CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I have been attempting to set up DNS zone transfers from one side of a VPN to the other. I am receiving the error: Different community ID, possible NAT problem (VPN Error Code 2). I can open other ports across the VPN without problem; it's only when I attempt to use port 53 (DNS) that I have this failure. Can anyone explain to me what this error means? Thanks for your help, zippie74
To expand upon dbedit's response, this error usually is seen when traffic that you thought was going down the VPN in fact is not. It's commonly seen when an implied rule accepts the traffic. Since the implied rule is always before any of your rules and before any VPN rules, it can cause odd quirks like this. Hopefully you do not really have those DNS implied rules active because they open up your internal network's DNS servers in a manner you probably did not intend. They used to be checked by default in 4.0, and I know they are unchecked in NG by default. BTW, with 4.0, I believe they could be used to touch any server on your internal network simply by using port 53 for something other than DNS. If you do disable them, make sure you have other DNS rules in place or things are going to break... Ray
"Since the implied rule is always before any of your rules and before any VPN rules," Actually you can change some of them to "before last" in which case they occur after all of your rules, but most of them are before any of your rules. Ray
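The rule-ordering effect Ray describes in his two replies (an implied rule at "first" accepting DNS ahead of the VPN rule, versus moving it to "before last"), as an added example that is not part of the thread and not Check Point's code. It is a simplified model of the rulebase evaluation order; the rule names and the rulebase itself are constructed.

```python
"""Toy model of Check Point rule ordering (constructed for illustration):
implied rules at 'first' run before every explicit rule, including VPN rules;
'before last' slots in ahead of the final explicit (cleanup) rule."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    dst_ports: frozenset          # empty = any destination port
    action: str                   # "accept" or "drop"
    vpn_community: Optional[str] = None   # None = traffic is not encrypted
    position: str = "explicit"    # "first", "explicit", "before last", "last"

def ordered(rules):
    """Flatten implied and explicit rules into the order they are evaluated."""
    by = lambda pos: [r for r in rules if r.position == pos]
    explicit = by("explicit")
    return by("first") + explicit[:-1] + by("before last") + explicit[-1:] + by("last")

def first_match(rules, dst_port):
    for r in ordered(rules):
        if not r.dst_ports or dst_port in r.dst_ports:
            return r
    return None

def classify(rules, dst_port):
    """Say what happens to a packet: dropped, sent in clear, or sent in the VPN."""
    r = first_match(rules, dst_port)
    if r is None or r.action != "accept":
        return "dropped"
    if r.vpn_community is None:
        # Accepted before the VPN rule is reached: the packet leaves in
        # plaintext, so the peer cannot tie it to a community.
        return f"clear text via '{r.name}'"
    return f"encrypted in {r.vpn_community} via '{r.name}'"

def move_implied_before_last(rules):
    """Ray's workaround: demote 'first' implied rules so the VPN rule wins."""
    return [replace(r, position="before last") if r.position == "first" else r
            for r in rules]

# Constructed rulebase resembling the poster's situation (names are made up)
RULEBASE = [
    Rule("Implied: Accept Domain Name over UDP/TCP", frozenset({53}), "accept",
         position="first"),
    Rule("Site A <-> Site B", frozenset(), "accept", vpn_community="SiteToSite"),
    Rule("Cleanup", frozenset(), "drop"),
]
```

With the implied rule at "first", port 53 is classified as clear text while other ports are encrypted; after `move_implied_before_last`, port 53 is matched by the VPN rule instead.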