towards the LAN, so 192.168.30.253 never receives the ICMP reply.
4. Modified the policy-routing ACL 3011 by adding deny rules for the inter-LAN traffic, so that it now reads:
acl number 3011
rule 3 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
rule 4 deny ip source 192.168.210.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 5 permit ip source 192.168.210.0 0.0.0.255
rule 10 permit ip source 192.168.211.0 0.0.0.255
rule 15 permit ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
rule 20 permit ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
rule 25 permit ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
rule 30 permit ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255

ICMP debugging then showed packets in both directions, and the PCs could ping each other.
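The following Python models the evaluation described in steps 3 and 4; it is an added example, not part of the case or of any Huawei code. It replays route-policy node 10 (ACL 3011) for the two flows in question; node 5 (ACL 3010) is left out because none of its rules match a 192.168.210.1 source (its only 210.x rule is for host 192.168.210.9), and the Internet destination 203.0.113.10 used in the check is a constructed address.

```python
import ipaddress

# ACL 3011 exactly as shown in step 3 of the case (Huawei USG syntax).
ACL_3011_BEFORE = """
rule 5 permit ip source 192.168.210.0 0.0.0.255
rule 10 permit ip source 192.168.211.0 0.0.0.255
rule 15 permit ip source 192.168.208.0 0.0.0.255 destination 125.40.47.26 0
rule 20 permit ip source 192.168.209.0 0.0.0.255 destination 125.40.47.26 0
rule 25 permit ip source 192.168.208.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
rule 30 permit ip source 192.168.209.0 0.0.0.255 destination 192.168.220.0 0.0.0.255
"""
# The fix from step 4: deny the inter-LAN flows first so they fall through to normal routing.
ACL_3011_AFTER = """
rule 3 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.210.0 0.0.0.255
rule 4 deny ip source 192.168.210.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
""" + ACL_3011_BEFORE

def parse_rules(text):
    # "rule N permit|deny ip source A W [destination A W]", evaluated in rule-number order.
    rules = []
    for t in (line.split() for line in text.splitlines() if line.strip()):
        src = (t[t.index("source") + 1], t[t.index("source") + 2])
        dst = None
        if "destination" in t:
            dst = (t[t.index("destination") + 1], t[t.index("destination") + 2])
        rules.append((int(t[1]), t[2], src, dst))
    return sorted(rules)

def wildcard_match(addr, spec):
    # Huawei wildcard mask: a 1 bit means "don't care"; "0" is CLI shorthand for one host.
    if spec is None:
        return True
    base, wild = spec
    wild = "0.0.0.0" if wild == "0" else wild
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def acl_action(rules, src, dst):
    # First matching rule wins; a deny, or no match at all, leaves the node unmatched.
    for _num, action, s, d in rules:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "no-match"

def pbr_next_hop(nodes, src, dst):
    # route-policy nodes in order; only an ACL permit hit applies that node's next hop.
    for rules, next_hop in nodes:
        if acl_action(rules, src, dst) == "permit":
            return next_hop
    return "routing-table"  # nothing matched: ordinary route lookup, i.e. back to the LAN
```

Before the fix, 192.168.210.1 to 192.168.30.253 hits the permit rule and is handed to 218.28.60.162; after it, the new deny rule leaves that flow to the routing table while Internet-bound traffic from 192.168.210.0/24 is still policy-routed.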

Root Cause
1. Intra-domain NAT caused problems;
2. Policy routing caused the return traffic not to follow the original path (asymmetric forwarding).
Suggestions
None
