IPsec VPN tunnel comes up, but ping fails from one end to the peer end

Publication Date: 2012-09-11
Issue Description
A USG5100 at headquarters forms an IPsec VPN with a USG2110 at a branch. Pinging from the branch end to an address on the headquarters internal network succeeds, but once the tunnel is up there is no way to ping from an address on the headquarters internal network to the branch end. The USG version is V100R005SPC300.
Alarm Information
NULL
Handling Process
1. Because the device is a USG5100, there is no interface fast-forwarding issue; no NAT has been configured on the device, and the rest of the configuration has no problems.
2. Pinging from the headquarters internal network to the branch internal network, the sessions on the USG device show the following:
[USG5100]disp firewall session table
09:46:20 2011/09/10
Current Total Sessions : 9
esp VPN:public --> public 123.233.206.111:0-->124.133.249.10:0
tcp VPN:public --> public 192.168.10.33:1058-->192.168.1.112:3389
icmp VPN:public --> public 192.168.1.112:1024[124.133.244.10:1024]-->192.168.10.1:2048
netbios-data VPN:public --> public 192.168.1.112:138[124.133.244.10:138]-->192.168.1.255:138  
The session to the peer end has been translated by NAT, even though no outbound NAT is configured on the USG5100 and this address cannot access the external network either.
3. On reviewing the configuration again, it turns out that the user has configured an address mapping for this address:
nat server 0 protocol tcp global 124.133.244.10 3389 inside 192.168.1.112 3389
After adding "no-reverse" to this configuration command, pinging the peer end's private network address succeeds. This shows that the IPsec-interested data flow was matching the reverse session of the nat server mapping.
Root Cause
1. Interface fast-forwarding issue.
2. Outbound NAT does not yet exclude the IPsec-interested data flow.
3. Other.
Suggestions
    If an address has a reverse session in the outbound direction, the mapping matches the entire IP address rather than the exact port, even when the mapping is configured per port.
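The behaviour this article describes, modelled as a small added Python example (not Huawei code and not from this page): outbound packets are first checked against the reverse session of each nat server mapping by inside address only, and only then against the IPsec ACL, so a port-based mapping without no-reverse still pulls the whole host out of the tunnel. The 192.168.1.0/24 and 192.168.10.0/24 subnets and the ACL logic are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatServer:
    """One 'nat server' mapping; no_reverse models the no-reverse keyword."""
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int
    no_reverse: bool = False

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def apply_reverse_nat(pkt, mappings):
    """Outbound (reverse-session) matching as the article describes it: the
    whole inside address matches and the port is ignored, unless no-reverse."""
    for m in mappings:
        if not m.no_reverse and pkt.src == m.inside_ip:
            return Packet(pkt.proto, m.global_ip, pkt.sport, pkt.dst, pkt.dport)
    return pkt

def matches_ipsec_acl(pkt, local_net, remote_net):
    """IPsec-interested traffic: private source to private destination."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(remote_net))

def outbound_path(pkt, mappings, local_net="192.168.1.0/24",
                  remote_net="192.168.10.0/24"):
    """'ipsec' if the packet still matches the ACL after NAT, else 'plain'.
    The /24 subnets are assumed; the article only shows individual hosts."""
    return "ipsec" if matches_ipsec_acl(apply_reverse_nat(pkt, mappings),
                                        local_net, remote_net) else "plain"

def session_line(pkt, mappings):
    """Render the session in the 'display firewall session table' layout,
    with the translated source shown in square brackets."""
    t = apply_reverse_nat(pkt, mappings)
    src = f"{pkt.src}:{pkt.sport}"
    if t.src != pkt.src:
        src += f"[{t.src}:{t.sport}]"
    return f"{pkt.proto} VPN:public --> public {src}-->{pkt.dst}:{pkt.dport}"
```

With the mapping from this page and no no-reverse, the constructed ping from 192.168.1.112 renders exactly as the icmp session line shown above and is classed "plain"; with no-reverse it stays untranslated and is classed "ipsec".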
