Avaya 2330/4134 - Page 214

Avaya 2330/4134
394 pages
You require an internet firewall policy allowing ISAKMP packets from the VPN peer to the local VPN endpoint (for example, 3.3.3.1). The following is a sample configuration:
#firewall internet
#policy 100 in permit address any any 3.3.3.1 32 service ike self
In cases where there is a NAT in the middle between the VPN peers, you require an internet firewall policy that allows IKE self connections to UDP port 4500, to support NAT traversal. The following is a sample configuration:
#firewall internet
#policy 101 in permit address any any 3.3.3.1 32 protocol udp port any 4500 self
(In cases where the NAT is enabled on one of the peers, you do not have to open port 4500.)
You also require a corp firewall policy that allows data packets from the remote VPN protected network (for example, 30.1.1.0/24) to the local VPN protected network (for example, 10.1.1.0/24). The following is a sample configuration:
#firewall corp
#policy 200 in permit address 30.1.1.0 24 10.1.1.0 24
#exit
5. To display the statistics for connections that are occurring through the firewall, enter:
show firewall connections all
Verify that traffic is passing through the policies you have configured.
6. To display the number of connections that have been traversing each map, enter:
show firewall connections all summary
If no traffic is passing through the firewall, ensure that there is a route for the transit traffic from the corp zone to the internet zone.
In addition, for high traffic networks, make sure that the maximum firewall connection limit configured for a given map is sufficient to allow new connections. (The default for “corp” is 2500.)
You can increase the max-connection-limit parameter using the firewall global command.
7. To display debug commands on the console, enter:
system logging console priority debug
system logging console enable
8. To enable debugging on the firewall, enter:
debug firewall connections
Verify that the policy exists and connections are being made.
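As an added configuration check (not Avaya's code and not from this manual), the script below parses policy lines written in the form shown in the samples above and reports which of the three required policies (IKE to the endpoint, NAT-T on UDP 4500 when a NAT sits between the peers, and the corp data path) are missing. The policy grammar is inferred only from the sample lines on this page, so it is an assumption, and the embedded configuration is constructed for the example.

```python
import ipaddress
import re
# Policy grammar inferred from the sample lines on this page (assumption):
#   policy <id> in|out permit|deny address <src> <srclen> <dst> <dstlen> [rest...]
POLICY_RE = re.compile(
    r"^policy\s+(?P<id>\d+)\s+(?P<dir>in|out)\s+(?P<action>permit|deny)\s+"
    r"address\s+(?P<src>\S+)\s+(?P<srclen>\S+)\s+(?P<dst>\S+)\s+(?P<dstlen>\S+)(?P<rest>.*)$"
)

# Constructed sample mirroring the page's configuration; the NAT-T policy is left out on purpose
SAMPLE_CONFIG = """
firewall internet
policy 100 in permit address any any 3.3.3.1 32 service ike self
exit
firewall corp
policy 200 in permit address 30.1.1.0 24 10.1.1.0 24
exit
"""

def parse_policies(config_text):
    """Return (zone, fields) for each policy line; zone is the enclosing 'firewall <zone>'."""
    zone, policies = None, []
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate the '#' CLI prompt prefix
        if line.startswith("firewall "):
            zone = line.split()[1]
        elif (m := POLICY_RE.match(line)):
            policies.append((zone, m.groupdict()))
    return policies

def _covers(addr, plen, target):
    """True if the policy's address/prefix pair includes the whole target network."""
    return addr == "any" or target.subnet_of(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

def audit_vpn_policies(config_text, endpoint, remote_net, local_net, nat_between_peers=False):
    """Return the names of required policies that are missing (empty list = all present)."""
    ep, remote, local = (ipaddress.ip_network(n) for n in (f"{endpoint}/32", remote_net, local_net))
    found = {"ike": False, "nat_t": False, "data": False}
    for zone, p in parse_policies(config_text):
        if p["dir"] != "in" or p["action"] != "permit":
            continue  # only inbound permits can satisfy the requirements
        rest = p["rest"].split()
        if zone == "internet" and _covers(p["dst"], p["dstlen"], ep):
            found["ike"] |= rest == ["service", "ike", "self"]
            found["nat_t"] |= rest == ["protocol", "udp", "port", "any", "4500", "self"]
        elif zone == "corp" and _covers(p["src"], p["srclen"], remote) and _covers(p["dst"], p["dstlen"], local):
            found["data"] = True
    required = ["ike", "data"] + (["nat_t"] if nat_between_peers else [])
    return [name for name in required if not found[name]]
```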
Troubleshooting security
214 Troubleshooting August 2013