I have a VPN tunnel setup across the internet using a Cisco 837 and VPN3030. No users at the remote site are allowed access to the internet, just the VPN.
I have DHCP set up on the 837 for the remote users which gives a DNS server address of a central DNS server, but the PCs don't register themselves with the DNS server.
On further investigation, the PCs are sending their DNS requests to the 837 as this is their DHCP server, and the router doesn't forward the DNS requests down the tunnel. A ping from the router also fails to destinations down the tunnel.
I think that the packets are sourced from the ADSL interface and not the Ethernet interface (which is allowed by the access list down the tunnel).
If you do a ping from the router, the traffic would be sourced from the ADSL interface. Make sure to do an extended ping sourcing from the Ethernet interface of the router. The IP address of the DNS server given to your users must be its private address and must be included in the interesting traffic defined in your crypto ACL.
To test if the VPN tunnel is working fine, do an extended ping from the router to the VPN concentrator's private interface first.
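The checks from the answer above, shown as an added IOS configuration fragment for the 837 (example only, not the poster's configuration). Addresses, names and the peer IP are constructed; the ISAKMP policy and pre-shared key are assumed to be configured already.

```cisco
! Constructed addressing for this example:
!   192.168.10.0/24 = remote LAN behind the 837 (Ethernet0)
!   10.0.0.0/24     = central LAN behind the VPN 3030, DNS server 10.0.0.53
!
! DHCP on the 837 hands out the DNS server's PRIVATE address,
! so the queries are destined for a host inside the crypto ACL range
ip dhcp pool REMOTE-LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 10.0.0.53
!
! Crypto ACL ("interesting traffic"): the DNS server's subnet must be in
! the destination range, otherwise its queries are sent in the clear
! (and dropped, since the remote site has no internet access)
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
! The crypto map sits on the ADSL-facing interface; a plain "ping" from the
! router is sourced here and never matches ACL 110
interface Dialer0
 crypto map VPN-MAP
!
! Verification (exec mode): source the ping from the Ethernet side so it
! matches the crypto ACL, then confirm the SA shows encrypted packets
! Router# ping 10.0.0.53 source 192.168.10.1
! Router# show crypto ipsec sa
```

If the sourced ping to the concentrator's private interface succeeds but the one to the DNS server fails, compare the DNS server address against the destination range of the crypto ACL on both ends.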