An NE40E Implements Unidirectional TCP Access

Publication Date: 2019-04-16

Issue Description

Symptom: An NE40E implements unidirectional TCP access.

Version information: V600R008

Solution

TCP access is allowed from R1 to R2 but is rejected from R2 to R1.

The address segment of R1 is X.X.X.X/24.
The address segment of R2 is Y.Y.Y.Y/24.

R1--------------NE--------------R2

Configuration of the NE40E:

rule 10 permit tcp source Y.Y.Y.Y 0.0.0.255 destination X.X.X.X 0.0.0.255 tcp-flag established  //Apply the ACL in the inbound direction on the interface between R2 and the NE40E so that TCP reply packets can pass.

rule 20 deny tcp source Y.Y.Y.Y 0.0.0.255 destination X.X.X.X 0.0.0.255

In the first TCP packet sent by R1, ACK is 0. In the second packet, the reply from R2 to R1, ACK is 1, so it matches rule 10. The ACK in the packets that R1 then sends to R2 also becomes 1, and from that point on the ACK in every TCP packet exchanged between R1 and R2 is always 1. The rule that follows (rule 20) must be configured as deny so that TCP packets from R2 to R1 that do not match rule 10, such as a connection request with ACK = 0, are rejected.
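The first-match behaviour described above can be checked offline with a small model of the two rules. This is an added example, not Huawei's code or part of the original case: the addresses are constructed stand-ins for X.X.X.X/24 and Y.Y.Y.Y/24, the function names are hypothetical, and `tcp-flag established` is modelled on the assumption that it matches packets with ACK or RST set.

```python
import ipaddress

# Constructed stand-ins for the page's X.X.X.X/24 (R1) and Y.Y.Y.Y/24 (R2).
R1_NET = ipaddress.ip_network("192.0.2.0/24")
R2_NET = ipaddress.ip_network("198.51.100.0/24")

# (rule id, action, source net, destination net, requires "established").
# The list models the ACL applied inbound on the NE40E interface facing R2.
RULES = [
    (10, "permit", R2_NET, R1_NET, True),
    (20, "deny", R2_NET, R1_NET, False),
]


def evaluate(src, dst, flags):
    """Return (rule_id, action) of the first matching rule, else (None, 'no-match')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_id, action, src_net, dst_net, need_established in RULES:
        if s not in src_net or d not in dst_net:
            continue
        # Assumption: "established" means the ACK or RST bit is set.
        if need_established and not ({"ACK", "RST"} & set(flags)):
            continue
        return rule_id, action
    return None, "no-match"


def handshake_verdicts():
    """Verdicts for the R2-to-R1 packets this ACL sees in each scenario."""
    r1, r2 = "192.0.2.10", "198.51.100.20"
    return {
        # R1 opens the session; its SYN arrives on the other interface,
        # so only R2's replies are checked against these rules.
        "r1_initiated_synack": evaluate(r2, r1, {"SYN", "ACK"}),
        "r1_initiated_data": evaluate(r2, r1, {"ACK", "PSH"}),
        # R2 tries to open a session: ACK is 0, rule 10 is skipped.
        "r2_initiated_syn": evaluate(r2, r1, {"SYN"}),
        # Limitation: the match is stateless and looks only at flag bits,
        # not at whether R1 actually opened a session.
        "r2_ack_without_session": evaluate(r2, r1, {"ACK"}),
    }


if __name__ == "__main__":
    for name, (rule_id, action) in handshake_verdicts().items():
        print(f"{name:24} -> rule {rule_id} {action}")
```

Swapping the order of the two entries in `RULES` makes every R2-to-R1 packet hit the deny first, which is why the permit must carry the lower rule number.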

