FAQ-Do the VT Interface IP Address Have to Belong to the Same Network Segment as IP Addresses in the Pool When the Firewall Serves as the LNS

Publication Date:  2015-07-02 Views:  236 Downloads:  0
Issue Description
Do the VT Interface IP Address Have to Belong to the Same Network Segment as IP Addresses in the Pool When the Firewall Serves as the LNS?
Solution
No. If the IP address of the VT interface does not belong to the same network segment as any address in the address pool and a default route is configured for the firewall, a loop occurs until the TTL is 0. That is, when a VPN user logs out and another user attacks or access the VPN user, the firewall sends the attack or access packet to the upstream device using the default route (lacking the route to the user). Then the upstream device searches for the route and sends the packet to the firewall. If the IP address of the VT interface belongs to the same network segment as addresses in the address pool, the firewall has a route destined for the network segment to which the IP address of the VT interface belongs, although the user already logs out. The firewall discards received access or attack packets. Therefore, ensure that a VT interface IP address belong to the same network segment as IP addresses in the address pool.

END