172.31.10.0 is a bit off on the drawing; it should be placed over the VPN tunnel. It is not on the outside, it's on the inside.
I terminate the tunnel 220.127.116.11 (me) to 18.104.22.168 (customer), and the crypto map has 172.31.10.0/23 as the local VPN net and 22.214.171.124 as the remote VPN net/host I need to reach.
The problem is the customer has many different tunnels, so we cannot add 172.21.11.0/24 to the crypto map due to overlap. I therefore have to NAT my way out of it by saying translate 172.21.11.0/24 to 172.31.10.100 so the tunnel will come up and the packets are sent to 126.96.36.199.
The tunnel works fine and I can reach 188.8.131.52 from the 172.31.10.0/23 net, but I need to reach 184.108.40.206 from a host on the 172.21.11.0/24 subnet, which is also on the inside.
I had a static instead of a dynamic NAT because I was using single hosts and not subnets, but I changed it to subnets and it's still the same.
In my opinion the NAT statement is OK; I can see in the log that it translates the 172.21.11.0/24 network to use 172.31.10.100 when trying to connect to 220.127.116.11, but whatever I do it will not trigger the site-to-site tunnel, which is the problem. If I send packets from 172.31.10.0/23 (without being translated from the 172.21 net first) it will trigger the tunnel and send packets through and reach 18.104.22.168 fine.
It seems that the ASA will translate OK but not internally see my translated 172.21.11.30 (172.31.10.100) as a tunnel-triggering IP.
So I have two things that work fine, it seems: the translation from the 172.21.11.0 net to 172.31.10.100, and the tunnel with the 172.31.10.0/23 net that can reach 22.214.171.124. But somehow the connection between the two is not happening.
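To reason about the failure described above, here is a small added model (not the poster's configuration and not an ASA emulator) of the two stages the post relies on: an egress packet is first run through the NAT rules and only then checked against the crypto map ACL, so the tunnel is triggered only if the post-NAT source falls inside the crypto ACL's local network. The 172.x addresses come from the post; the customer host (192.0.2.10), the NAT interface pair, and the "already claimed" remote nets used in the overlap check are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the poster's setup. 192.0.2.10 stands in for the
# customer's host, since the thread's remote addresses are not consistent.
REMOTE_HOST = ip_network("192.0.2.10/32")
NAT_RULES = [
    # (original source, (ingress, egress) interface pair, translated source)
    (ip_network("172.21.11.0/24"), ("inside", "outside"), ip_address("172.31.10.100")),
]
CRYPTO_ACL = [
    # (local network, remote network) as in the crypto map's match ACL
    (ip_network("172.31.10.0/23"), REMOTE_HOST),
]


def translate(src, ifaces):
    """Apply the first matching dynamic NAT rule for this interface pair.

    NAT is evaluated before the crypto map, so this result is what the
    crypto ACL will see; a rule bound to a different interface pair is skipped.
    """
    for original, pair, translated in NAT_RULES:
        if src in original and pair == ifaces:
            return translated
    return src


def matches_crypto_acl(src, dst):
    """True if (src, dst) is interesting traffic for the site-to-site tunnel."""
    return any(src in local and dst in remote for local, remote in CRYPTO_ACL)


def trace(src, dst, ifaces=("inside", "outside")):
    """Return (post-NAT source, tunnel triggered?, reason) for one egress flow."""
    src, dst = ip_address(src), ip_address(dst)
    xlated = translate(src, ifaces)
    if matches_crypto_acl(xlated, dst):
        return str(xlated), True, "post-NAT source is inside the crypto ACL local net"
    if xlated == src:
        return str(xlated), False, "no NAT rule applied; pre-NAT source is outside the crypto ACL"
    return str(xlated), False, "translated, but translated source is outside the crypto ACL"


def overlaps_any(candidate, claimed):
    """Why the poster NATs instead of adding 172.21.11.0/24 to the crypto map:
    list the already-claimed remote networks the candidate would overlap."""
    return [str(n) for n in claimed if candidate.overlaps(n)]
```

Running `trace("172.21.11.30", "192.0.2.10")` with the rule bound to the wrong interface pair (for example, the packet actually entering on a different interface) reproduces the symptom of a working translation on one path but no tunnel trigger on another.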
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: