Networking: PC (Intranet) ---------- third-party firewall ------- Internet ------- E1000E-X3---------SSL-VPN server
An IPSec tunnel was set up between the third-party firewall and Huawei firewall E1000E-X3.
The nat-policy interzone trust untrust outbound was applied so that hosts could access the Internet. No-NAT was applied to communication between private network addresses.
An intranet PC could telnet to the SSL-VPN server, but the SSL-VPN server failed to telnet to the intranet PC.
After the SSL-VPN server tried to telnet to an intranet PC, engineers ran dis firewall session table destination inside 10.****** to query session information, and the corresponding session information was displayed.
Tracert tests succeeded from the SSL-VPN server and the public address of the uplink interface on E1000E-X3.
On E1000E-X3, pinging the intranet PC using the SSL-VPN server address as the source address succeeded.
According to the tracert results, the second and third hops were numbered xxx, and the fourth hop was the destination address.
Huawei performed the following operations to address the problem:
1. Found that the E1000E did not block the remote access packets and that sessions could be set up properly.
2. Checked the IPSec information and found that VPN channels were set up properly.
3. Found that tracert to the public address succeeded.
4. Checked outbound NAT policy configurations.
nat-policy interzone trust untrust outbound
policy source 10.************
policy source 10.*************
policy destination 10.**********
Configure policy 1 and then policy 6.
nat-policy interzone trust untrust outbound
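The interaction between rule order in the outbound NAT policy and the IPSec tunnel in this case, as an added example (not from the original case or from Huawei). It models first-match evaluation with constructed addresses and hypothetical rule objects; it assumes NAT is applied before the IPSec match and that replies on an existing session skip the NAT lookup, and it does not claim which rule is policy 1 or policy 6.

```python
import ipaddress

# Constructed values: the page masks its real 10.x addresses.
LOCAL = ipaddress.ip_network("10.1.0.0/16")    # assumed: SSL-VPN server side (E1000E-X3)
REMOTE = ipaddress.ip_network("10.2.0.0/16")   # assumed: intranet PC side (third-party firewall)
ANY = ipaddress.ip_network("0.0.0.0/0")
PUBLIC = ipaddress.ip_address("203.0.113.10")  # documentation-range NAT address

# Hypothetical rule objects; the page does not show which rule is policy 1 or 6.
NO_NAT = {"src": LOCAL, "dst": REMOTE, "action": "no-nat"}
SOURCE_NAT = {"src": LOCAL, "dst": ANY, "action": "source-nat"}


def translate(policies, src, dst):
    """First matching rule wins; return the source address after outbound NAT."""
    for rule in policies:
        if src in rule["src"] and dst in rule["dst"]:
            return PUBLIC if rule["action"] == "source-nat" else src
    return src


def enters_tunnel(policies, src, dst, reply_to_session=False):
    """True if the packet still matches the IPSec-protected flow after NAT.

    Assumption: NAT is applied before the IPSec match, and replies to an
    existing session are forwarded on that session without a NAT lookup.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not reply_to_session:
        src = translate(policies, src, dst)
    return src in LOCAL and dst in REMOTE


if __name__ == "__main__":
    server, pc = "10.1.0.5", "10.2.0.7"
    for name, order in (("source-nat first", [SOURCE_NAT, NO_NAT]),
                        ("no-nat first", [NO_NAT, SOURCE_NAT])):
        print(name,
              "| server->PC new session:", enters_tunnel(order, server, pc),
              "| reply to PC-initiated session:",
              enters_tunnel(order, server, pc, reply_to_session=True))
```

With the source-NAT rule evaluated first, a session initiated by the server is translated and no longer matches the private-to-private flow, while replies to a PC-initiated session still pass, which matches the one-way symptom in this case.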