SSL VPN user obtains an IP address through the network extender function but cannot ping the internal network

Publication Date:  2012-09-13
Issue Description
SSL VPN is configured on a USG2230 with the network extender function enabled. An external user obtains an address from the network extender but cannot successfully ping internal addresses. The internal PC is connected directly to the firewall.
Alarm Information
none
Handling Process
1 Check the packet filtering and SSL VPN configuration: no errors found.

2 Check the sessions that reach the internal network:

[USG2230]disp firewall session table v destination inside 192.168.3.8
23:43:37 2011/08/14
Current total sessions: 1
icmp VPN: public -> public
Zone: trust -> trust TTL: 00:00:20 Left: 00:00:13
Interface: GigabitEthernet0/0/0 Nexthop: 192.168.10.1 MAC: 00-25-9e-d4-b7-4c
<-- packets:4 bytes:240 --> packets:4 bytes:240
192.168.254.104:768[7.7.7.7:38342]-->192.168.3.8:768

The address 192.168.254.104, obtained by the external user through the network extender, is translated to 7.7.7.7 by NAT when the user accesses the destination PC. Interzone NAT is configured within the trust zone, and the ACL referenced by that interzone NAT includes the network segment distributed by the network extender.

3 Modify the ACL referenced by the interzone NAT so that it denies (excludes) the network segment distributed by the network extender. After this change, external users can access the internal PC through SSL VPN normally.
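As an added illustration, not configuration taken from the original case, the fragment below shows the ACL-based interzone NAT before and after step 3. The network extender pool is assumed to be 192.168.254.0/24, the internal segment 192.168.0.0/16, and the command form follows the USG classic "nat outbound <acl> address-group" style; confirm the exact syntax against the firewall's own command reference.

```text
# Before (assumed): the ACL bound to trust->trust NAT also matches the extender pool,
# so VPN client traffic to 192.168.3.8 is source-translated to 7.7.7.7
acl number 2000
 rule 5 permit source 192.168.0.0 0.0.255.255
#
nat address-group 1 7.7.7.7 7.7.7.7
#
firewall interzone trust trust
 nat outbound 2000 address-group 1

# After: deny the network extender pool first so those clients are never translated;
# the later permit still covers the rest of the internal segment
acl number 2000
 rule 5 deny source 192.168.254.0 0.0.0.255
 rule 10 permit source 192.168.0.0 0.0.255.255
#
nat address-group 1 7.7.7.7 7.7.7.7
#
firewall interzone trust trust
 nat outbound 2000 address-group 1
```

After the change, the session shown in step 2 should list the 192.168.254.x source without a translated address in brackets, which confirms the extender clients bypass the interzone NAT.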
Root Cause
1 Packet filtering blocks the access
2 The internal PC has no gateway configured
3 Others
Suggestions
The address pool assigned by the SSL VPN network extender belongs to the Trust zone, and an address obtained from it cannot ping the physical address of the internal network interface.
