IPSec Service Access Failure Due to Incorrectly Configured NAT Policies

Created: Mar 29, 2016 20:29:48 | Latest reply: Mar 29, 2016 21:07:59

Networking: PC (Intranet) ---------- third-party firewall ------- Internet ------- E1000E-X3 --------- SSL-VPN server

An IPSec tunnel was set up between the third-party firewall and Huawei firewall E1000E-X3.

The nat-policy interzone trust untrust outbound was applied so that hosts could access the Internet. No-NAT was applied to communication between private network addresses.

An intranet PC could telnet the SSL-VPN server, but the SSL-VPN server failed to telnet the intranet PC.

After the SSL-VPN server tried to telnet an intranet PC, engineers ran dis firewall session table destination inside 10.****** to query session information, and the corresponding session information was displayed.

Tracert tests succeeded from the SSL-VPN server to the public address of the uplink interface on E1000E-X3.

On E1000E-X3, pinging the intranet PC using the SSL-VPN server address as the source address succeeded.

According to the tracert results, the second and third hops were numbered xxx, and the fourth hop was the destination address.

bellabella   Created Mar 29, 2016 21:07:59   Helpful(0)

Handling Process

Huawei performed the following operations to address the problem:

1. Found that the E1000E did not bar the remote access packets and sessions could be set up properly.

2. Checked the IPSec information and found that VPN channels were set up properly.

3. Found that tracert succeeded to the public address.

4. Checked outbound NAT policy configurations.

nat-policy interzone trust untrust outbound
  policy 6
    action source-nat
    policy source 10.************
    address-group 1
  policy 1
    action no-nat
    policy source 10.*************
    policy destination 10.**********

Policy 1 (action no-nat) was configured after policy 6. Therefore, the equipment executed policy 6 first and then policy 1. As a result, policy 1 failed to take effect, the outbound packets were also subject to NAT processing, and access to the intranet PC failed.

Root Cause

The NAT policies were configured in an incorrect order.

Solution

Configure policy 1 and then policy 6.

nat-policy interzone trust untrust outbound
  policy 1
    action no-nat
    policy source 10.*************
    policy destination 10.**********
  policy 6
    action source-nat
    policy source 10.************
    address-group 1

Suggestions

Ensure that NAT policies are configured in a correct order.

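An added example, not part of the post or of any Huawei software, that models the first-match evaluation of the outbound NAT policy list described in the reply. The policy ids and actions come from the post; the 10.1.1.0/24 and 10.2.2.0/24 networks, the host addresses, and the rule that unmatched traffic leaves untranslated are constructed assumptions standing in for the masked addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of an outbound NAT policy list evaluated top-down,
# first match wins. Not Huawei code; addresses are constructed placeholders
# standing in for the masked 10.x addresses in the post.


@dataclass
class NatPolicy:
    policy_id: int
    action: str                                   # "source-nat" or "no-nat"
    source: ipaddress.IPv4Network                 # policy source ...
    destination: Optional[ipaddress.IPv4Network]  # policy destination ... (None = any)
    address_group: Optional[str] = None           # address-group used by source-nat

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src not in self.source:
            return False
        return self.destination is None or dst in self.destination


def nat_decision(policies: List[NatPolicy], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Return (policy id, action) of the first policy that matches the flow.
    Assumption: a flow matching no policy is forwarded untranslated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.matches(s, d):
            return p.policy_id, p.action
    return None, "no-nat"


INTRANET = ipaddress.ip_network("10.1.1.0/24")  # constructed: LAN behind E1000E-X3
REMOTE = ipaddress.ip_network("10.2.2.0/24")    # constructed: SSL-VPN server side of the tunnel

POLICY_6 = NatPolicy(6, "source-nat", INTRANET, None, "1")  # Internet access via address-group 1
POLICY_1 = NatPolicy(1, "no-nat", INTRANET, REMOTE)         # tunnel traffic must stay untranslated

MISORDERED = [POLICY_6, POLICY_1]  # as found: policy 6 listed before policy 1
CORRECTED = [POLICY_1, POLICY_6]   # as fixed: policy 1 listed before policy 6

if __name__ == "__main__":
    pc, vpn, internet = "10.1.1.10", "10.2.2.20", "203.0.113.5"
    for name, plist in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, "PC->SSL-VPN:", nat_decision(plist, pc, vpn),
              "PC->Internet:", nat_decision(plist, pc, internet))
```

With the misordered list the PC's replies toward the SSL-VPN server hit policy 6 and are source-NATed, which is why only that direction broke; in the corrected list policy 1 catches tunnel traffic first while Internet-bound traffic still reaches policy 6.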
