SSL VPN is configured on the USG2230 with the network extension function enabled. An external user obtains an address from the network extension pool but cannot ping the internal address. The internal PC is connected directly to the firewall.
1 Check the packet-filtering and SSL VPN configuration: no errors found.
2 Check the sessions that reach the internal network:
[USG2230]disp firewall session table v destination inside 192.168.3.8
Current total sessions: 1
icmp VPN: public -> public
Zone: trust -> trust TTL: 00:00:20 Left: 00:00:13
Interface: GigabitEthernet0/0/0 Nexthop: 192.168.10.1 MAC: 00-25-9e-d4-b7-4c
<-- packets:4 bytes:240 --> packets:4 bytes:240
The address 192.168.254.104, which the external user obtained from the network extension pool, was translated to 126.96.36.199 by NAT when the user accessed the destination PC. Interzone NAT is configured in the trust zone, and the ACL referenced by that interzone NAT includes the network segment distributed by the network extension.
3 Modify the ACL referenced by the interzone NAT so that it denies the network segment distributed by the network extension, excluding that segment from translation. The external user can then access the internal PC over SSL VPN normally.
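The ACL change from step 3, shown as an added example rather than the configuration from the original case; it assumes the network extension pool is 192.168.254.0/24, the internal LAN is 192.168.3.0/24 and the interzone NAT references ACL 2001 (all three are assumptions, taken from the addresses seen above).

```text
# Added example, not the original case's configuration. Assumed values:
# network extension pool 192.168.254.0/24, LAN 192.168.3.0/24, NAT ACL 2001.
#
# Before: the NAT ACL matches every trust-zone source, so traffic from the
# VPN client (192.168.254.104) to 192.168.3.8 is source-translated.
acl number 2001
 rule 10 permit source any
#
# After: deny the network extension pool ahead of the permit rule. Rules are
# matched in ascending rule-ID order, so the pool is excluded from NAT while
# LAN hosts are still translated.
acl number 2001
 rule 5 deny source 192.168.254.0 0.0.0.255
 rule 10 permit source 192.168.3.0 0.0.0.255
#
# The NAT binding that references acl 2001 is left unchanged (its exact
# command is version-specific and omitted here).
#
# Verify with the same command used in step 2: the session towards
# 192.168.3.8 should now show the untranslated source 192.168.254.104.
display firewall session table verbose destination inside 192.168.3.8
```

Keeping the pool out of source NAT also preserves the VPN client's real address in the session table and logs, so a session can be traced back to the user rather than to the translated address.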
Other possible causes of the same symptom:
1 Packet filtering blocks the access.
2 The internal PC has no gateway configured.
The address pool assigned by the SSL VPN network extension belongs to the trust zone, and an address obtained from it cannot ping the physical address of the internal network interface.