Routing configuration causes firewall cutover to fail

Publication Date:  2012-10-11 Views:  416 Downloads:  0
Issue Description
Service flow before the cutover: a user on the S2300 dials in to the MA5200F; the MA5200F, which sits on the public network, initiates authentication to the RADIUS server. If authentication succeeds, the MA5200F assigns the client a private IP address from its address pool. The user, now holding a private address, reaches the public network after NAT on the NE08.
Cutover requirement: insert a USG5000 between the MA5200 and the NE08 to act as access control, and at the same time move the NAT function from the NE08 onto the USG5000.
After the cutover, users could not obtain IP addresses or access the Internet, and the MA5200 could not establish a normal connection with the RADIUS server on the public network. The customer suspected that the USG5000 was dropping the packets exchanged between the MA5200 and the RADIUS server, so that user authentication failed and no address could be assigned.
Alarm Information
None.
Handling Process
1. On the NE08, add a static route to the MA5200's interface segment (220.195.167.22/30), with the USG5000 as the next hop.
2. On the NE08, add a static route to the USG5000 NAT address pool (220.195.241.3-220.195.241.62), again via the USG5000.
3. Remove the static route to the 192.168.0.0 segment.
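The three steps above as a VRP-style configuration fragment. This is an added example, not the configuration from the case: the case gives the MA5200 interface as a host address (220.195.167.22) and the NAT pool as a range (220.195.241.3-62), so the /30 (220.195.167.20/30) and /26 (220.195.241.0/26, covering .0-.63) prefixes used here are assumptions; the next hop 220.195.167.18 is the USG5000 interface facing the NE08, as shown in the case's own route.

```vrp
# NE08, as left by the cutover: the only remaining static route points the
# private user segment at the USG5000, which is never a return destination
ip route-static 192.168.0.0 255.255.252.0 220.195.167.18

# Step 1: return route for RADIUS replies to the MA5200 interface (.22)
# (assumed /30 containing 220.195.167.22)
ip route-static 220.195.167.20 255.255.255.252 220.195.167.18

# Step 2: return route for Internet replies to the USG5000 NAT pool
# 220.195.241.3-220.195.241.62 (assumed /26; the pool is not on the
# 220.195.167.16/30 link, so nothing on the NE08 covers it otherwise)
ip route-static 220.195.241.0 255.255.255.192 220.195.167.18

# Step 3: the private segment is hidden behind NAT on the USG5000,
# so the old route is redundant
undo ip route-static 192.168.0.0 255.255.252.0 220.195.167.18
```

Check with `display ip routing-table` on the NE08 that 220.195.167.22 and an address from the NAT pool both resolve to 220.195.167.18 before putting users back on the link.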
Root Cause
Overall, inserting the USG5000 between the MA5200 and the NE08 added a new network segment, 220.195.167.17/30.
1. Comparing the MA5200 configuration before and after the cutover shows no changes.
2. The USG5000 configuration is simple: the NAT pool was moved from the NE08 to the firewall and NAT is done in the trust-untrust interzone; the default packet filtering for all zones is set to permit, which essentially rules out packet loss on the firewall. Its routes are correct.
3. On the NE08, apart from removing the NAT function, the only routing change is the following:
Before the cutover:
ip route-static 192.168.0.0 255.255.252.0 220.195.167.22
After the cutover:
ip route-static 192.168.0.0 255.255.252.0 220.195.167.18
These routes show the following problems:
(1) With the USG5000 now between the MA5200 and the NE08, when the MA5200 sends authentication requests to the RADIUS server, the NE08 has no return route to the MA5200's interface, so the RADIUS replies cannot get back to it.
(2) After a client dials up successfully and accesses the public network, its traffic is NATed to the pool 220.195.241.3-220.195.241.62. Because the firewall interface IP (220.195.167.18/32) and the NAT address pool are not in the same segment, the NE08 needs a static route to the USG5000's address pool; without it there is no return route for Internet traffic either.
(3) Since users are NATed on the USG5000, the 192.168.0.0 segment is never seen beyond the firewall, so the static route to 192.168.0.0 is redundant and can be removed.
Suggestions
1. When the NAT address pool and the outbound interface are not in the same network segment, remember to add a route to the NAT address pool on the upstream device.
2. When a firewall is inserted into a network in routed mode, pay special attention to adjusting the routing on the neighbouring devices.
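A small pre-cutover check that generalises suggestion 2: model the upstream router's routing table, resolve every return flow that must come back through the new firewall with longest-prefix matching, and flag the ones that would go elsewhere. This is an added example, not a tool from the case. Addresses are the ones in the case; the NE08 default route via an upstream next hop (220.195.167.1) is constructed, and the /30 and /26 prefix lengths are assumptions, since the case lists a host and a range rather than prefixes.

```python
"""Return-route check for the NE08 after inserting the USG5000 (added example)."""
import ipaddress

USG5000 = "220.195.167.18"   # USG5000 interface facing the NE08 (from the case)
UPSTREAM = "220.195.167.1"   # NE08 upstream next hop: constructed for this example

# NE08 routing tables as (prefix, next hop). The default route is assumed;
# the static routes follow the case's before/after configuration.
NE08_AFTER_CUTOVER_BROKEN = [
    ("0.0.0.0/0", UPSTREAM),
    ("192.168.0.0/22", USG5000),      # the only static route left after cutover
]
NE08_AFTER_FIX = [
    ("0.0.0.0/0", UPSTREAM),
    ("220.195.167.20/30", USG5000),   # step 1: MA5200 interface segment (assumed /30)
    ("220.195.241.0/26", USG5000),    # step 2: NAT pool .3-.62 (assumed /26)
    # step 3: the 192.168.0.0/22 route is removed; it is never a return destination
]

# Return traffic that must be handed to the USG5000 (destinations from the case).
RETURN_FLOWS = [
    ("RADIUS reply to MA5200", "220.195.167.22"),
    ("Internet reply to a NAT pool address", "220.195.241.10"),
]


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def check_return_paths(table, flows=RETURN_FLOWS, firewall=USG5000):
    """Map each flow name to (resolved next hop, ok); ok means it reaches the firewall."""
    result = {}
    for name, dst in flows:
        nh = lookup(table, dst)
        result[name] = (nh, nh == firewall)
    return result


def all_return_paths_ok(table, flows=RETURN_FLOWS, firewall=USG5000):
    return all(ok for _, ok in check_return_paths(table, flows, firewall).values())


if __name__ == "__main__":
    for label, table in (("broken", NE08_AFTER_CUTOVER_BROKEN), ("fixed", NE08_AFTER_FIX)):
        print(label)
        for name, (nh, ok) in check_return_paths(table).items():
            verdict = "OK" if ok else "WRONG (follows the default route toward the upstream)"
            print(f"  {name}: next hop {nh} -> {verdict}")
```

The broken table shows the failure mode the case describes: both return flows match only the default route, so the RADIUS replies and the NAT-pool replies are sent toward the upstream instead of the USG5000. Feeding the script the real `display ip routing-table` output before the cutover window turns this into a check rather than a post-mortem.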