Inter-Zone Packet Filtering Fault on the USG5160 of V100R005

Publication Date:  2014-01-06
Issue Description
The USG5160 firewall runs V100R005. A NAT server mapping translates TCP port 3389 on the firewall's public address 218.56.33.244 to TCP port 3389 of an intranet web server at 10.37.6.131. A PC on the public network cannot reach port 3389 of the intranet web server through this mapping, while a PC on the intranet can access port 3389 of the web server directly.
Key configurations are as follows:
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
nat server 47 protocol tcp global 218.56.33.244 3389 inside 10.37.6.131 3389
policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy destination 10.37.6.10
Alarm Information
None
Handling Process
1. Check the session table on the firewall. No session exists for the connection from the public-network PC, so the first packet is being dropped before a session is created.
2. Check the inter-zone packet filtering policy. No "firewall packet-filter default permit interzone trust untrust direction inbound" is configured, so the default action for inbound traffic from the untrust zone to the trust zone is deny, and the self-defined policy 0 permits only packets destined for 10.37.6.10, not for the web server at 10.37.6.131.
3. To rectify the fault, correct the inter-zone packet filtering policy so that its destination is the web server's intranet address 10.37.6.131 (the address seen by the policy after NAT server translation):
policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy destination 10.37.6.131
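The following is an added example (not Huawei's code and not part of the original case) that models the inter-zone packet filtering decision described in the handling process. It parses the configuration lines quoted on this page, applies the NAT server mapping before policy matching, and replays the public-network PC's first packet against the faulty and the corrected policy. The zone priorities used to derive the inbound/outbound direction are the USG defaults (local 100, trust 85, dmz 50, untrust 5); the model's name and structure are the example's own assumptions, and it covers only the configuration syntax that appears in this case.

```python
"""Model of the USG inter-zone packet-filter decision for this case (added example)."""
from dataclasses import dataclass, field

# Default USG security zone priorities; lower -> higher priority is "inbound".
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass
class Policy:
    zones: frozenset                      # the two zones of the inter-zone policy
    direction: str                        # "inbound" or "outbound"
    services: set = field(default_factory=set)
    destinations: set = field(default_factory=set)
    action: str = "permit"


@dataclass
class Firewall:
    default_permit: set = field(default_factory=set)   # {(zones, direction)}
    nat_servers: list = field(default_factory=list)    # [(proto, gip, gport, iip, iport)]
    policies: list = field(default_factory=list)


def parse_config(text: str) -> Firewall:
    """Parse only the subset of V100R005 syntax that appears on this page."""
    fw = Firewall()
    current = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["firewall", "packet-filter", "default"] and t[3] == "permit":
            # firewall packet-filter default permit interzone A B direction D
            fw.default_permit.add((frozenset((t[5], t[6])), t[8]))
        elif t[:2] == ["nat", "server"]:
            # nat server ID protocol P global GIP GPORT inside IIP IPORT
            fw.nat_servers.append((t[4], t[6], int(t[7]), t[9], int(t[10])))
        elif t[:2] == ["policy", "interzone"]:
            current = Policy(zones=frozenset((t[2], t[3])), direction=t[4])
            fw.policies.append(current)
        elif t[0] == "action":
            current.action = t[1]
        elif t[:3] == ["policy", "service", "service-set"]:
            current.services.add(t[3])
        elif t[:2] == ["policy", "destination"]:
            current.destinations.add(t[2])
        # "policy N" (rule index) carries nothing this model needs
    return fw


def apply_nat_server(fw, proto, dst_ip, dst_port):
    """NAT server translation is applied before the inter-zone policy is matched."""
    for p, gip, gport, iip, iport in fw.nat_servers:
        if (p, gip, gport) == (proto, dst_ip, dst_port):
            return iip, iport
    return dst_ip, dst_port


def filter_decision(fw, src_zone, dst_zone, proto, dst_ip, dst_port):
    """Return 'permit' or 'deny' for the first packet of a new session."""
    if src_zone == dst_zone:
        return "permit"                   # intra-zone traffic is not filtered by default
    dst_ip, dst_port = apply_nat_server(fw, proto, dst_ip, dst_port)
    zones = frozenset((src_zone, dst_zone))
    direction = "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"
    for pol in fw.policies:
        if (pol.zones == zones and pol.direction == direction
                and proto in pol.services and dst_ip in pol.destinations):
            return pol.action
    # No explicit rule matched: fall back to the inter-zone default action.
    return "permit" if (zones, direction) in fw.default_permit else "deny"


# Configuration lines quoted on this page (shared part, faulty policy, corrected policy).
COMMON = """
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
nat server 47 protocol tcp global 218.56.33.244 3389 inside 10.37.6.131 3389
"""
FAULTY_POLICY = """
policy interzone trust untrust inbound
 policy 0
  action permit
  policy service service-set tcp
  policy service service-set udp
  policy destination 10.37.6.10
"""
FIXED_POLICY = FAULTY_POLICY.replace("10.37.6.10", "10.37.6.131")


def public_pc_check(policy_text):
    """Decision for the public-network PC connecting to 218.56.33.244:3389."""
    fw = parse_config(COMMON + policy_text)
    return filter_decision(fw, "untrust", "trust", "tcp", "218.56.33.244", 3389)


if __name__ == "__main__":
    print("faulty policy :", public_pc_check(FAULTY_POLICY))   # deny
    print("fixed policy  :", public_pc_check(FIXED_POLICY))    # permit
```

With the faulty policy the translated destination 10.37.6.131 matches no rule, so the packet falls through to the default inbound action between untrust and trust, which is deny because only the outbound default permit is configured; this is why step 1 finds no session. The corrected destination makes policy 0 match and the connection is permitted.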
Root Cause
The inter-zone packet filtering policy specifies the wrong destination address: policy destination is 10.37.6.10 instead of the web server's 10.37.6.131, so inbound packets from the untrust zone match no rule, fall through to the default deny action for that direction, and no session is created.
Suggestions
None
