Router A and Router B are IPSEC tunnel peers, using the Internet as the connectivity transport. Routers A & B perform NAT pooling with overload for Internet bound traffic - traffic destined for the remote side of the VPN tunnel is exempted from the NAT overload.
This much works fine. Here's the problem:
Router A also has a few static NATs to support inbound access of HTTP and SMTP traffic to hosts on the private LAN. It appears that when these hosts on LAN A attempt to contact a host on LAN B via the VPN tunnel, the NAT exemption doesn't take effect - the traffic is sent out to the Internet anyway via the static NAT.
I recreated the same setup in a lab environment, but after the route-map identifies the packets and sends them to the loopback address as the next-hop, the packet is never seen in the IPSec tunnel. The router also complains that the next-hop is the same router. If you look at the CCO example closely, you will also notice some errors in the loopback IP address.
Is this setup really working, and if yes, is this supported from a specific IOS code?
I am using the exact method defined in the document, and it works great. I think you're making the same mistake that I made, though. The document refers to building a loopback address of 18.104.22.168 and setting an ip next-hop in the route-map to 22.214.171.124. I assumed that was a misprint, and that they really wanted me to set the ip next-hop to 126.96.36.199 - well, they don't. They really mean 188.8.131.52, even though that IP doesn't exist anywhere. What I believe happens is that the packet is forwarded to the loopback interface, because the router believes that the 184.108.40.206/24 network is directly connected there. The packet is forwarded to 220.127.116.11, with the expectation it will get to 18.104.22.168. 22.214.171.124 doesn't really exist, so the router re-evaluates the packet for forwarding. At that point, there's no NAT to be performed, because the packet isn't leaving an "ip nat inside" interface.
Anyway, it is working for me, but you do have to follow the document exactly.
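For readers following along, here is an added Router A configuration sketch of the loopback trick the reply describes. It is not the thread's or Cisco's own configuration; all addresses, interface names and ACL/route-map names are constructed placeholders (LAN A 192.168.1.0/24, LAN B 192.168.2.0/24), and the crypto map itself is assumed to be defined elsewhere.

```cisco
! Added illustration only; not from the original thread or the Cisco doc.
! Constructed addressing: LAN A 192.168.1.0/24, LAN B 192.168.2.0/24,
! Internet-facing address 203.0.113.1, loopback subnet 10.255.255.0/24.
!
! Static NATs for the servers that must be reachable from the Internet.
ip nat inside source static 192.168.1.10 203.0.113.10
ip nat inside source static 192.168.1.25 203.0.113.25
!
! Overload for everyone else; the ACL denies VPN-bound traffic so it is
! exempted from the dynamic translation (this part already works per the post).
ip nat inside source list NAT-OVERLOAD-ACL interface FastEthernet0/1 overload
!
! Loopback in its own /24. The policy route-map below points at ANOTHER
! address in that /24 which is configured nowhere (assumption: this is the
! deliberate "nonexistent next-hop" the reply explains). The loopback is
! intentionally neither "ip nat inside" nor "ip nat outside".
interface Loopback0
 ip address 10.255.255.1 255.255.255.0
!
interface FastEthernet0/0
 description LAN A
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map VPN-BYPASS-STATIC-NAT
!
interface FastEthernet0/1
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
! LAN A -> LAN B traffic: matched by the policy route-map so it is sent
! to the loopback first and the static NAT entries are never applied.
ip access-list extended LAN-A-TO-LAN-B
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended NAT-OVERLOAD-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map VPN-BYPASS-STATIC-NAT permit 10
 match ip address LAN-A-TO-LAN-B
 set ip next-hop 10.255.255.2
```

When verifying, confirm with `show ip nat translations` that VPN-bound flows from the static-NAT hosts show no translation, and with `show crypto ipsec sa` that their packets are counted as encapsulated.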