Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Newbie problems VIA connecting with no gateway address

  • 1.  Newbie problems VIA connecting with no gateway address

    Posted Feb 06, 2013 09:19 AM

    We have our VIA client set up... or so we thought.

     

    It connects fine, but does not provide a gateway address. Thus we can't access anything on the network.

     

    Here are some details.

     

    Public IP 208.108.1**.***

    Internal 10.21.3.2

     

    In our IPSEC settings we have a range of 10.11.12.5 - 10.11.12.250

    This address pool is correctly established when we connect. 

     

    We have tried several different NAT pool configurations, enabled, not enabled etc.

     

    Anyone have any ideas what I might be doing wrong?



  • 2.  RE: Newbie problems VIA connecting with no gateway address

    Posted Feb 06, 2013 09:34 AM

    For VPN clients, including VIA, the controller does not give a gateway as part of the local pool.  You can define a DNS server on the VPN Server page however.   For the user traffic to be routable, you either need to enable NAT on the VPN Services page (although you say that doesn't work) or ensure the controller has an IP on this same network as the local pool.    Above all, your assigned role would need the ability to pass traffic.

     

    In your setup, if the controller has an IP, for example 10.11.12.4, then the user should be able to pass traffic.



  • 3.  RE: Newbie problems VIA connecting with no gateway address

    Posted Feb 06, 2013 09:57 AM

    Well, we are in different vlans.

     

    10.21.3.2 controller

    10.11.12.5 - 10.11.12.250 client range

     

    When you mentioned the dns server settings, are you referring to the emulate vpn servers page or the dns server under ipsec tab?



  • 4.  RE: Newbie problems VIA connecting with no gateway address

    Posted Feb 06, 2013 10:22 AM

    Since all of this is totally new to me, can you possibly give me a quick example of how to configure source NAT?

     

    We have a NAT pool with our one external address as both the beginning and end of the range. This maps to our internal address.

    Then on the access control, I add a firewall rule for the default-via-role that enables src-nat for this NAT pool.

     

    Is any of this correct? Do I need to make changes in other locations?

     

    I tried checking the checkbox for Source Nat on the VPN services page, but it always seems to select the last pool which is the default Nat pool.


    Thanks for your time.



  • 5.  RE: Newbie problems VIA connecting with no gateway address

    Posted Feb 06, 2013 11:52 AM

    I believe that if you enable Source NAT (and the appropriate pool) on the VPN settings, your ACL should just be set up as "permit"; not "src-nat".