Please help, I am having a hard time setting up PAT properly on my IPsec VPN setup. I have a 2611XM on one side and an 831 on the other in an L2L configuration. Everything works fine, i.e. hosts on the private networks behind the VPN gateways are reachable from each other, but once PAT is applied and the crypto maps are reapplied, ISAKMP Phase 1 never takes place.
So to speak, my config works, but only if I have no PAT applied to the outside interfaces.
Here are my ACLs, in short, that are applied to the outside interfaces:
ip nat inside source list 101 interface s0/0 overload
ip nat outside
ip nat inside
Now your IPsec crypto list, such as
ip access-list extended 102
permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
won't be subject to the outgoing NAT rule.
Of course, post your full configs if you still need help!
Just remember, to allow NAT on an IPsec tunnel: NAT rules are applied before the crypto rule, so you are going to NAT the traffic and it will break the tunnel if you don't have a "deny" statement in the first line of your NAT access list, if you are doing NAT in the same path as the IPsec traffic.
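The order of operations the reply describes, shown as an added example that is not part of the thread: a small Python model of the IOS packet path where the inside-to-outside NAT ACL is evaluated before the crypto map. ACL 101 (NAT), ACL 102 (crypto), the host addresses and the PAT address of s0/0 are all constructed for illustration; the point is that without a leading deny line the source address is rewritten before the crypto ACL is consulted, so the packet no longer matches the tunnel's interesting traffic.

```python
"""
Model of IOS order of operations on an outbound packet:
inside->outside NAT runs first, then the crypto map is checked.
All addresses and ACL contents below are constructed (not from the thread).
"""
import ipaddress

OUTSIDE_IF_IP = "203.0.113.1"   # constructed: address of s0/0 used by PAT overload


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL with the implicit deny at the end.
    Each entry is (action, src_net, src_wildcard, dst_net, dst_wildcard)."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def forward(packet, nat_acl, crypto_acl):
    """Packet leaving the outside interface: NAT decision first, crypto map second."""
    src, dst = packet
    if acl_action(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IF_IP            # PAT overload rewrites the source address
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return {"src": src, "dst": dst, "encrypted": encrypted}


# crypto ACL 102 as in the reply: local 10.0.0.0/24 to remote 10.10.10.0/24
CRYPTO_ACL_102 = [("permit", "10.0.0.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]

# NAT ACL 101 as it is often written at first: every inside host gets PAT
NAT_ACL_BROKEN = [("permit", "10.0.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# NAT ACL 101 with the deny line the reply asks for, placed first
NAT_ACL_FIXED = [
    ("deny",   "10.0.0.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

VPN_PACKET = ("10.0.0.5", "10.10.10.7")         # constructed: host to host across the tunnel
INTERNET_PACKET = ("10.0.0.5", "198.51.100.9")  # constructed: host to an internet address


def demo():
    """Run the three cases and return the results keyed by case name."""
    return {
        "vpn_broken": forward(VPN_PACKET, NAT_ACL_BROKEN, CRYPTO_ACL_102),
        "vpn_fixed": forward(VPN_PACKET, NAT_ACL_FIXED, CRYPTO_ACL_102),
        "internet_fixed": forward(INTERNET_PACKET, NAT_ACL_FIXED, CRYPTO_ACL_102),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the broken NAT list the VPN packet leaves with the interface address as its source and is sent in the clear, which also means there is never any interesting traffic to trigger the tunnel; with the deny line first, tunnel traffic keeps its private source and matches ACL 102, while ordinary internet traffic is still PAT-ed.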
Thanks so much for the clues. I tried your suggestions, but no help. What happens is that it looks like the remote router (831) wants to establish the IPsec tunnel but the easy server (2611XM) does not. "show crypto ipsec sa" displays all the values on the 831 but not on the 2611XM.
I am going to paste below the key parts of the configs for your examination, if you would be so kind.
IPSec Server config:
aaa authentication login vpnclient local
aaa authorization network allusers local
crypto keyring L2Lkeyring
description Pre-shared Key for L2L peers with dynamic addressing