ACL Rules are Configured Incorrectly, so the P2P Traffic Control does not Take Effect on the USG2130

Publication Date:  2012-07-24 Views:  242 Downloads:  0
Issue Description
A customer in an office uses the USG2130 to configure the P2P traffic control function for intranet PCs. However, the function does not take effect.
Network: PC----USG2130---internet
The PC is in the Trust zone, and the Internet is in the Untrust zone.
Alarm Information
None
Handling Process
1. Check the version of the USG2130. It is V100R003C01SPC007, the latest version, and supports the P2P traffic control function.
2. Check the customer's P2P pattern file. It is the latest version, 1.2.2.4B.
3. Check the basic configurations of the P2P traffic control. It is normal.
4. Check the ACL corresponding to the P2P traffic control. Only one ACL matches the uplink and downlink configured by the customer. A rule as shown in the following is defined for source and destination IP addresses as follows:
 rule 0 permit ip source 192.168.1.0 0.0.0.255
The configuration of the P2P traffic control in the interzone is as follows:
p2p-car 3030 class 0 outbound
p2p-car 3030 class 0 inbound
Problem existing in the preceding configuration is as follows: In the P2P traffic control, inbound and outbound indicate upstream and downstream traffic respectively. The source IP address cannot be transferred to the destination IP address according to the traffic direction. Therefore, another outbound ACL should be added to specify the destination IP address as 192.168.1.0 0.0.0.255.
The modified configuration is as follows:
ACL 3030
 rule 0 permit ip source 192.168.1.0 0.0.0.255
ACL 3040
rule 0 permit ip destination 192.168.1.0 0.0.0.255


The configuration of the P2P traffic control in the interzone is as follows:
 p2p-car 3030 class 0 outbound
  p2p-car 3040 class 0 inbound
Root Cause
Possible causes are as follows:
1. The firewall is of such a lower version that does not support the P2P function.
2. The P2P pattern file is not updated to the latest version.
3. The application protocol whose traffic need to be controlled is not specified when P2P is configured.
4. ACL rules are incorrectly configured.
Suggestions
The differences between inbound and outbound in P2P traffic control and those in the interzone packet filtering should be understood.

END