Cisco 2811 VPN NATting

Hi,

I have Cisco VPN clients connecting to a Cisco 2811 to access private IP corporate resources. However, now I need them to access some internet-based IPs (our production network) over the VPN tunnels. This means enabling VPN clients to hit the internet through the 2811, which means NATing of their traffic out, since the VPN client IPs are private.

I cannot figure out how to accomplish this. The connections to the now-secure routes to the internet-based IPs time out. ICMP from the VPN clients will hit nothing beyond the outside interface (Dialer1). I suspect it's something regarding the VPN clients coming in on the outbound interface (Dialer1) and then trying to go out that same interface to hit the internet-based IPs and not getting NATted.

Can someone explain to me what I might be missing here?

Here's relevant parts of my config. If you think other parts are relevant, I can provide those as well

Thanx.

xxx.xxx.xxx = Corporate public IPs
zzz.zzz.zzz = Production public IPs
yyy.yyy.yyy = Default internet route

192.168.167 = VPN client IPs
192.168.168 = Corporate DMZ
10.10.10    = Corporate Trust

interface Dialer1
 description $FW_OUTSIDE$
 bandwidth 7000
 ip address xxx.xxx.xxx.206 255.255.255.240
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname MYUSERNAME
 ppp chap password 0 MYPASSWORD
 ppp pap sent-username MYUSERNAME password 0 MYPASSWORD
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.167.2 192.168.167.10
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy permanent
ip route 10.0.0.0 255.0.0.0 192.168.192.1 permanent
!
!
ip nat pool outsidepool xxx.xxx.xxx.195 xxx.xxx.xxx.204 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static 192.168.168.2 xxx.xxx.xxx.193 route-map SDM_RMAP_3
ip nat inside source static 10.10.10.2 xxx.xxx.xxx.194 route-map SDM_RMAP_2
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.2
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.3
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.4
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.5
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.6
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.7
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.8
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.9
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.10
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.2
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.3
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.4
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.5
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.6
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.7
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.8
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.9
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.10
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.2
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.3
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.4
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.5
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.6
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.7
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.8
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.9
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.10
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.2
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.3
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.4
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.5
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.6
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.7
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.8
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.9
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.10
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.2
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.3
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.4
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.5
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.6
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.7
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.8
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.9
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.10
access-list 100 deny ip any host 192.168.167.2
access-list 100 deny ip any host 192.168.167.3
access-list 100 deny ip any host 192.168.167.4
access-list 100 deny ip any host 192.168.167.5
access-list 100 deny ip any host 192.168.167.6
access-list 100 deny ip any host 192.168.167.7
access-list 100 deny ip any host 192.168.167.8
access-list 100 deny ip any host 192.168.167.9
access-list 100 deny ip any host 192.168.167.10
access-list 100 deny ip host 192.168.168.2 any
access-list 100 deny ip host 10.10.10.2 any
access-list 100 permit ip 192.168.168.0 0.0.0.255 any
access-list 100 permit ip 10.1.0.0 0.0.3.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.2.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.167.0 0.0.0.255 any

-Tony

Anthony J. Biacco
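The hairpin Tony describes is the usual cause of this symptom on classic IOS NAT: a VPN client packet is decrypted on Dialer1 (a NAT outside interface) and routed straight back out Dialer1, so it never crosses an interface marked `ip nat inside` and the `ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload` rule never gets a chance to translate it, even though access-list 100 already permits 192.168.167.0/24 to any. The following is an added example of one common way to fix that, not part of Tony's posted config and not a reply from this thread: policy-route the VPN-pool traffic that is bound for the Internet through a loopback marked `ip nat inside`, so it is translated by the existing overload rule on its way out. Loopback0 and its 10.255.255.0/30 address, access-list 150 and the route-map name VPN-HAIRPIN are assumed to be unused on the router and were chosen here for illustration.

```cisco
! Added example, not the poster's running config.
! Assumes Loopback0, 10.255.255.0/30, ACL 150 and route-map VPN-HAIRPIN
! are free on this router.
!
! A NAT-inside hop for hairpinned VPN client traffic. Nothing else needs
! to use this interface; it exists only so policy-routed packets cross a
! NAT inside interface before leaving Dialer1.
interface Loopback0
 description NAT-inside hop for VPN clients going to the Internet
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
! Select VPN-pool traffic bound for the Internet only. The deny lines come
! first so client traffic for the corporate networks (10/8 via 192.168.192.1,
! the 192.168.168.0/24 DMZ, and client-to-client) keeps its normal path and
! is neither policy-routed nor translated.
access-list 150 remark VPN clients -> Internet only (hairpin NAT)
access-list 150 deny   ip 192.168.167.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 deny   ip 192.168.167.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 150 deny   ip 192.168.167.0 0.0.0.255 192.168.167.0 0.0.0.255
access-list 150 permit ip 192.168.167.0 0.0.0.255 any
!
route-map VPN-HAIRPIN permit 10
 match ip address 150
 set interface Loopback0
!
! Decrypted client packets are processed as arriving on Dialer1, so the
! policy route-map is applied there. The existing ip nat outside, crypto map,
! access-group 104 and ip inspect lines on Dialer1 stay as they are.
interface Dialer1
 ip policy route-map VPN-HAIRPIN
```

Two things to check alongside this. First, the VPN clients only send Internet-bound traffic into the tunnel if split tunnelling is disabled for that group (or the zzz.zzz.zzz production prefixes are part of the split-tunnel list); otherwise the packets never reach the 2811 at all. Second, return traffic arrives on Dialer1 addressed to xxx.xxx.xxx.206, is untranslated back to 192.168.167.x and must then be routed into the client's IPsec SA, so access-list 104 and `ip inspect SDM_LOW out` need to allow that return path. `show ip nat translations` should then show entries with a 192.168.167.x inside local address for the client sessions, and `debug ip policy` shows whether ACL 150 is matching the decrypted packets.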

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.