
SSL VPN user obtains an IP address through the network extender function but cannot ping internal network IP addresses

Publication Date: 2012-09-13

Issue Description

SSL VPN is configured on a USG2230 with the network extender function enabled. External users can obtain addresses but cannot ping internal addresses successfully. The internal PC is connected directly to the firewall.

Alarm Information


Handling Process

1 Check the packet filtering and SSL VPN configuration: no errors found.

2 Check the sessions that reach the internal network:

[USG2230]disp firewall session table v destination inside
23:43:37 2011/08/14
Current total sessions: 1
icmp VPN: public -> public
Zone: trust -> trust TTL: 00:00:20 Left: 00:00:13
Interface: GigabitEthernet0/0/0 Nexthop: MAC: 00-25-9e-d4-b7-4c
<-- packets:4 bytes:240 --> packets:4 bytes:240[]-->

The IP address that the external user obtained through the network extender was translated by NAT when the user accessed the destination PC. Interzone NAT is configured for the trust zone, and the ACL referenced by the interzone NAT includes the network segment allocated by the network extender.

3 Change the ACL referenced by the interzone NAT so that it denies interzone NAT for the network segment allocated by the network extender. External users can then access the internal PC through the SSL VPN normally.
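The check behind steps 2 and 3, as an added example that is not part of the original case: it reports which part of the network extender pool a NAT ACL would still hand to NAT, before and after the deny rule is added. The pool, the ACL contents and the function name are constructed assumptions, and the ACL is modelled as CIDR rules with first match winning and unmatched traffic left untranslated.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the original case).
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")

# NAT ACL as (action, source network), evaluated top-down, first match wins.
# "permit" means the source is translated; no match means it is not.
ACL_BEFORE = [("permit", "192.168.0.0/16")]
ACL_AFTER = [("deny", "192.168.100.0/24"), ("permit", "192.168.0.0/16")]


def translated_part_of_pool(acl, pool):
    """Return the sub-networks of pool whose source addresses the ACL sends to NAT."""
    remaining, translated = [pool], []
    for action, net in acl:
        rule = ipaddress.ip_network(net)
        next_remaining = []
        for block in remaining:
            if not block.overlaps(rule):
                next_remaining.append(block)  # rule does not touch this block
                continue
            # CIDR blocks either nest or are disjoint, so the overlap is the smaller one.
            hit = block if block.subnet_of(rule) else rule
            if action == "permit":
                translated.append(hit)
            if hit != block:
                # Keep the part of the block this rule did not match for later rules.
                next_remaining.extend(block.address_exclude(hit))
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(translated))


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        hit = translated_part_of_pool(acl, VPN_POOL)
        status = "pool traffic is NATed: " + ", ".join(map(str, hit)) if hit else "pool is excluded from NAT"
        print(f"{name}: {status}")
```

An empty result means no address in the pool matches a permit rule, which is the state step 3 aims for.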

Root Cause

1 Packet filtering blocks the access
2 The internal PC has no gateway configured
3 Others


The IP address pool assigned by the SSL VPN network extender belongs to the Trust zone, and the obtained IP address cannot ping the physical address of the internal network interface.