Publication Date: 2017-09-06 | Views: 1094 | Downloads: 0 | Author: SU1002316611 | Document ID: EKB1000857466
Issue : VC cannot communicate with MCU
1.here is the topo:
the loacl VC is connected to our access switch----> distribution switch---->core switch---->(0/0/0:172.21.64.1)Firewall(1/0/1:10.131.236.20)----(ethio telecom's ADSL through wordanet)-----national data center's MCU
2.Change IP address of ADSL interface 1/0/1
They added below configuration:
ip address 10.131.236.20 255.255.255.0
ip route-static 172.30.40.0 255.255.255.0 Ethernet1/0/1 10.131.236.18
from the device configuration information, we can found that the interface 1/0/1 is belong to untrust zone and interface 0/0/0 is belong to trust zone.
and we can ping VC address 172.21.66.10 and can ping MCU address 172.30.40.11 from firewall,but cannot ping from 172.21.66.10 to 172.30.40.11
and we found that there is not permited from trust zone to untrust zone, so we permit the security policy from trust zone to untrust zone.
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
but the sevice was still not working.
then we did the traffic statistics,found that the traffic is sent out but not back when ping from 172.21.66.10 to 172.30.40.11.
but as said before, we can ping MCU address 172.30.40.11 from firewall, so we think there is some limit that just permit peer address visit MCU on ethio telecom's ADSL link or there is no back routing on ethio telecom's ADSL link.
due to can ping VC address 172.21.66.10 and can ping MCU address 172.30.40.11 from firewall, so we can do NAT, make the VC address 172.21.66.10 is NAT to 10.131.236.20 to visit MCU
nat address-group 6 10.131.236.20 10.131.236.20
nat-policy interzone trust untrust outbound
policy source 172.21.66.10 mask 32