PCs on Different VLANs Could Not Manage the Firewall Because Packets Passed Through the Firewall Twice

Publication Date: 2015-07-02
Issue Description


PC1, PC2, and PC3 belonged to different VLANs. None of the PCs could manage the USG. 
Handling Process
1. Create VLAN 11 for managing the firewall. 

interface Vlanif11
 ip address 3.3.3.2 255.255.255.0

2. Create a virtual firewall and assign VLAN 11 to the virtual firewall.

vlan 11
 binding vpn-instance vfw1

3. Configure the gateway of the virtual firewall.

ip route-static vpn-instance vfw1 0.0.0.0 0.0.0.0 3.3.3.3
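The three steps above are easy to apply but also easy to leave half-done (a VLANIF created for management, but the VLAN never bound to the virtual firewall, or the virtual firewall left without a gateway). The following script is an added example, not part of this case or of Huawei's own tooling: it parses configuration text in the form shown in the steps and reports which of the three pieces is missing for a given management VLAN. The two sample configurations are constructed for the example; the "after" one is simply the three steps from the case, and the "before" one is the same with steps 2 and 3 omitted. Only the command forms that appear on this page are recognised.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations (not captured from the device in the case).
# "before": VLANIF 11 exists, but VLAN 11 is not bound to a virtual firewall
# and no gateway route exists in the vpn-instance, so management still fails.
CONFIG_BEFORE = """\
interface Vlanif11
 ip address 3.3.3.2 255.255.255.0
"""

# "after": the three steps from the case applied.
CONFIG_AFTER = """\
interface Vlanif11
 ip address 3.3.3.2 255.255.255.0
#
vlan 11
 binding vpn-instance vfw1
#
ip route-static vpn-instance vfw1 0.0.0.0 0.0.0.0 3.3.3.3
"""


def parse_vrp(config: str) -> Dict[str, dict]:
    """Extract the pieces relevant to management-VLAN reachability.

    Returns a dict with:
      vlanifs:  {vlan_id: ip address}          from 'interface VlanifN' blocks
      bindings: {vlan_id: vpn-instance name}   from 'vlan N' / 'binding vpn-instance'
      defaults: {vpn-instance name: next hop}  from 'ip route-static vpn-instance ... 0.0.0.0 0.0.0.0'
    """
    vlanifs: Dict[int, str] = {}
    bindings: Dict[int, str] = {}
    defaults: Dict[str, str] = {}
    context: Optional[Tuple[str, int]] = None  # ("vlanif", id) or ("vlan", id)

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":  # '#' separates views in VRP output
            context = None
            continue
        m = re.match(r"interface Vlanif(\d+)$", line, re.IGNORECASE)
        if m:
            context = ("vlanif", int(m.group(1)))
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            context = ("vlan", int(m.group(1)))
            continue
        m = re.match(r"ip route-static vpn-instance (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            defaults[m.group(1)] = m.group(2)
            context = None
            continue
        if context and context[0] == "vlanif":
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                vlanifs[context[1]] = m.group(1)
        elif context and context[0] == "vlan":
            m = re.match(r"binding vpn-instance (\S+)$", line)
            if m:
                bindings[context[1]] = m.group(1)
    return {"vlanifs": vlanifs, "bindings": bindings, "defaults": defaults}


def check_management_vlan(config: str, vlan_id: int) -> List[str]:
    """Return the problems that would stop the management VLAN from working
    as the case describes; an empty list means all three steps are present."""
    parsed = parse_vrp(config)
    problems: List[str] = []
    if vlan_id not in parsed["vlanifs"]:
        problems.append(f"no VLANIF with an IP address for VLAN {vlan_id}")
    vfw = parsed["bindings"].get(vlan_id)
    if vfw is None:
        problems.append(f"VLAN {vlan_id} is not bound to a vpn-instance (virtual firewall)")
    elif vfw not in parsed["defaults"]:
        problems.append(f"vpn-instance {vfw} has no default route to a gateway")
    return problems


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, check_management_vlan(cfg, 11) or "OK")
```

Run it against the output of the device's running configuration saved to a file, passing the management VLAN ID; the "before" sample reproduces the state described in the issue (a VLANIF exists, but the second pass through the firewall still has no session context because the VLAN is not bound to the virtual firewall).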
Root Cause
In transparent mode, the firewall can be managed only through VLANIF interfaces. However, all PCs used Lay3_switch as their gateway, so a management packet from a PC passed through the firewall twice: first on the way in from Lay2_switch, then again after being routed back by Lay3_switch. The firewall had no session for the second pass, so the access was blocked. Assigning the management VLAN to the virtual firewall lets a session be established when the packets pass through the firewall the second time.

END