Establish IPSEC VPN between USG5100 headquarters and usg2110 branch, the branch can ping the headquarters successfully, but when the tunnel established, the headquarters can not ping the branch. USG version is V100R005SPC300.
1. There is not interface switch problem on USG5100, and we did not configure NAT on device, also there is no problem on other configuration.
2. Headquarters internal network ping branch internal network, check the conversation on USG device, as follow:
[USG5100]disp firewall session table
Current Total Sessions : 9
esp VPN:public --> public 184.108.40.206:0-->220.127.116.11:0
tcp VPN:public --> public 192.168.10.33:1058-->192.168.1.112:3389
icmp VPN:public --> public 192.168.1.112:1024[18.104.22.168:1024]-->192.168.10.1:2048
netbios-data VPN:public --> public 192.168.1.112:138[22.214.171.124:138]-->192.168.1.255:138
We find that the conversation is translated by NAT, but there is no Outband direction NAT on USG5100 configuration, and this address can not access external net.
3. Check the configuration again and find a map that some user does:
nat server 0 protocol tcp global 126.96.36.199 3389 inside 192.168.1.112 3389
try to add no-reverse after this configuration, then ping the internal address again, access successfully. It is because IPSEC data flow matchs the opposite conversation of nat server.
1. Problem of interface switch.
2. Outbound direction NAT receives interest data flow.