Cisco Support Community

New Member

l2l tunnel using policy-nat

I'm pulling my hair out at this point, so I'm hoping someone can see what's wrong... (4 weeks of Cisco experience...)

I have a tunnel that I want looking like so:

                                            / --> boston tunnel
internal > NAT > External ip > internet >
                                            \ --> chicago tunnel

This WAS working; not sure why the tunnel does not get created now... maybe I removed something that should not have been removed...?

I have one more setup just like this going to a different static IP with a different policy, and that one works....

Any help is greatly appreciated.

object-group network netnumber-chicago
 network-object host 65.111.11.204
 network-object host 65.111.11.205
object-group network netnumber-boston
 network-object host 65.222.11.84
 network-object host 65.222.11.85

access-list youmailtp_splitacl standard permit host 65.222.11.85
access-list youmailtp_splitacl standard permit host 65.111.11.204
access-list youmailtp_splitacl standard permit host 65.111.11.205
access-list youmailtp_splitacl standard permit host 65.222.11.84

access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-boston
access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-chicago

access-list outside_cryptomap_40 extended permit ip telepacific-inside-network 255.255.254.0 object-group netnumber-chicago
access-list outside_cryptomap_40 extended permit ip host 66.11.22.139 object-group netnumber-chicago
access-list outside_cryptomap_50 extended permit ip telepacific-inside-network 255.255.254.0 object-group netnumber-boston
access-list outside_cryptomap_50 extended permit ip host 66.11.22.139 object-group netnumber-boston

static (inside,outside) 66.11.22.139 access-list netnumber-policy-nat

crypto ipsec transform-set NETNUMBER_TRANSFORM_SET esp-3des esp-sha-hmac
crypto map Outside_map 40 match address outside_cryptomap_40
crypto map Outside_map 40 set peer 65.111.22.81
crypto map Outside_map 40 set transform-set NETNUMBER_TRANSFORM_SET
crypto map Outside_map 50 match address outside_cryptomap_50
crypto map Outside_map 50 set peer 65.222.22.33
crypto map Outside_map 50 set transform-set NETNUMBER_TRANSFORM_SET

3 REPLIES
New Member

l2l tunnel using policy-nat

Are those all your site-to-site VPN entries? How about your:

tunnel-group 65.111.22.81 type ipsec-l2l
tunnel-group 65.111.22.81 ipsec-attributes
 pre-shared-key *
tunnel-group 65.222.22.33 type ipsec-l2l
tunnel-group 65.222.22.33 ipsec-attributes
 pre-shared-key *

?

New Member

l2l tunnel using policy-nat

group-policy site2site internal
group-policy site2site attributes
 vpn-idle-timeout none
 vpn-filter value youmailtp_splitacl
 vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 65.111.22.81 type ipsec-l2l
tunnel-group 65.111.22.81 general-attributes
 default-group-policy site2site
tunnel-group 65.111.22.81 ipsec-attributes
 pre-shared-key *

tunnel-group 65.222.22.33 type ipsec-l2l
tunnel-group 65.222.22.33 general-attributes
 default-group-policy site2site
tunnel-group 65.222.22.33 ipsec-attributes
 pre-shared-key *

New Member

l2l tunnel using policy-nat

OK, so the two tunnels are now up. "sh cry isa sa" shows both peers; however, if I do "sh cry ips sa" there is no traffic in the encap/decap section, so I'm not using the tunnels...

Looking at my config, I can't figure out how one of my internal boxes will use this tunnel, so I thought I needed to change this:

access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-boston

to

access-list netnumber-policy-nat extended permit ip 10.21.30.0 255.255.254.0 object-group netnumber-boston

but when I tried to add the static it bombed out with an overlapping IP message...

Anyone have any ideas...

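The pieces the thread circles around are (a) the policy-NAT rule must be written from the real (pre-NAT) inside addresses toward the remote hosts, (b) on pre-8.3 ASA code the crypto ACL is evaluated after NAT on the outbound path, so it has to match the translated source, and (c) a "static" is one-to-one, so an inside /23 cannot be statically mapped onto a single public host, and a second static for 66.11.22.139 collides with the one already present. The following is an added example that reworks the OP's fragment with dynamic policy PAT; it is not configuration from the thread or from Cisco. It assumes the same 8.2-style syntax the posts use, that 10.21.30.0/23 (named in the last post) is the inside network, that NAT id 2 is unused, and that the group-policy and tunnel-group lines from the replies stay as they are.

```cisco
! Added example, not the thread's own config. ASA pre-8.3 syntax (static/global/nat).
! Assumptions: inside net 10.21.30.0/23, public address 66.11.22.139, NAT id 2 free,
! object-groups netnumber-boston / netnumber-chicago and the crypto map as posted.

! 1. Policy ACL in the *pre-NAT* view: real inside subnet -> remote hosts.
!    (The OP's version used the public host as source, which never matches
!    traffic that originates on the inside.)
no access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-boston
no access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-chicago
access-list netnumber-policy-nat extended permit ip 10.21.30.0 255.255.254.0 object-group netnumber-boston
access-list netnumber-policy-nat extended permit ip 10.21.30.0 255.255.254.0 object-group netnumber-chicago

! 2. Many inside hosts -> one public address is PAT, not static. Remove the
!    existing static for 66.11.22.139 (it is what produces the overlap error
!    when a second one is added) and replace it with a policy nat/global pair.
no static (inside,outside) 66.11.22.139 access-list netnumber-policy-nat
nat (inside) 2 access-list netnumber-policy-nat
global (outside) 2 66.11.22.139

! 3. Crypto ACLs match post-NAT addresses outbound, so keep only the entries
!    whose source is the translated address. The real-network entries would
!    never match and only confuse the proxy-ID negotiation with the peer.
no access-list outside_cryptomap_40 extended permit ip telepacific-inside-network 255.255.254.0 object-group netnumber-chicago
no access-list outside_cryptomap_50 extended permit ip telepacific-inside-network 255.255.254.0 object-group netnumber-boston
access-list outside_cryptomap_40 extended permit ip host 66.11.22.139 object-group netnumber-chicago
access-list outside_cryptomap_50 extended permit ip host 66.11.22.139 object-group netnumber-boston

! 4. Verify from an inside host (10.21.30.10 is an assumed address; 65.222.11.84
!    is one of the posted Boston hosts). The NAT phase should show the
!    66.11.22.139 translation and the VPN phase should end in ENCRYPT/ALLOW.
! packet-tracer input inside tcp 10.21.30.10 12345 65.222.11.84 443
! show xlate | include 66.11.22.139
! show crypto ipsec sa peer 65.222.22.33
!   -> "#pkts encaps" / "#pkts decaps" should now increment, which is the
!      counter the last post reports as staying at zero.
```

Two caveats a practitioner would check before applying this. First, dynamic PAT is unidirectional: the remote sites can reply to flows the inside hosts open, but cannot initiate connections to anything behind 66.11.22.139; if Boston or Chicago must reach specific inside hosts, those hosts need one-to-one statics with distinct mapped addresses instead. Second, on this code train NAT exemption (nat 0 access-list) is evaluated before policy NAT, so any existing nat 0 entry that covers 10.21.30.0/23 toward the remote hosts would win and the traffic would leave untranslated, again failing to match the crypto ACL; "show nat" and the NAT phase of packet-tracer make that visible.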