@jp.briggs wrote:
Great! Thanks! Sorry for the late reply...
How about this one...
I had a guest user call me. We have the controllers acting as the DHCP server for the guest network, and traffic is NAT'd out. This user called because he could not connect to his company's VPN concentrator...was getting a 412 error on a Cisco client. I thought perhaps the firewall was the issue, so I temporarily added a rule at the top to basically: user any src-nat <pool>, but he still couldn't connect.
How can I verify that NAT'ing is working properly for VPN? All other traffic (web, SMTP, etc) works well with this NAT setup...
If all other traffic is working, then NAT is working; you do not have to add that statement. The Cisco VPN client routinely uses port 10000 to connect. Make sure that port is being allowed in your guest ACLs.
As a tip, many people just try to allow DNS, block internal traffic, then allow all to deal with troublesome issues like VPN clients that use special ports.
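As an added illustration of the reply's two points (the guest ACL has to permit the port the Cisco client uses, and the "allow DNS, block internal, allow all" ordering is what avoids this class of problem), here is a small first-match policy evaluator. It is example code written for this page, not anything from the thread or from a controller vendor; the policies, the RFC 1918 "internal" ranges, and the sample flows (192.0.2.0/24 as the guest pool, 203.0.113.0/24 as the user's VPN concentrator, 10.1.1.0/24 as the corporate LAN) are all constructed for the example, and only udp/10000, the port named in the reply, is modelled for the VPN client.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A guest-originated flow as the firewall sees it before NAT."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One first-match ACL entry; None in a field means 'any'."""
    name: str
    action: str                    # "permit" or "deny"
    dst_net: Optional[str] = None  # CIDR, or None for any destination
    proto: Optional[str] = None    # "tcp"/"udp", or None for any protocol
    dport: Optional[int] = None    # destination port, or None for any

    def matches(self, flow: Flow) -> bool:
        if self.dst_net is not None and \
           ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; a flow that matches no rule is implicitly denied."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Private address space the guest VLAN must not reach (RFC 1918).
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The ordering suggested in the reply: DNS first, then block internal, then allow all.
GUEST_POLICY_OPEN = [
    Rule("allow-dns-udp", "permit", proto="udp", dport=53),
    Rule("allow-dns-tcp", "permit", proto="tcp", dport=53),
    *[Rule(f"deny-internal-{net}", "deny", dst_net=net) for net in INTERNAL_NETS],
    Rule("allow-all", "permit"),
]

# A tighter web-only guest policy: it silently breaks the Cisco client.
GUEST_POLICY_WEB_ONLY = [
    Rule("allow-dns-udp", "permit", proto="udp", dport=53),
    Rule("allow-http", "permit", proto="tcp", dport=80),
    Rule("allow-https", "permit", proto="tcp", dport=443),
]

# The same policy with the port named in the reply added ahead of the implicit deny.
GUEST_POLICY_WEB_PLUS_VPN = GUEST_POLICY_WEB_ONLY + [
    Rule("allow-cisco-vpn-udp10000", "permit", proto="udp", dport=10000),
]

# Constructed sample flows (addresses are documentation ranges, not real hosts).
SAMPLE_FLOWS = {
    "vpn-client": Flow("192.0.2.50", "203.0.113.10", "udp", 10000),
    "web": Flow("192.0.2.50", "203.0.113.80", "tcp", 443),
    "internal-dns": Flow("192.0.2.50", "10.1.1.53", "udp", 53),
    "internal-smb": Flow("192.0.2.50", "10.1.1.5", "tcp", 445),
}


def audit(policy: List[Rule]) -> dict:
    """Return {flow_name: (action, matched_rule)} for every sample flow."""
    return {name: evaluate(policy, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in [("open", GUEST_POLICY_OPEN),
                          ("web-only", GUEST_POLICY_WEB_ONLY),
                          ("web+vpn", GUEST_POLICY_WEB_PLUS_VPN)]:
        print(f"--- {label} ---")
        for name, (action, rule) in audit(policy).items():
            print(f"{name:13s} {action:6s} via {rule}")
```

Running it shows why rule order matters: under the open policy the DNS rule sits above the internal deny, so guests can still resolve against an internal resolver while SMB to the same LAN is dropped, and the VPN flow to a public address falls through to allow-all. Under the web-only policy the same VPN flow hits the implicit deny, which is exactly the symptom in the question, and adding the udp/10000 permit is what changes the verdict.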