HTTP Traffic Blocked on VPN Connection to USG FLEX 700

ivessm Posts: 42  Freshman Member
Equipment: USG FLEX 700 - Nebula Managed
2 - CISCO ASA devices providing point-to-point VPN connection to remote sites.

I can PING and TRACERT connections to remote devices at the other end of the Cisco ASAs. TRACERT verifies that the packets are being routed over the Cisco ASA VPNs. NOTE: There is no other way to connect to these remote devices except over the Cisco ASA route.

I can NOT get a successful HTTP connection over the same ASA connections to known HTTP devices at the remote ends.

I cannot see anything in the USG FLEX 700 Nebula Management screens that would be blocking HTTP traffic and allowing PING & TRACERT.

The routing in the USG FLEX 700 was set up under USG FLEX > Configure > Routing > Static Route, for example:
  • Subnet: 10.16.4.0/24
  • IP Address: 10.16.24.4  <<This is the local address for the link to the ASA>>
  • Metric: 1
  • Description: Bla Bla Woof Woof    
As I say, the PING and TRACERT traffic do route through the ASA. I don't know why HTTP traffic won't do the same.

Thanks in advance.

-stew   :-)
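The question above reports ICMP (PING and TRACERT) passing over the static route while HTTP does not. Before hunting through policy screens, a practitioner would want to know which kind of TCP failure it is, because a silently dropped SYN, a refused connection, and a handshake that completes but never carries data point at different layers. The script below is an added example (not from the thread, not Zyxel's or the poster's code) that classifies the outcome of a plain HTTP probe. Host addresses such as 10.16.4.x in the comments are hypothetical placeholders; the built-in self-test runs entirely on loopback.

```python
#!/usr/bin/env python3
"""Classify why an HTTP target fails when ICMP already works.

Added example, not part of the forum thread. The self-test uses
loopback servers constructed here; the remote hosts in the comments
are hypothetical.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(host, port=80, timeout=3.0, path="/"):
    """Return one of: refused, timeout, no_response, reset, closed, responded,
    unexpected, or error:<errno>.

    refused      SYN answered with RST: traffic was routed and a stack replied
    timeout      no SYN/ACK at all: dropped silently (filter) or never delivered
    no_response  handshake completed but the HTTP request got no reply
    responded    an HTTP status line came back
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"error:{exc.errno}"
    with sock:
        sock.settimeout(timeout)
        request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   "Connection: close\r\n\r\n").encode()
        try:
            sock.sendall(request)
            data = sock.recv(4096)
        except (socket.timeout, TimeoutError):
            return "no_response"
        except ConnectionResetError:
            return "reset"
    if not data:
        return "closed"
    return "responded" if data.startswith(b"HTTP/") else "unexpected"


class _OkHandler(BaseHTTPRequestHandler):
    """Minimal handler standing in for a reachable remote web device."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the self-test quiet


def start_responding_server():
    """Loopback HTTP server on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_silent_listener():
    """Socket that completes the TCP handshake (kernel backlog) but is never
    accepted or read, so the HTTP request gets no reply."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


def closed_port():
    """Pick a loopback port with no listener so the SYN is refused."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def self_test(timeout=1.0):
    """Run the probe against the three constructed loopback cases."""
    server, ok_port = start_responding_server()
    silent, silent_port = start_silent_listener()
    try:
        return {
            "responding": probe_http("127.0.0.1", ok_port, timeout),
            "silent": probe_http("127.0.0.1", silent_port, timeout),
            "closed": probe_http("127.0.0.1", closed_port(), timeout),
        }
    finally:
        server.shutdown()
        server.server_close()
        silent.close()


if __name__ == "__main__":
    print(self_test())
    # Against real targets behind the ASA (hypothetical addresses):
    # for host in ("10.16.4.10", "10.16.4.20"):
    #     print(host, probe_http(host, 80))
```

Run it from a host on the USG side of the route against the remote web devices. As a general reading of the outcomes: "refused" means the path is fine and something on the far host answered; "timeout" means the SYN was dropped without any reply, which is what a deny rule or asymmetric return path looks like; "no_response" means small packets (the handshake) get through but the data exchange does not, a pattern commonly associated with path-MTU or MSS problems on tunnelled links. Which of these applies here is not something the thread establishes.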

Answers

  • Zyxel_Chris
    Zyxel_Chris Posts: 438  Zyxel Employee
    So the two ASAs connect the VPN tunnel; what role is the USG FLEX playing in this scenario?
    About the static route: the next-hop IP should be the peer site device. Is the ASA IP 10.16.24.4?

    Chris
  • ivessm
    ivessm Posts: 42  Freshman Member
    Chris, thanks for commenting. Yes, the link to one local ASA is IP 10.15.24.4 and the other is 10.16.24.6.
    Both of these pass PING traffic but neither of them pass HTTP traffic. I can't figure out why.

    -stew 
  • ivessm
    ivessm Posts: 42  Freshman Member
    The USG FLEX 700 is the site router. It handles all routing between the internet and the 2 VPN/ASA devices.
  • ivessm
    ivessm Posts: 42  Freshman Member
    I switched the USG FLEX 700 over to Console Management yesterday. Reconfiguring and will report when I have findings.

    -stew

  • Zyxel_Chris
    Zyxel_Chris Posts: 438  Zyxel Employee
    Do you mean switch to the standalone mode when you mention console management?

    Chris
  • ivessm
    ivessm Posts: 42  Freshman Member
    Nebula_Chris, yes, I removed the USGFLEX 700 from NEBULA Management and brought it up as CONSOLE management.

    Just my opinion but there are far more options for a device like the USGFLEX 700 under CONSOLE MANAGEMENT than NEBULA MANAGEMENT. 
  • Zyxel_Chris
    Zyxel_Chris Posts: 438  Zyxel Employee
    Understood, but the advantage of Nebula management is that it is easy to configure the settings (simplified UI), and most importantly it provides a centralized view of network activity; the admin user management grouping (teams) is another pro.

    Chris
  • ivessm
    ivessm Posts: 42  Freshman Member
    Chris, I hear what you're saying and I totally understand, but I ran into too many limitations in the NEBULA management of the USG 700 compared to the straight CONSOLE Mgmt. Case in point... Where can I see the attached in NEBULA that is available in CONSOLE Mgmt under Configuration > Security Policy > Policy Control???

    I would really really appreciate it if you could point that out to me. Believe me, I looked and looked.

    Here it is from CONSOLE Mgmt.
     
    Thanks.

    -stew

  • Zyxel_Chris
    Zyxel_Chris Posts: 438  Zyxel Employee
    You can configure the security policy in USG FLEX > Firewall > Security Policy.
    In order to prevent the user from blocking the device's connection to the server by accident, we have hidden the default rules.

    Chris
