Traffic is not forwarded through the L2TP over IPSec tunnel when using NAT on USG 5550

Publication Date: 2013-05-30
Issue Description
After configuring NAT and the L2TP over IPSec tunnel, all traffic to that particular server is translated by the NAT module of the USG and no traffic is transported through the tunnel.
Alarm Information
Null
Handling Process
This can be solved in two ways:
1. By using PAT (not the best solution, because in many cases all public ports need to be opened to all hosts).
2. By configuring a security ACL that denies the port numbers used by the L2TP over IPSec tunneling protocols (UDP 1701, 500 and 4500), so that this traffic is excluded from NAT.
With the second method, only traffic from that particular host towards the server is transported through the tunnel; any other packets are translated by NAT and routed according to the firewall's local routing table.

Configuration of the ACL below:
acl number 3001
 description forl2tpoipsec
 rule 5 deny udp destination-port eq 1701
 rule 10 deny udp destination-port eq 500
 rule 15 deny udp destination-port eq 4500
 rule 20 permit ip

In addition to this ACL, destination NAT needs to be configured for that specific server in the untrust zone:

[USG5550-zone-untrust]destination-nat 3111 address 192.168.90.254
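The ACL above is evaluated as a first-match filter: a flow that hits one of the deny rules (UDP 1701 for L2TP, UDP 500 for IKE, UDP 4500 for IPsec NAT-T) is excluded from the NAT policy and can enter the tunnel, while everything that falls through to "permit ip" is translated. The following Python is an added example, not part of the Huawei article and not the USG's code: it parses the four rule lines as written on the page into a small rule model and classifies constructed sample packets, so the effect of rule order and of the trailing "permit ip" can be checked offline. The "tunnel"/"nat" labels and the treatment of a no-match packet are modelling assumptions.

```python
# Added example (not from the Huawei article): a minimal first-match evaluator
# for ACL 3001 as quoted on the page.  It shows which flows the NAT policy
# skips (deny -> handed to the IPsec/L2TP tunnel) and which it translates
# (permit -> NAT).  The rule model and the "tunnel"/"nat" labels are assumptions
# made for illustration; they are not the USG's actual implementation.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "deny" or "permit"
    proto: str                     # "udp", "tcp" or "ip" (ip = any protocol)
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str                     # "udp" or "tcp"
    dst_port: int


def parse_rule(line: str) -> Rule:
    """Parse one 'rule N deny|permit PROTO [destination-port eq P]' line.

    Only the syntax used by the page's ACL is modelled (eq comparisons).
    """
    t = line.split()
    if not t or t[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    if action not in ("deny", "permit"):
        raise ValueError(f"unknown action in {line!r}")
    port = None
    if "destination-port" in t:
        i = t.index("destination-port")
        if t[i + 1] != "eq":
            raise ValueError("only 'destination-port eq N' is modelled")
        port = int(t[i + 2])
    return Rule(number, action, proto, port)


# The rule lines exactly as shown in the article (constructed input).
ACL_3001_TEXT = [
    "rule 5 deny udp destination-port eq 1701",   # L2TP
    "rule 10 deny udp destination-port eq 500",   # IKE
    "rule 15 deny udp destination-port eq 4500",  # IPsec NAT-T
    "rule 20 permit ip",                          # everything else
]
ACL_3001: List[Rule] = [parse_rule(line) for line in ACL_3001_TEXT]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every field the rule constrains."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def first_match(acl: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are evaluated in rule-number order; the first hit wins."""
    for rule in sorted(acl, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule
    return None


def nat_disposition(acl: List[Rule], pkt: Packet) -> str:
    """Classify a packet under the NAT policy that references this ACL.

    'tunnel' -> ACL denied the flow: NAT does not translate it, so it is
                handed to the IPsec/L2TP tunnel.
    'nat'    -> ACL permitted the flow: it is translated and routed normally.
    Assumption: a packet matching no rule is treated as 'nat'; with the page's
    trailing 'permit ip' that case cannot occur.
    """
    rule = first_match(acl, pkt)
    if rule is not None and rule.action == "deny":
        return "tunnel"
    return "nat"


if __name__ == "__main__":
    # Constructed sample flows towards the server behind destination NAT.
    samples = [Packet("udp", 1701), Packet("udp", 500),
               Packet("udp", 4500), Packet("tcp", 443), Packet("udp", 53)]
    for p in samples:
        print(f"{p.proto}/{p.dst_port}: {nat_disposition(ACL_3001, p)}")
```

Run it and the three tunnel ports report "tunnel" while TCP 443 and UDP 53 report "nat"; removing any deny rule from ACL_3001_TEXT makes the corresponding port fall through to rule 20 and be translated, which is exactly the failure the article describes.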
Root Cause
This happens because, without the ACL, the NAT policy does not separate traffic by port number: the tunnel's own packets (UDP 500, 4500 and 1701) are translated together with all other traffic to the server instead of entering the tunnel.
Suggestions
My suggestion is to use the second method (the ACL) presented above, although the first one (PAT) can still apply in some scenarios.
