S9300 core layer switch is connected below the USG2220BSR, and there are three internal clients, their IP are 192.168.1.0/24、192.168.2.0/24、22.214.171.124/24 respectively, these gateways of each network segment are all in the S9300. The requirements are as follow:
Clients at the network segments of 192.168.1.0/24 and 192.168.2.0/24 are not controlled, they can access any external IP address; nevertheless, the clients at 126.96.36.199/24 can only access the unique external IP:188.8.131.52, the purpose is to let the clients at 184.108.40.206/24 can deploy VPN Dialing Certification on their PCs, it’s the unique way to access the private network.
(1)Based on the clients’ demand, having completed the configurations (labeled in red), and testing, we found the clients at the network segments of 192.168.1.0/24 and 192.168.2.0/24 can access any external IP address, on contrast, the clients at the network segments of 220.127.116.11/24 can’t access any external IP except the appointed one: 18.104.22.168, however, although they can ping 22.214.171.124 successfully, the terminal PCs can’t access the private network through VPN Dialing Certification.
Having taken configured and tested based on demands, the VPN can’t dial successfully, the key point is whether the firewall packet-filter default deny inter-zone trust untrust direction outbound is on or not, the VPN can’t dial when it isn’t on, so we should consider the client may need another external network IP to dial successfully but not only the destination IP 126.96.36.199. Therefore, we open the default inter-zone packet filter, and let the clients dial VPN normally, then, they can access the private network. Then, we take the order “ipconfig” and “netstat” on the PC’s dos console, the client will get a private IP 10.81.3.0/24 when it dials successfully, it’s not only connected with 188.8.131.52 but also with a external IP 184.108.40.206. The process of VPN software’s dialing is described as follow: The terminal PC is taking a request to access the external IP 220.127.116.11 through their VPN Dialing software, after the device 18.104.22.168 having authenticated, it will return a ACK to the PC, meanwhile, the PC will be asked to get a private IP from 22.214.171.124. Originally, depended on requirement, we let the packet whose destination is 126.96.36.199 passed and 188.8.131.52 discarded, it cause the false of the whole VPN dialing. So, we add a new policy (labeled in red) in the inter-zone packet filter.
Clients are dialing to the external VPN device (184.108.40.206) on their VPN Dialing software through user name and password. After the user name and password are authenticated, the terminal PC are told to request the private network segment from another external network device (220.127.116.11). However, we just have taken the configuration allow the packet whose source is 18.104.22.168/24 and destination is 22.214.171.124 pass successfully, this lead to the authenticated terminal PC can’t obtain the private IP, and cause the VPN dialing’s false eventually.
When we are resolving the problems, we must understand the client’s demands and the real operation applications. Such as the above case, the clients’ VPN Dialing Software is different from our familiar one, it’s a specific software. We should try our best to search some simple methods to get some useful diagnostic messages. For example, we find that when the clients dialed successfully, the client terminal PCs will get some private network segment and there are connection between them and some external network segment. Expand your thought, guess daringly, and do your best to take measures to validate your opinion in the way not take bad influence on the current network operations.