Hi Everyone,
I've been struggling with this issue for two days, I have couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for nat to deny the packets that are going to the tunnel from getting NATed, I have the same config for all the tunnels but the issue is with xxx_NAT access-list that is not even being hit by the packets so my xxx tunnel wont come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. here is my config :
interface GigabitEthernet0/1.102
description "xxx"
encapsulation dot1Q 102
ip address 10.300.301.1 255.255.255.0
ip access-group xxx_ACL in
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool xxx_POOL ??
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map xxx pool xxx_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
!
!
ip access-list extended xxx-VPN
remark VPN to xxx
permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
ip access-list extended xxx_ACL
deny ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip any any
ip access-list extended xxx_NAT
deny ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
deny ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 10.300.301.0 0.0.0.255 any
!
!
!
!
route-map ??? permit 10
match ip address ???_NAT
!
route-map xxx permit 10
match ip address xxx_NAT
!
route-map ??? permit 10
match ip address NAT_???
!
route-map ??? permit 10
match ip address ???_NAT
!
!
control-plane
!
!
banner motd ^C
