LAN to LAN VPN when NAT is used

salterinc
Level 1

Hope someone can help. Trying to set up a VPN between my two sites using 1800 series routers. I used SDM to set up the router. The problem is this: I can ping a device at the remote LAN from any workstation, but if I ping from one of my servers, which have a static NAT entry, I cannot.

Thanks

14 Replies

Jon Marshall
Hall of Fame

Hi

If you are not NATting your workstations but are NATting your servers, have you included the NATted addresses for the servers in the access-list that defines interesting traffic for the VPN?

If possible could you post configs with any sensitive info removed.

HTH

Jon

Sure, I have removed keys and IPs for security. Workstations are using the NAT pool.

Thanks!

Hi

Looking at your config, here's what I think is happening.

1) You have a NAT pool defined for your workstations.

2) This NAT pool is tied to a route-map. The route-map says don't use this NAT pool for any traffic from 192.168.1.0/24 to 192.168.2.0/24 or from 192.168.1.0/24 to 192.168.3.0/24.

3) 192.168.2.0/24 & 192.168.3.0/24 are the remote subnets at the end of your IPSEC VPNs.

So when your workstations send traffic to either 192.168.2.0/24 or 192.168.3.0/24 they don't get NATted.

Your servers, however, are statically NATted, so they do get NATted. The NAT takes place before the traffic gets matched against the VPN access-lists, and your VPN traffic is defined as

192.168.1.0/24 -> 192.168.2.0/24 (access-list 103)

192.168.1.0/24 -> 192.168.3.0/24 (access-list 105).

The servers will never match these access-lists.

On a PIX/ASA device you could exclude the servers from being NATted if they are going down the VPN. You could try applying a route-map to the static NAT statements, saying only NAT the servers if they are not going to 192.168.2.0/24 or 192.168.3.0/24, but I'm not sure this will work. (I can check tomorrow when I'm back in work, but you could try anyway.)

If this doesn't work, what you could do is expand access-lists 103 & 105 to include the NATted server IP addresses. You will need to make sure the access-lists are also modified on the remote site routers.

HTH

Jon
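To make the order of operations in the reply above concrete, here is an added model (not configuration or code from this thread, and not Cisco's) of what the router does to a packet leaving the LAN: translate the source with NAT first, then compare the post-NAT packet against the crypto map's interesting-traffic access-list. It uses the thread's subnets (192.168.1.0/24 local, 192.168.2.0/24 and 192.168.3.0/24 remote) and constructed placeholder public addresses in 203.0.113.0/24; the single combined crypto ACL stands in for access-lists 103 and 105. The three switches in `goes_through_tunnel` correspond to the original setup, the route-map on the static NAT statement, and expanding the crypto ACL to include the servers' public addresses.

```python
"""Model of the IOS inside-to-outside order of operations (NAT, then crypto).

Added illustration only: the topology is from the thread, but the public
addresses (203.0.113.0/24) and the access-list layout are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE = [ipaddress.ip_network("192.168.2.0/24"),
          ipaddress.ip_network("192.168.3.0/24")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Static NAT: inside local -> inside global.  Constructed public address.
STATIC_NAT = {ipaddress.ip_address("192.168.1.3"):
              ipaddress.ip_address("203.0.113.3")}
# Constructed address handed out by the dynamic pool (PAT) for workstations.
POOL_GLOBAL = ipaddress.ip_address("203.0.113.10")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def matches(packet, acl):
    """Extended ACL as (action, src_net, dst_net) entries: first match wins,
    implicit deny at the end, like an IOS numbered access-list."""
    for action, src_net, dst_net in acl:
        if packet.src in src_net and packet.dst in dst_net:
            return action == "permit"
    return False


# ACL behind the SDM route-map: 'deny' here means 'do not translate'.
NAT_RMAP_ACL = [("deny", LAN, REMOTE[0]),
                ("deny", LAN, REMOTE[1]),
                ("permit", LAN, ANY)]


def nat_inside_to_outside(packet, static_uses_route_map):
    """Step 1: translate the source address the way the router would."""
    if packet.src in STATIC_NAT:
        # Plain static NAT always translates; with a route-map attached it
        # translates only when the route-map's ACL permits the flow.
        if static_uses_route_map and not matches(packet, NAT_RMAP_ACL):
            return packet
        return replace(packet, src=STATIC_NAT[packet.src])
    if matches(packet, NAT_RMAP_ACL):
        return replace(packet, src=POOL_GLOBAL)  # dynamic pool, overload
    return packet  # route-map denied: leaves untranslated, as on the page


def crypto_acl(include_server_globals):
    """Step 2: interesting traffic for the crypto map (ACL 103 + 105)."""
    acl = [("permit", LAN, REMOTE[0]), ("permit", LAN, REMOTE[1])]
    if include_server_globals:
        # Jon's fallback: add the servers' public addresses to the crypto ACL.
        for public in STATIC_NAT.values():
            host = ipaddress.ip_network(f"{public}/32")
            acl += [("permit", host, REMOTE[0]), ("permit", host, REMOTE[1])]
    return acl


def translated_source(src, dst, static_uses_route_map=False):
    """Source address as seen after NAT, before the crypto check."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return str(nat_inside_to_outside(pkt, static_uses_route_map).src)


def goes_through_tunnel(src, dst, static_uses_route_map=False,
                        include_server_globals=False):
    """True if the packet is selected for IPsec after NAT has run."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    after_nat = nat_inside_to_outside(pkt, static_uses_route_map)
    return matches(after_nat, crypto_acl(include_server_globals))


if __name__ == "__main__":
    print("workstation -> remote:", goes_through_tunnel("192.168.1.20", "192.168.2.5"))
    print("static server -> remote, original setup:",
          goes_through_tunnel("192.168.1.3", "192.168.2.5"))
    print("static server -> remote, route-map on static NAT:",
          goes_through_tunnel("192.168.1.3", "192.168.2.5", static_uses_route_map=True))
    print("static server -> remote, crypto ACL expanded:",
          goes_through_tunnel("192.168.1.3", "192.168.2.5", include_server_globals=True))
```

Running it shows the workstation matching the crypto ACL because the route-map left it untranslated, the server missing the crypto ACL because it was already rewritten to its public address, and either fix restoring the match. Whichever fix is used, the remote router's crypto ACL and any inbound filter on its outside interface must agree on which addresses appear inside the tunnel, as the later replies in the thread point out.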

Thanks Jon,

I think you're looking in the right direction. That's what I thought. I'll see what I can come up with, but please do check when you get back to work; I would greatly appreciate it!

Thanks again.

I found documentation that says I can enter "route-map" at the end of the static entry.

For example...

ip nat inside source static 192.168.1.3 "ip-removed" route-map SDM_RMAP_1

That should make the traffic for the static NAT look at the "SDM_RMAP_1" ACL.

I'll give it a try tonight.

Okay. Let me know how it goes :-)

Nah, that didn't work either. Don't understand this. I do work for another company that uses 2600 series routers, and the config is almost identical except for a virtual interface, and that router is connecting to a Linksys.

Very strange. Please let me know what you find out.

Hi

Bad news. Did you try adding just one of the servers' public IP addresses into your crypto map access-list on the devices at both ends?

Jon

Looks like it did work. Along with pinging FROM a server that was NATted, I was also pinging TO a server that was NATted on the remote LAN, and I had not added the route-map command on that static NAT.

Thanks again for your help!

Bob M.

And just when I had it all set up to test :-)

No problem, glad it worked

Jon

Sorry about that!

I don't understand why SDM can make the necessary NAT change for the address pool when setting up but not for static entries.

Whoops,

Thought we solved the problem, but not so quick. Looks like I can ping from site to site, but that's all I can do. Can't get to remote servers, websites, printers, etc.

Any ideas why I'm having this problem?

Hi

Are you running CBAC on the remote 1800? Can you send me the config for the remote site as well?

It might be what you have in your access-list on the outside interface of your remote router. Remember you need to allow the traffic through on this access-list and you need to refer to the correct IP addresses.

Jon

Hi Jon,

Turned out to be an MTU issue. Added "crypto ipsec df-bit clear" in global config, and now I can access remote subnets with no problems.

I do have one last problem, and that is that I cannot VPN to an internal Windows Server using PPTP. Internet access to NATted www, mail, dns, etc. is all working perfectly. Can't seem to figure this one out. I've tried just about everything.

Here is my current config at one of my locations.

Thanks again Jon and if you see any other issues, please do let me know.

Bob M.