
Traffic is not forwarded through the L2TP over IPSec tunnel when using NAT on USG 5550

Publication Date:  2013-05-30 Views:  798 Downloads:  0

Issue Description

After configuring NAT together with an L2TP over IPsec tunnel, all traffic destined for that particular server is translated by the NAT module of the USG, and no traffic is carried through the tunnel.

Alarm Information


Handling Process

This can be solved in two ways:
1. By using PAT (not the best solution, because in many cases all public ports then need to be opened to all hosts).
2. By configuring an ACL, referenced by the NAT policy, that denies the port numbers used by the L2TP over IPsec protocols (UDP 1701 for L2TP, UDP 500 for IKE and UDP 4500 for IPsec NAT-T), so that these packets are excluded from translation.
With the second method, only the traffic from that particular host towards the server is carried through the tunnel; all other packets are translated by NAT and routed according to the firewall's local routing table.

The ACL is configured as follows (a deny rule means the matching traffic is not translated; rule 20 keeps NAT for everything else):
acl number 3001
description forl2tpoipsec
rule 5 deny udp destination-port eq 1701
rule 10 deny udp destination-port eq 500
rule 15 deny udp destination-port eq 4500
rule 20 permit ip

In addition to this ACL, destination NAT must be configured for that specific server in the untrust zone:

[USG5550-zone-untrust]destination-nat 3111 address
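To make the first-match behaviour of acl 3001 concrete, the following script (an added example, not part of the Huawei article or the USG configuration) evaluates constructed sample packets against the same four rules. The Rule and Packet field names and the nat_applies helper are assumptions made for illustration; on the firewall, a NAT policy translates only the traffic the referenced ACL permits.

```python
# Added example (not from the Huawei KB article): a minimal first-match
# evaluator reproducing the semantics of acl 3001. Rule/Packet field names
# and nat_applies() are assumptions for illustration; sample packets are
# constructed, not captured.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol; "udp"/"tcp" match that protocol only
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str                   # "udp", "tcp", "esp", ...
    dst_port: Optional[int] = None  # None for protocols without ports (e.g. ESP)


# acl 3001 as given in the article: deny = excluded from NAT, permit = translated
ACL_3001: List[Rule] = [
    Rule(5, "deny", "udp", 1701),    # L2TP
    Rule(10, "deny", "udp", 500),    # IKE
    Rule(15, "deny", "udp", 4500),   # IPsec NAT-T
    Rule(20, "permit", "ip"),        # everything else is translated
]


def match(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when its protocol is 'ip' or equals the packet's
    protocol, and its destination port (if any) equals the packet's."""
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (rule number, action) of the first rule that matches.
    Rules are tried in ascending rule-number order and evaluation stops at
    the first hit; an ACL with no matching rule yields (None, 'deny')."""
    for rule in sorted(acl, key=lambda r: r.number):
        if match(rule, pkt):
            return rule.number, rule.action
    return None, "deny"


def nat_applies(acl: List[Rule], pkt: Packet) -> bool:
    """Only traffic the ACL permits is translated by the NAT policy;
    denied traffic is left untouched so it can enter the tunnel."""
    return evaluate(acl, pkt)[1] == "permit"


if __name__ == "__main__":
    samples = [
        Packet("udp", 500),     # IKE: rule 10, not translated
        Packet("udp", 4500),    # NAT-T: rule 15, not translated
        Packet("udp", 1701),    # plain L2TP: rule 5, not translated
        Packet("tcp", 1701),    # TCP 1701 is not L2TP: rule 20, translated
        Packet("tcp", 443),     # ordinary traffic: rule 20, translated
        Packet("esp"),          # ESP without NAT-T has no port: rule 20
    ]
    for p in samples:
        num, action = evaluate(ACL_3001, p)
        print(f"{p.protocol:>4} {str(p.dst_port):>5} -> rule {num} {action}"
              f" (NAT {'applies' if nat_applies(ACL_3001, p) else 'skipped'})")
```

Two details worth noticing in the output: rule 5 is written with the udp keyword, so TCP traffic to port 1701 still falls through to rule 20 and is translated, and an ESP datagram (no NAT-T encapsulation, hence no UDP port) also matches rule 20 because none of the deny rules name protocol 50. The ACL on this page therefore exempts only the UDP-carried parts of the L2TP over IPsec exchange from NAT.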

Root Cause

This happens because, without the ACL, the NAT policy does not distinguish traffic by port number: every packet destined for the server, including the L2TP over IPsec control and data packets on UDP 1701, 500 and 4500, is translated, so nothing is carried through the tunnel.


My suggestion is to use the second method presented, although the first one could apply to some scenarios.