Bizarre VPN behaviour?

marcosgeorge
Level 1

Hi Guys, I'm struggling to get my VPN up and running correctly. I'm not sure if it's an issue with my setup or my understanding. Any help will be VERY much appreciated.

I have the following setup

Outside:

ip:172.16.1.1 - assigned by my router

netmask: 255.255.255.0

gateway: 172.16.1.254

Inside:

192.168.1.1

255.255.255.0

Inside Hosts:

192.168.1.0 network.

255.255.255.0

gateway: 192.168.1.1

DNS : 172.16.1.254

My inside hosts can access the internet.

Now when I VPN in, I get an IP address 192.168.1.X.

I can ping 192.168.1.1 , which should be my ASA inside interface.... but for some reason I get a reply from 172.16.1.1 :s.

Also I can see another computer's file shares on //192.168.1.2, however I cannot ping the DNS server (the ASA outside interface) and I therefore cannot surf the web etc..etc... I also cannot access the ASDM via https, telnet or ssh.

I have attached my running config.

I understand that I could probably set up a split-tunnel to access the internet but I don't want to do that. Plus that won't solve my ASDM issues.

Many many thanks

Marc.

29 Replies

Article is not related with this scenario actually, it's something completely different. I just thought it might be an intra-interface issue (this option permits ipsec traffic to enter and exit the same int) but realized that flow through 0.0.0.0 is not ipsec traffic; anyway, I suggested it whether it works or not.

I analyzed the config once more and have some questions. Your outside interface acquires IP from DHCP. What IP does it have ATM and which device has the IP address 172.16.1.254?

Is there a domain controller at main office?

I want two outputs from following in VPN client

1)In command line, run

tracert 64.156.132.140

2)In command line, run

nslookup, then type www.google.com, then type a computer name that exists at main office, for example pc01.domain.com

Oh! You use your internet router/gateway as DNS server, don't you? And it is located at outside interface.... If yes, then please issue the following command

access-list outside_nat0_outbound permit ip 172.16.1.0 255.255.255.0 192.168.1.32 255.255.255.240

nat (outside) 0 access-list outside_nat0_outbound outside

this would fix it up!

yes that is correct.

I have a router/modem(172.16.1.254) on my outside interface which is doing the dns.

Can you explain the rule you want me to apply?

"access-list outside_nat0_outbound permit ip 172.16.1.0 255.255.255.0 192.168.1.32 255.255.255.240"

So this ACL will trigger on traffic from the 172.16.1.0/24 network destined for my VPN network.

"nat (outside) 0 access-list outside_nat0_outbound outside "

That's a NAT exemption rule?

So traffic from my 172.16.1.0 network destined for the 192.168.1.32 network (my VPN subnet) won't be translated?

If that's correct... shouldn't the access-list be something like...

access-list outside_nat0_outbound permit ip 192.168.1.32 255.255.255.240 192.168.1.32 255.255.255.240

?? The router seems to be seeing the source as my VPN client, even though it's on the outside interface??

And should I be setting up a NAT rule, not a NAT exemption rule? I thought I would want my VPN traffic sent out unencrypted so I can access the internet.

"In another application, this feature can redirect incoming VPN traffic back out through the same interface as unencrypted traffic. This would be useful, for example, to a VPN client that does not have split tunneling but needs to both access a VPN and browse the Web."

"For the security appliance to send unencrypted traffic back out through the interface, you must enable NAT for the interface so that publicly routable addresses replace your private IP addresses (unless you already use public IP addresses in your local IP address pool). The following example applies an interface PAT rule to traffic sourced from the client IP pool:

hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100

hostname(config)# global (outside) 1 interface

hostname(config)# nat (outside) 1 192.168.0.0 255.255.255.0"

I will try both when I get back to my home network....

Thanks again...

It's always good to learn new things.

"So traffic from my 172.16.1.0 network destined for the 192.168.1.32 network(my vpn subnet) won't be translated?"

Correct

"If thats correct...shouldn't the access-list be something like...

access-list outside_nat0_outbound permit ip 192.168.1.32 255.255.255.240 192.168.1.32 255.255.255.240"

No. The above ACL has no use, source and destination are the same (both 1.32/24). Network statements like NAT or split tunnel are not like ACLs for filtering traffic. Check and compare with your inside_nat0_outbound ACL.

"For the security appliance to send unencrypted traffic back out through the interface, you must enable NAT for the interface so that publicly routable addresses replace your private IP addresses (unless you already use public IP addresses in your local IP address pool). The following example applies an interface PAT rule to traffic sourced from the client IP pool:

hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100

hostname(config)# global (outside) 1 interface

hostname(config)# nat (outside) 1 192.168.0.0 255.255.255.0"

The more you look for, the more things will get complicated. If you implement the above config, you won't be able to communicate with inside hosts.

Hi Husycisco,

I REALLY don't understand why you want me to issue that command. Could you please explain to me the reasoning behind adding the NAT exemption rule on the outside interface and how it theoretically should fix my issue with internet browsing?

I have applied the recommended changes. The only difference is that unfortunately my stupid modem/router won't let me change the damn network mask for the DHCP server, so it's issuing addresses in 172.16.0.0/16.

So I applied

access-list outside_nat0_outbound permit ip 172.16.0.0 255.255.0.0 192.168.1.32 255.255.255.240

nat (outside) 0 access-list outside_nat0_outbound outside

but it STILL isn't working.

I appear to be getting the following syslog error in relation to my ping/nslookup attempts:

"portmap translation creation failed for upd src outside:192.168.1.33/1872 dst outside:172.16.1.254/53"

as well as

"portmap translation creation failed for icmp src outside:192.168.1.33 dst outside:64.156.132.40 (type 8, code 0)"

when I issue a "ping 64.156.132.40".

once again I have posted my updated running-config.

Below is some output I receive on my client (192.168.1.33).

Ping requests to the IP address 64.156.132.40 are timing out,

and nslookup requests are getting "DNS request timed out" errors.

Thanks again.. I'm off to read some more on VPN setups.

My bad... sometimes networks and subnets start flying in my head while dealing with many different configurations and questions at the same time :) Please do the following modification

no access-list outside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.32 255.255.255.240

access-list outside_nat0_outbound extended permit ip 192.168.1.32 255.255.255.240 172.16.0.0 255.255.0.0

clear xlate

"I REALLY don't understand why you want me to issue that command. Could you please explain to me the reasoning behind adding the NAT exemption rule on the outside interface and how it theoretically should fix my issue with internet browsing?"

Sure. In common scenarios, the DNS server is usually at the inside interface. Mostly this is a Domain Controller with integrated AD DNS, and the router's IP is added as a DNS forwarder or root hints are configured.

In this scenario, the DNS server is located at the outside interface, and no NAT statement exists to make the VPN subnet able to communicate with hosts located at the outside interface. If the DNS server was located at the DMZ or at another interface, we would have to do the same statements. These are the statements which in fact make you able to communicate with inside hosts ATM (inside_nat0_outbound).
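The direction of the exemption ACL is the whole point of the correction above. Below is an added Python model (not from this thread, Cisco, or the ASA itself) of how a nat0 ACL bound with "nat (outside) 0 access-list ..." is matched: the packet that opens the connection as it enters the bound interface is compared source-to-source and destination-to-destination, so the first attempt and the corrected ACL behave differently for the same VPN client. The flow addresses are constructed from the ones the posters gave.

```python
import ipaddress


def ace(src, dst):
    """One permit entry of an ASA nat0 ACL, in the 'network netmask' CLI form."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))


# The three candidate ACLs discussed in the thread.
FIRST_ATTEMPT = [ace("172.16.0.0/255.255.0.0", "192.168.1.32/255.255.255.240")]
CORRECTED = [ace("192.168.1.32/255.255.255.240", "172.16.0.0/255.255.0.0")]
SAME_SRC_DST = [ace("192.168.1.32/255.255.255.240", "192.168.1.32/255.255.255.240")]


def nat0_exempt(acl, src_ip, dst_ip):
    """True if a packet src->dst entering the bound interface hits a permit ACE.

    Real source is compared with the ACE source and real destination with the
    ACE destination; the comparison is not symmetric, which is why reversing
    the two networks changes the result.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in a and d in b for a, b in acl)


# Constructed flows, as the ASA sees them arriving on the outside interface.
FLOWS = {
    "vpn client -> router DNS": ("192.168.1.33", "172.16.1.254"),
    "vpn client -> internet ping": ("192.168.1.33", "64.156.132.40"),
    # Reply direction only; the xlate is decided by the packet that opened
    # the connection, so matching here alone does not help.
    "router DNS reply -> vpn client": ("172.16.1.254", "192.168.1.33"),
}


def evaluate(acl):
    """Map each constructed flow to whether this ACL exempts it from NAT."""
    return {name: nat0_exempt(acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("first attempt", FIRST_ATTEMPT),
                       ("corrected", CORRECTED),
                       ("same src/dst", SAME_SRC_DST)):
        print(label, evaluate(acl))
```

Internet-bound flows are exempt under none of the three ACLs; as the Cisco passage quoted earlier in the thread says, those need a separate NAT rule on the outside interface rather than an exemption.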

Oh ok.... that makes more sense to me now....

So the NAT exemption rule will forward traffic to my router (which acts as a DNS) but will not do any translation on the traffic?

I've applied the changes but still no luck...

This is what I seem to get when I do a ping to the IP address you gave me

6|Feb 16 2008|05:16:42|302021|192.168.1.34|64.156.132.140|Teardown ICMP connection for faddr 192.168.1.34/1536 gaddr 64.156.132.140/0 laddr 64.156.132.140/0 (vpnuser)

6|Feb 16 2008|05:16:40|302020|192.168.1.34|64.156.132.140|Built ICMP connection for faddr 192.168.1.34/1536 gaddr 64.156.132.140/0 laddr 64.156.132.140/0 (vpnuser)

6|Feb 16 2008|05:16:37|302021|192.168.1.34|64.156.132.140|Teardown ICMP connection for faddr 192.168.1.34/1536 gaddr 64.156.132.140/0 laddr 64.156.132.140/0 (marcosgr)

6|Feb 16 2008|05:16:35|302020|192.168.1.34|64.156.132.140|Built ICMP connection for faddr 192.168.1.34/1536 gaddr 64.156.132.140/0 laddr 64.156.132.140/0 (vpnuser)

6|Feb 16 2008|05:16:31|302021|192.168.1.34|64.156.132.140|Teardown ICMP connection for faddr 192.168.1.34/1536 gaddr 64.156.132.140/0 laddr 64.156.132.140/0 (vpnuser)

6|Feb 16 2008|05:16:29|302020|192.168.1.34|64.156.132.140|Built ICMP connection for faddr 192.168.1.34/1536 gaddr 64.156.132.140/0 laddr 64.156.132.140/0 (vpnuser)

6|Feb 16 2008|05:16:12|302015|172.16.1.255|255.255.255.255|Built inbound UDP connection 49591 for outside:172.16.1.255/68 (172.16.1.255/68) to NP Identity Ifc:255.255.255.255/67 (255.255.255.255/67)

If I try to access a site, say via Firefox based on domain name, I seem to be getting:

6|Feb 16 2008|05:26:57|302014|12.120.29.14|192.168.1.18|Teardown TCP connection 49606 for outside:12.120.29.14/80 to inside:192.168.1.18/3954 duration 0:05:06 bytes 3984 TCP FINs

6|Feb 16 2008|05:26:57|302014|12.120.29.14|192.168.1.18|Teardown TCP connection 49608 for outside:12.120.29.14/80 to inside:192.168.1.18/3955 duration 0:05:05 bytes 4986 TCP FINs

6|Feb 16 2008|05:26:23|302015|MY_ISP_ASSIGNED_IP|172.16.1.1|Built inbound UDP connection 49657 for outside:MY_ISP_ASSIGNED_IP/2497 (MY_ISP_ASSIGNED_IP/2497) to NP Identity Ifc:172.16.1.1/500 (172.16.1.1/500)

6|Feb 16 2008|05:26:18|302015|192.168.1.34|192.168.1.47|Built inbound UDP connection 49656 for outside:192.168.1.34/137 (192.168.1.34/137) to outside:192.168.1.47/137 (192.168.1.47/137) (marcosgr)

Note: I've replaced my inside global public IP with MY_ISP_ASSIGNED_IP

thanks again.

I'm wondering if it's a problem with traffic on the way back in.....

OK then. Let's apply the following.

no nat (outside) 0 access-list outside_nat0_outbound outside

no nat (outside) 2 192.168.1.32 255.255.255.240

no access-list outside_nat0_outbound extended permit ip 192.168.1.32 255.255.255.240 172.16.0.0 255.255.0.0

nat (outside) 1 192.168.1.32 255.255.255.240

global (inside) 1 interface

clear xlate

OK, I'll do this as soon as I get home.

So now I'm removing the nat exemption?

Can you explain why you want me to do this?

Thanks.

OK, still no luck.....

I have copied out the NAT and access-list commands and commented what I think they are doing... maybe that will help.

same-security-traffic permit intra-interface ; allow hairpinning. Traffic coming from my VPN clients terminated on the outside interface will need to go back out to the DNS server.

--------------- Configuration for DMZ and webserver ----

access-list outside_access_in extended permit tcp any host 172.16.1.1 eq www log

access-group outside_access_in in interface outside

; allow web traffic in on the outside interface.

; sending web traffic to my DMZ host

static (DMZ,outside) tcp interface www 192.168.2.2 www netmask 255.255.255.255

--------------------------------

--------Nat Exemptions for VPN-----------

access-list inside_nat0_outbound extended permit ip any 192.168.1.32 255.255.255.240

nat (inside) 0 access-list inside_nat0_outbound

-----------------------------------------

----- The last commands you gave me - I changed the NAT ID.... is that an issue??------------

nat (outside) 2 192.168.1.32 255.255.255.240 ; my VPN Client traffic on the outside interface

global (inside) 2 interface ; will be translated to the inside network address ???? IS that right????

---------------------------------------------------------------

------------ Default Nat-----------------

nat (inside) 1 0.0.0.0 0.0.0.0 ; map any any from the inside

global (outside) 1 interface ; to an address on the outside interface (these are still private addresses as my outside address gets assigned via DHCP by my router/modem).

-------------------------------------------

This is the strangest problem .....

Just to add some more info...

I'm getting the old "port map translation creation failed" errors..... The funny thing is the syslogs list the source IP but the destination id is empty.......

"The last commands you gave me - I changed the NAT ID.... is that an issue??"

Of course that's an issue. Please apply exactly what I have posted, then apply clear xlate. Then disconnect the VPN client and reconnect.

Then please post the current config.

I will make the theory explanations as we resolve this.

Hi Marcos

Any update?

Hi Husycisco,

Sorry about the lack of updates.... I've been called away for work. I will be back tomorrow night (around 24 hours from this post) and I will try to update then.

thanks again!

Hi Husy,

I need to start by apologising for not updating in so long. On my way back from a work trip I received tragic news involving a family member and the professional aspect of my life has had to be put on the back burner.

Apologies and I appreciate all the time you have spent trying to assist me with this issue.

I have once again attached my current config. It may not be exactly as what was expected due to the fact I also had a colleague of mine make some changes whilst I was away.

thanks.