The customer uses a USG5100 as the network gateway. When a PPTP VPN client behind it connects to a VPN server on the Internet, the server logs the client's connection requests, but the connection never completes.
After analyzing the diagnostic information, the following checks were performed:
(1) Check network connectivity. The VPN client can ping the VPN server, but the VPN server cannot reach the firewall's public interface. Checking the firewall configuration shows that this is because the default packet filter denies that traffic; it does not affect the PPTP VPN service. The configuration is as follows:
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound //There is no "local untrust direction inbound" permit configuration
(2) The checks above show that network connectivity is normal, so the next step is the firewall's PPTP configuration. "detect pptp" is configured between the trust zone and the untrust zone. Source NAT is also enabled on the public interface with the command "nat enable"; in that case the command "detect pptp" must also be configured under the public interface, but it is missing from the current configuration, as shown below:
firewall interzone trust untrust
detect ftp
detect pptp //detect pptp is configured between the zones
ip address x.y.23.134 255.255.255.192
vrrp vrid 1 virtual-ip 184.108.40.206 master
detect ftp //but detect pptp is not configured under the interface
Based on the information above, the likely causes are as follows:
(1) The network is unreachable, or reachable in one direction only;
(2) The firewall drops packets because the PPTP configuration is incorrect.
Because source NAT is configured under the interface, the command "detect pptp" must be configured under the interface; in this situation, the "detect pptp" configured between the zones has no effect.
When "nat enable" is configured under an interface, "detect pptp" must also be configured under that interface for the PPTP VPN to work.
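As an added illustration (not part of the original case or of any Huawei tool), the following Python check audits a USG-style configuration text for exactly this mismatch: every interface view that contains "nat enable" must also contain "detect pptp". The configuration sample, interface names and addresses are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample of a USG-style configuration (not the customer's real config).
# Interface names and addresses are placeholders; the first interface shows the
# misconfiguration from the case, the second shows the corrected state.
SAMPLE_CONFIG = """\
firewall interzone trust untrust
 detect ftp
 detect pptp
#
interface GigabitEthernet0/0/1
 ip address 192.0.2.134 255.255.255.192
 nat enable
 detect ftp
#
interface GigabitEthernet0/0/2
 ip address 192.0.2.66 255.255.255.192
 nat enable
 detect ftp
 detect pptp
#
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [commands under that interface view]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or line.startswith("firewall "):
            current = None  # '#' or a new top-level view ends the interface view
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def nat_interfaces_missing_pptp_alg(config: str) -> List[str]:
    """Interfaces with 'nat enable' that lack 'detect pptp' in the same view."""
    missing = []
    for name, cmds in parse_interfaces(config).items():
        has_nat = any(c.startswith("nat enable") for c in cmds)
        has_pptp_alg = any(c == "detect pptp" for c in cmds)
        if has_nat and not has_pptp_alg:
            missing.append(name)
    return missing
```

Run it against a saved "display current-configuration" text; any interface it reports needs "detect pptp" added under the interface view.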