Gary4 asked:
On a Cisco C1921, IOS 15.2, how to have a statically bound local inside IP talk on both a WAN and VPN interface.

Hi,

I have an inside static IP that I have set up to map to an outside IP address. That seems to work. I also want the inside IP to be able to talk over my VPN. That part isn't working. The VPN part was working before I defined the static NAT translation rule indicated below.

!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to184.170.93.12
 set peer 184.170.93.12
 set security-association lifetime seconds 28800
 set transform-set Colo 
 match address 100
!
!
interface GigabitEthernet0/0
 description Lan
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address 184.170.93.96 255.255.255.128
 ip access-group MyFirewallIn in
 ip access-group MyFirewallOut out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static 10.0.10.163 184.170.93.17   <==============================
ip route 0.0.0.0 0.0.0.0 184.170.93.1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

I'm not sure what other info is needed to figure this out.

Where do I need to look?
What have I got wrong?

You can see the inside and outside networks above.

The 10.0.0.0/24 is at the remote end of the VPN tunnel.

If it makes any difference I'm using Cisco Configuration Professional to set this up.

However, I also have HyperTerminal for things CCP can't do.
And I've been learning IOS along the way.
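Added example, not the asker's configuration and not the accepted answer: a small Python model of the IOS inside-to-outside order of operations (inside source NAT runs before the crypto map evaluates ACL 100), built from the ACLs quoted above, which shows why the unconditional static entry pulls 10.0.10.163's VPN-bound packets out of the tunnel. The variant with `route-map SDM_RMAP_1` appended to the static entry is the conventional IOS way to exempt such traffic and is an assumption here, not something this page states.

```python
import ipaddress

# Constructed model (not the asker's device, not the accepted answer) of the
# Cisco IOS inside->outside order of operations for this config: inside
# source NAT is applied BEFORE the crypto map checks ACL 100, so a static
# translation that always fires rewrites the source of VPN-bound packets.
LAN = ipaddress.ip_network("10.0.10.0/24")
REMOTE = ipaddress.ip_network("10.0.0.0/24")      # far end of the tunnel
HOST = ipaddress.ip_address("10.0.10.163")        # statically mapped host
STATIC_GLOBAL = "184.170.93.17"                   # its public address
WAN_IF = "184.170.93.96"                          # Gi0/1, used for PAT overload


def acl_100_crypto(src, dst):
    """Crypto ACL 100: LAN <-> remote site is the interesting traffic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (src in LAN and dst in REMOTE) or (src in REMOTE and dst in LAN)


def route_map_rmap1(src, dst):
    """route-map SDM_RMAP_1 / ACL 101: deny LAN->remote, permit LAN->any."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst in REMOTE:
        return False
    return src in LAN


def nat_inside_source(src, dst, static_uses_route_map=False):
    """Return the post-NAT source address as a string.

    static_uses_route_map=False models the asker's unconditional
    'ip nat inside source static 10.0.10.163 184.170.93.17'.
    static_uses_route_map=True models the same entry with the
    'route-map SDM_RMAP_1' keyword appended (assumed fix, not from the page).
    Static entries take precedence over the dynamic overload entry.
    """
    if ipaddress.ip_address(src) == HOST:
        if not static_uses_route_map or route_map_rmap1(src, dst):
            return STATIC_GLOBAL
    if route_map_rmap1(src, dst):
        return WAN_IF
    return src


def encrypted_over_vpn(src, dst, static_uses_route_map=False):
    """True if the packet still matches crypto ACL 100 after NAT has run."""
    return acl_100_crypto(nat_inside_source(src, dst, static_uses_route_map), dst)
```

Whatever change is applied on the router, confirm it with `show ip nat translations` (no entry for 10.0.10.163 toward 10.0.0.0/24) and `show crypto ipsec sa` (encaps counters rising for that host's traffic).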
ASKER CERTIFIED SOLUTION
Matt V