Thanks for the reply, Francesco!

To add to the complexity of this issue I did not give the complete picture initially.

The peers on my side is actually a subnet (172.16.127.0/24).  Since this overlaps a subnet on the other side I cannot put it directly into the access-list statement.  I think what needs to happen is to NAT the subnet to one of my real IPs so that the other side sees traffic coming from that real address.

What would that look like so I can replace peer1 and peer2 in our example with the NATed real addresses?

Thanks again for your input and assist.

Kirt

Would the NAT look like the Dynamic PAT section in this article?   http://www.practicalnetworking.net/stand-alone/cisco-nat-configurations-ios-router/

So, using the IP from the example:

ip access-list standard INSIDE-NET
  permit 172.16.120.0 0.0.7.255

ip nat pool SHARED-IP 32.8.2.66  32.8.2.66 prefix-length 21  

ip nat inside source list INSIDE-NET pool SHARED-IP overload

ip access-list extended L2L

  permit ip host 32.8.2.66 host target1a

  permit ip host 32.8.2.66 host target1b

  permit ip host 32.8.2.66 host target2 

Attach acl to the crypto map.

Attach the map to the WAN interface.

Make WAN interface outside nat.

Should this allow the devices in 172.16.120.0/21 to share the connection and appear to be coming from 32.8.2.66 on the other side of the VPN?

Thanks again,

Kirt

I am attaching a generalised copy of my current config relating to this issue.

When I applied ip nat outside to the WAN interface it killed my ability to access the device except from the subnet where the LAN interface resides.

Any changes, suggestions, etc as to if this will work or should be modified would be appreciated.

Thanks!

Kirt

Thanks for the follow up, Francesco!

The shared article makes sense.  The primary difference is that they are requiring a single real/public IP rather than a subnet.  So I would need to translate my internal network to an IP rather than another network.

So in the article example, if I am on the right side and R3 is the only thing I control, rather than NATing my subnet to 10.200.200.0/24 I need to NAT to something like 1.1.1.100/32.

Would it be as simple as changing:

ip nat inside source static network 10.1.1.0 10.200.200.0 /24

to:

ip nat inside source static network 10.1.1.0 1.1.1.100 /32

and change my acl from:

ip access-list extended crypto
permit ip 10.200.200.0 0.0.0.255 10.100.100.0 0.0.0.255

To:

ip access-list extended crypto
permit ip host 1.1.1.100 host RemoteTargetIP

Hopefully I am not just flailing about ;)

Thanks again for your assist.

Kirt

FYI on my generalized set up....

I reduced the NAT to a /24 from a /21 and I am able to access the device normally again.  I think just had too large of a group and it was NATing the subnet the WAN interface is in as well killing my ability to get to it from outside.

I will be testing in about 13 hours.  I will let you know how it goes ;)

Thanks for all your help.

I did get the routing working by using a PAT NAT to NAT my subnet behind a single real IP.   I am finalizing my Phase 2 (IKEv2) policy and that should get me up and running.

Kirt

I have reduced it to a single /24 subnet containing the machines that need access.  This is for accessing a remote app so the traffic is basically initiated one way.  Also, only traffic bound for the particular app server IPs are routed to this device and not general traffic.

Currently if I ping an app server IP we are seeing Phase 1 come up, but Phase 2 is not.  I am trying to gather information and get more specific as to why it is refusingthe Phase 2 handshake.

Thanks

Kirt

Thanks, Francesco.

I am looking at how to get debug info.  Any suggestions welcome.