I'm in need of some urgent help please.
I have configured my VPN following this:
Basically I'm NATting a whole subnet before sending it over the tunnel.
The only thing that differs is that I've used a route-map with my static translation:
ip nat inside source static network 172.24.0.0 172.25.0.0 /16 route-map CAP
route-map CAP permit 10
match ip address 115
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255
I can see that it is being translated:
router#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
--- 172.25.1.43 172.24.1.43 --- ---
Inside global Inside local Outside local Outside global /prefix
172.25.0.0 172.24.0.0 --- --- /16
But it does not bring the tunnel up. In debug it appears to not even be attempting to initiate. I can see that the access list applied to the crypto map is not being hit.
HOWEVER when I add the untranslated subnet to the access-list, i.e.,:
access-list 173 permit ip 172.25.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 173 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255
I can see the hit count incrementing for 172.24.0.0/16!!! I'm not sure how this is possible when it has been translated. This also brings the tunnel up (but not fully, as it's not configured on the other end, I'm just using it for testing).
Any ideas? Do I need a next hop address configured on my route map?
Any comments would be very much appreciated.