Can't access Internet and VPN tunnel without static NAT
Greetings, I'm dealing with an issue on a router running IOS Version 12.4(24)T4:
The router has an IPSEC tunnel with another router (non-cisco) at another site and the tunnel is working fine.
My problem is that hosts behind this router cannot route to both hosts on the other end of the tunnel AND outside to the Internet unless they have a static NAT.
Here's the pertinent config (public IPs changed for purpose of discussion):
ip nat pool MMPOOL 220.127.116.11 18.104.22.168 netmask 255.255.255.192
ip nat inside source list 1 pool MMPOOL overload
ip nat inside source static 10.1.1.22 22.214.171.124 route-map nonat
ip nat inside source static 10.1.1.24 126.96.36.199 route-map nonat
ip nat inside source static 10.1.1.35 188.8.131.52 route-map nonat
ip nat inside source static 10.1.1.67 184.108.40.206 route-map nonat
...
access-list 1 deny 10.1.1.22
access-list 1 deny 10.1.1.24
access-list 1 deny 10.1.1.35
access-list 1 deny 10.1.1.67
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 110
!
My side of the tunnel is 10.1.1.0/24 and the other side of the tunnel is 10.2.2.0/24.
I had to create the "nonat" route-map and apply it to the static NATs so that the NATs would not be applied to traffic going over the tunnel, and this works fine. Hosts that have a static NAT can get outside to the Internet because they are denied from the main NAT pool and are filtered through the nonat policy map.
My problem is that hosts that do not have a static NAT (and don't need one, frankly) can either route to the VPN tunnel or the Internet, but not both. As is, with the configuration above, if a host on the 10.1.1.x network that does not have a static NAT tries to access the Internet, that works fine but they cannot access the other side of the tunnel (10.2.2.0/24). But if I add the host to the access-list 1 deny then I can access the other side of the tunnel but not the Internet.
I hope I'm missing an obvious solution here but it's not occurring to me. I can't imagine this is going to require a static NAT for every host, because that's not feasible.
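Editor's added example, not part of the original post: the usual way to get this on IOS is to exclude VPN-bound traffic from the dynamic (overload) NAT rule itself, using an extended ACL in place of the standard one. A standard ACL such as access-list 1 can only match the source address, so it has no way to express "translate 10.1.1.x except when it is talking to 10.2.2.0/24", which is exactly the either/or behaviour described above. IOS performs inside-to-outside NAT before the crypto map check, so a packet that gets translated to a pool address no longer matches the crypto ACL and is not encrypted; denying the VPN destination in the NAT ACL keeps that traffic untranslated. The addressing and pool below are copied from the post; the ACL name NAT-OVERLOAD is my choice, and it is assumed (not shown in the post) that the crypto map's match ACL selects 10.1.1.0/24 to 10.2.2.0/24.

```cisco
! Added example configuration (not the poster's running config).
! Assumptions: crypto ACL matches 10.1.1.0/24 <-> 10.2.2.0/24;
! ACL name NAT-OVERLOAD is arbitrary; pool and statics as posted.
!
! Extended ACL for the overload rule. Order matters: the deny for the
! remote VPN subnet must come before the catch-all permit. The hosts
! that have statics are excluded too, mirroring access-list 1.
ip access-list extended NAT-OVERLOAD
 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 deny   ip host 10.1.1.22 any
 deny   ip host 10.1.1.24 any
 deny   ip host 10.1.1.35 any
 deny   ip host 10.1.1.67 any
 permit ip 10.1.1.0 0.0.0.255 any
!
! Swap the dynamic NAT binding from the standard ACL to the extended one.
no ip nat inside source list 1 pool MMPOOL overload
ip nat inside source list NAT-OVERLOAD pool MMPOOL overload
!
! Static entries keep their existing exemption via route-map nonat
! (access-list 110) and are left unchanged.
```

Two practical caveats. First, IOS may refuse the `no ip nat inside source list 1 ...` line with a "dynamic mapping in use" message while translations exist, so run `clear ip nat translation *` first (this drops every active translated session, so do it in a maintenance window). Second, verify rather than assume: from a host without a static, open one flow to a 10.2.2.x address and one to an Internet address, then check `show ip nat translations` (only the Internet flow should appear) and `show crypto ipsec sa` (the encaps/decaps counters for the 10.1.1.0/24 to 10.2.2.0/24 SA should increment).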