USG5500 with dual external links: the intranet server can only be reached through the 221.2.141.198 address.

Publication Date:  2012-10-26
Issue Description
Telecom------
            USG5500-----intranet Server
Netcom------

The customer reports that the USG5500 has two external (extranet) links, but the intranet server can only be accessed through the 221.2.141.198 address, not through the other link.
The configuration is as follows:

[USG5500]  dis ip in b
15:42:24  2012/02/04
*down: administratively down
(s): spoofing
Interface                   IP Address      Physical Protocol Description
GigabitEthernet0/0/0        192.168.0.1     down     down     Huawei, USG5500
GigabitEthernet0/0/1        202.110.217.68  up       up       Huawei, USG5500
GigabitEthernet0/0/2        221.2.141.198   up       up       Huawei, USG5500
GigabitEthernet0/0/3        191.100.1.1     up       up       Huawei, USG5500
GigabitEthernet0/0/4        191.100.6.1     up       up       Huawei, USG5500
[USG5500]dis cu
15:43:23  2012/02/04
#
sysname USG5500

#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local isp direction inbound
firewall packet-filter default permit interzone local isp direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone trust isp direction inbound
firewall packet-filter default permit interzone trust isp direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
firewall packet-filter default permit interzone isp untrust direction inbound
firewall packet-filter default permit interzone isp untrust direction outbound
firewall packet-filter default permit interzone dmz isp direction inbound
firewall packet-filter default permit interzone dmz isp direction outbound
#
nat address-group 1 202.110.217.68 202.110.217.68
nat address-group 2 221.2.141.198 221.2.141.198
nat server 0 protocol tcp global 202.110.217.68 443 inside 191.100.6.2 443
nat server 1 protocol tcp global 221.2.141.198 www inside 191.100.8.253 www
nat server 2 protocol tcp global 221.2.141.198 8065 inside 191.100.8.253 8065
nat server 3 protocol udp global 221.2.141.198 8065 inside 191.100.8.253 8065
nat server 4 protocol tcp global 202.110.217.67 www inside 10.112.193.65 www
#
firewall ipv6 session link-state check
#
firewall session link-state check
#
firewall defend smurf enable
firewall defend ip-spoofing enable
firewall defend arp-spoofing enable
firewall defend sip-flood enable
firewall source-ip detect interface GigabitEthernet0/0/1
firewall source-ip detect interface GigabitEthernet0/0/2
firewall defend arp-flood interface GigabitEthernet0/0/3 max-rate 1000
#                                       


interface GigabitEthernet0/0/0
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 202.110.217.68 255.255.255.248
#
interface GigabitEthernet0/0/2
ip address 221.2.141.198 255.255.255.240
#
interface GigabitEthernet0/0/3
ip address 191.100.1.1 255.255.255.240
#
interface GigabitEthernet0/0/4
ip address 191.100.6.1 255.255.255.252
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/3
add interface GigabitEthernet0/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
firewall zone dmz                       
set priority 50
#
firewall zone name isp
set priority 20
add interface GigabitEthernet0/0/1

ip route-static 0.0.0.0 0.0.0.0 221.2.141.193
ip route-static 0.0.0.0 0.0.0.0 202.110.217.65
ip route-static 10.112.0.0 255.255.0.0 191.100.1.2
ip route-static 191.100.8.0 255.255.255.0 191.100.1.2
ip route-static 192.168.1.0 255.255.255.0 191.100.1.2

Alarm Information
none
Handling Process
Disable the IP-spoofing defence, or use policy-based routing (PBR) to ensure that the inbound and outbound interfaces of a flow are the same.
Root Cause
From the configuration above, the customer has written two default routes. The first suspicion was these two default routes: a session might enter through one interface but leave through the other, and because the upstream devices have strict route checking enabled, the inconsistent forward and return paths would cause the packets to be discarded after the route check. However, we tested this:
From the public network, a device is used to ping the USG5500, but its interface address cannot be reached:
[USG2100]ping -c 100 202.110.217.68
                                        
[USG5500-hidecmd]dis firewall session table verbose_hide both-direction destination global 202.110.217.68
10:30:55  2012/02/04
Current Total Sessions : 0
Checking the session table on the USG5500 shows no session information at all, so this is not the interface problem suspected earlier. Rather than being dropped by the upstream device's strict route check, the symptom suggests that the packets either never reach the firewall or are discarded directly by the firewall itself.
Carefully checking the configuration, the following attack defence is found to be enabled:
firewall defend ip-spoofing enable
How the ip-spoofing defence works
The firewall performs a reverse lookup of the packet's source IP address in the FIB table. If the egress interface returned by this reverse lookup differs from the interface on which the packet arrived, the packet is regarded as an IP spoofing attack and handled accordingly (dropped). When a detailed (specific) route is configured, the forward and return paths both stay on the Netcom network and there is no problem; without a detailed route, the FIB lookup may return the Telecom link as the egress, so the packet is judged to be an attack packet and is not processed.
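The reverse-path check described above, modelled as an added example (this is not Huawei's code and is not part of the original case): a small Python FIB built from the routes and interface addresses on this page, with a strict source-address check run against it. The mapping of next hops to interfaces and the per-address split of the two equal-cost default routes are assumptions; the peer addresses in 198.51.100.0/24 are constructed documentation-range values, and PBR is not modelled.

```python
import ipaddress

# Constructed model of the USG5500 forwarding table from the page's config:
# two equal-cost default routes (Netcom via GE0/0/2, Telecom via GE0/0/1),
# the connected networks and the static intranet routes. Mapping each next
# hop to an egress interface is an assumption based on the interface addresses.
FIB = [
    ("0.0.0.0/0",         "GigabitEthernet0/0/2"),  # next hop 221.2.141.193 (Netcom)
    ("0.0.0.0/0",         "GigabitEthernet0/0/1"),  # next hop 202.110.217.65 (Telecom)
    ("202.110.217.64/29", "GigabitEthernet0/0/1"),  # connected
    ("221.2.141.192/28",  "GigabitEthernet0/0/2"),  # connected
    ("191.100.1.0/28",    "GigabitEthernet0/0/3"),  # connected
    ("191.100.6.0/30",    "GigabitEthernet0/0/4"),  # connected
    ("10.112.0.0/16",     "GigabitEthernet0/0/3"),  # static via 191.100.1.2
    ("191.100.8.0/24",    "GigabitEthernet0/0/3"),  # static via 191.100.1.2
]

def fib_lookup(ip, fib=FIB):
    """Longest-prefix match returning the egress interface. Equal-cost entries
    are split per address (assumed hash: integer value modulo path count)."""
    addr = ipaddress.ip_address(ip)
    best, ifaces = -1, []
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best:
            best, ifaces = net.prefixlen, [iface]
        elif net.prefixlen == best:
            ifaces.append(iface)
    ifaces.sort()
    return ifaces[int(addr) % len(ifaces)] if ifaces else None

def ip_spoofing_check(src_ip, in_iface, fib=FIB, enabled=True):
    """Model of 'firewall defend ip-spoofing enable': reverse-look up the source
    and accept the packet only if the return path uses the ingress interface."""
    if not enabled:
        return "forward"
    return "forward" if fib_lookup(src_ip, fib) == in_iface else "drop"

if __name__ == "__main__":
    # Constructed public peers (documentation range) pinging 221.2.141.198,
    # so their packets arrive over the Netcom link on GE0/0/2.
    for src in ("198.51.100.10", "198.51.100.11"):
        print(src, "->", ip_spoofing_check(src, "GigabitEthernet0/0/2"))
    # A detailed route pinning the peer prefix to Netcom makes the check pass.
    pinned = FIB + [("198.51.100.0/24", "GigabitEthernet0/0/2")]
    print("detailed route:", ip_spoofing_check("198.51.100.10", "GigabitEthernet0/0/2", pinned))
    print("disabled:", ip_spoofing_check("198.51.100.10", "GigabitEthernet0/0/2", enabled=False))
```

One peer is dropped and its neighbour is forwarded purely because the two default routes split the reverse lookup between Telecom and Netcom, which is the intermittent reachability the case describes; a genuinely spoofed intranet source arriving on the outside interface is still dropped in every variant except the disabled one.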
Suggestions
In a dual-uplink network, if it cannot be guaranteed that traffic always enters through the same link on which the return path leaves, it is recommended not to enable "firewall defend ip-spoofing enable".

END