L2L VPN and DNS question

libra2222
Level 1

Hi

I have set up a L2L VPN between a Cisco 857 (ADSL modem/router) in a branch and the Nokia IP130 Firewall at the main office. I am having the following issues and I will appreciate your input.

1) I would like the machines inside the remote office (LAN2) to connect to the main office (LAN1) for AD, but to use its own ISP gateway for Internet access.

At the moment, it seems like all traffic has been redirected through the VPN, i.e. a PC in LAN 2 with its DNS server pointing to the ISP's can't reach the Internet. Using a packet analyser, I can see that DNS requests are sent, but replies are not coming back. I figure that they might be stopped in the Nokia Firewall Gateway at the other end, to which I have limited access to check the logs.

I have also debugged ip packets at the router, and see no activity of any ACL stopping the reply packets.

The interesting parts of the Cisco configuration are as follows:

--- NAT setup

ip nat inside source route-map NONAT interface Dialer1 overload

--- Route-map (I have read mixed posts saying that sometimes this approach does not work)

route-map NONAT permit 10
 match ip address 101

----

access-list 101 remark NONAT access rule excludes IPSEC connections from NAT
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

I will appreciate some help with troubleshooting this issue. I can post the rest of the config if necessary.

Many thanks !
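To make the NAT-exemption logic in the posted configuration concrete, here is an added example (not code from the thread or from Cisco) that models how IOS classifies an inside-to-outside packet: the route-map NAT translates only what ACL 101 permits, and the crypto map is evaluated after translation, so the crypto ACL sees the post-NAT source address. The crypto-map ACL is not shown in the question, so the one used here (only LAN2 to LAN1 as interesting traffic) is an assumption, as are the Dialer1 public address, the domain controller and the ISP resolver addresses. The example also runs the same flows through a NAT ACL that lacks the deny line, to show the failure mode that the exemption prevents.

```python
"""Model of IOS inside-to-outside packet handling with a route-map NAT and a
crypto-map ACL. Added example; all addresses and the crypto ACL are constructed."""
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip, network, wildcard):
    """Cisco wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(network) & care)


def _parse_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse extended 'access-list N {permit|deny} ip SRC DST' lines; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        if tokens[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        entries.append((tokens[2], src, dst))
    return entries


def acl_action(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def classify(nat_acl, crypto_acl, src, dst, nat_ip):
    """Return (source address as the packet leaves Dialer1, 'encrypted' | 'clear').

    With 'ip nat inside source route-map NONAT ...' and 'match ip address 101',
    traffic the ACL permits is translated and traffic it denies is left alone
    (NAT exemption). Inside-to-outside, translation happens before the crypto
    map is checked, so the crypto ACL is matched against the post-NAT source."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = nat_ip
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, "encrypted" if encrypted else "clear"


# The NAT ACL exactly as posted in the question.
NAT_ACL_POSTED = """
access-list 101 remark NONAT access rule excludes IPSEC connections from NAT
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""
# The same ACL with the exemption line missing (a common mistake, constructed here).
NAT_ACL_NO_EXEMPT = """
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""
# Assumed crypto-map ACL; the thread does not show the real one.
CRYPTO_ACL_ASSUMED = """
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
DIALER_IP = "198.51.100.7"   # constructed public address of Dialer1
AD_SERVER = "192.168.1.5"    # constructed domain controller in LAN1
ISP_DNS = "203.0.113.53"     # constructed ISP resolver
BRANCH_PC = "192.168.2.10"   # constructed PC in LAN2


def report(nat_acl_text=NAT_ACL_POSTED):
    """Classify an AD flow and an ISP-DNS flow under the given NAT ACL."""
    nat = parse_acl(nat_acl_text)
    crypto = parse_acl(CRYPTO_ACL_ASSUMED)
    return {
        "ad": classify(nat, crypto, BRANCH_PC, AD_SERVER, DIALER_IP),
        "dns": classify(nat, crypto, BRANCH_PC, ISP_DNS, DIALER_IP),
    }


if __name__ == "__main__":
    for label, text in (("posted", NAT_ACL_POSTED), ("no exemption", NAT_ACL_NO_EXEMPT)):
        print(label, report(text))
```

With the posted ACL, the AD flow keeps its 192.168.2.10 source and matches the crypto ACL, so it is encrypted, while the DNS flow is translated to the Dialer1 address and leaves in the clear towards the ISP, which is the intended split. Under this model the posted NAT configuration is therefore not what would push DNS into the tunnel, so the crypto-map ACL on the 857 is the next thing to compare against the Nokia's definition of the tunnel. Without the deny line, the AD flow is translated before the crypto check, no longer matches the crypto ACL, and goes out unencrypted from the public address, which is the failure the exemption exists to prevent.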

2 Replies

owillins
Level 6

Using PAT (or NAT Overload) with IPSec is not recommended when the PAT occurs between two IPSec peers.

Thanks for your reply.

I would like to know why it is not recommended, and what the alternatives are for design, in this case. I imagine that this is a common case where you have a main office and a branch, with a L2L connection?
