Basically I'm NATting a whole subnet before sending it over the tunnel.
The only thing that differs is that I've used a route-map with my static translation:
ip nat inside source static network 172.24.0.0 172.25.0.0 /16 route-map CAP
route-map CAP permit 10
match ip address 115
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255
I can see that it is being translated:
router#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.25.1.43        172.24.1.43        ---                ---

Inside global      Inside local       Outside local      Outside global   /prefix
172.25.0.0         172.24.0.0         ---                ---              /16
But it does not bring the tunnel up. In debug it appears to not even be attempting to initiate. I can see that the access list applied to the crypto map is not being hit.
HOWEVER, when I add the untranslated subnet to the access list, i.e.:
access-list 173 permit ip 172.25.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 173 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255
I can see the hit count incrementing for 172.24.0.0/16!!! I'm not sure how this is possible when it has been translated. This also brings the tunnel up (but not fully, as it's not configured on the other end, I'm just using it for testing).
Any ideas? Do I need a next hop address configured on my route map?
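For reference, here is an added, complete configuration (not from the original post) showing how the static network NAT, the NAT route-map and the crypto map fit together on an IOS router. Per Cisco's documented NAT order of operations, for inside-to-outside traffic the router routes the packet, performs the inside-local to inside-global translation, and only then evaluates the crypto map, so the crypto ACL is written against the translated 172.25.0.0/16 range. A route-map referenced by NAT is consulted only for its match clauses, so no set ip next-hop is needed. Interface names, the 203.0.113.x addresses, the peer, the pre-shared key and the transform set are assumptions for the example.

```ios
! Added example config (not from the original post). Assumed values:
! interfaces Gi0/0 (inside) and Gi0/1 (outside), outside address 203.0.113.1,
! IPsec peer 203.0.113.2, PSK "ExamplePSK", crypto map "VPN", transform set "TS".

! Translate 172.24.0.0/16 to 172.25.0.0/16 only for traffic to the two
! remote subnets. Only the route-map's match clause is used by NAT.
ip nat inside source static network 172.24.0.0 172.25.0.0 /16 route-map CAP

route-map CAP permit 10
 match ip address 115

access-list 115 permit ip 172.24.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255

! Crypto ACL: NAT runs before the crypto map on the inside-to-outside path,
! so this must match the inside GLOBAL (translated) source, 172.25.0.0/16.
! Listing 172.24.0.0/16 here would be matching pre-NAT addresses.
access-list 173 permit ip 172.25.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 173 permit ip 172.25.0.0 0.0.255.255 10.3.0.0 0.0.255.255

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK address 203.0.113.2

crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 173

interface GigabitEthernet0/0
 description inside LAN
 ip address 172.24.0.1 255.255.0.0
 ip nat inside

interface GigabitEthernet0/1
 description outside / IPsec
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN

! The remote peer's crypto ACL must be the mirror image of ACL 173, i.e. it
! must reference 172.25.0.0/16 as the destination, never 172.24.0.0/16:
!   permit ip 10.2.0.0 0.0.255.255 172.25.0.0 0.0.255.255
!   permit ip 10.3.0.0 0.0.255.255 172.25.0.0 0.0.255.255
```

To verify the behaviour after applying this, generate traffic from a 172.24.x.x host towards 10.2.0.0/16 or 10.3.0.0/16 and check that `show ip nat translations` shows the /16 entry, `show access-lists 173` increments on the 172.25.0.0 line, and `show crypto isakmp sa` / `show crypto ipsec sa` show the peer negotiating; `debug crypto isakmp` will show the initiation if the crypto ACL is being hit.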