Cisco Support Community
Community Member

L2L VPN and DNS question


I have setup a L2L VPN between Cisco 857 (ADSL modem/router) in a branch and the Nokia IP130 Firewall at the main office. I am having the follwowing issues and I will appreciate your input

1) I would like the machines inside the remote office (LAN2) to connect to the main office (LAN1) for AD, but to use its own ISP gateway for Internet access.

At the moment, it seems like all traffic has been redirected through the VPN. ie - a PC in LAN 2 with DNS server pointing to reach ISP's, can't reach the Internet. Using a packet analyser, i can see that DNS requests are sent, but replies are not coming back. I figure that they might be stopped in the Nokia Firewall Gateway in the other end, to which i have limited access to check the logs.

I have also debugged ip packets at the router, and see no activity of any ACL stopping the reply packets.

The interesting parts of the Cisco configuration are as follwos:

--- NAT setup

ip nat inside source route-map NONAT interface Dialer1 overload

--- Route-map (I have read mixed posts saying that sometimes this approach does not work)

route-map NONAT permit 10

match ip address 101


access-list 101 remark NONAT access rule excludes IPSEC connections from NAT

access-list 101 deny ip

access-list 101 permit ip any

I will appreciate some help with troubleshooting this issue. I can post the rest of teh config if necesary.

Many thanks !


Re: L2L VPN and DNS question

Using PAT (or NAT Overload) with IPSec is not recommended when the PAT occurs between two IPSec peers.

Community Member

Re: L2L VPN and DNS question

thanks for your reply.

I would like to know why it is not recommended, and what the alternatives are for desing, in this case. I imagine that this is a common case where you have a main office and a branch, with a L2L connection?

CreatePlease to create content