Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
260
Views
0
Helpful
2
Replies

L2L VPN and DNS question

libra2222
Level 1
Level 1

‎09-20-2007 07:17 AM - edited ‎03-05-2019 06:36 PM

HI

I have setup a L2L VPN between Cisco 857 (ADSL modem/router) in a branch and the Nokia IP130 Firewall at the main office. I am having the follwowing issues and I will appreciate your input

1) I would like the machines inside the remote office (LAN2) to connect to the main office (LAN1) for AD, but to use its own ISP gateway for Internet access.

At the moment, it seems like all traffic has been redirected through the VPN. ie - a PC in LAN 2 with DNS server pointing to reach ISP's, can't reach the Internet. Using a packet analyser, i can see that DNS requests are sent, but replies are not coming back. I figure that they might be stopped in the Nokia Firewall Gateway in the other end, to which i have limited access to check the logs.

I have also debugged ip packets at the router, and see no activity of any ACL stopping the reply packets.

The interesting parts of the Cisco configuration are as follwos:

--- NAT setup

ip nat inside source route-map NONAT interface Dialer1 overload

--- Route-map (I have read mixed posts saying that sometimes this approach does not work)

route-map NONAT permit 10

match ip address 101

----

access-list 101 remark NONAT access rule excludes IPSEC connections from NAT

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

I will appreciate some help with troubleshooting this issue. I can post the rest of teh config if necesary.

Many thanks !

Labels:
0 Helpful
2 Replies 2

owillins
Level 6
Level 6

‎09-26-2007 08:59 AM

Using PAT (or NAT Overload) with IPSec is not recommended when the PAT occurs between two IPSec peers.

0 Helpful

libra2222
Level 1
Level 1
In response to owillins

‎09-26-2007 10:00 AM

thanks for your reply.

I would like to know why it is not recommended, and what the alternatives are for desing, in this case. I imagine that this is a common case where you have a main office and a branch, with a L2L connection?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card