On a Cisco C1921, IOS 15.2, how to have a statically bound local inside IP talk on both a WAN and a VPN interface.

Asked by Gary4 (United States of America)
Topics: Routers, Internet Protocol Security, Network Operations

Hi,

I have an inside static IP that I have set up to map to an outside IP address.  That seems to work. I also want the inside IP to be able to talk over my VPN.  That part isn't working.  The VPN part was working before I defined the static NAT translation rule indicated below.

!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to184.170.93.12
 set peer 184.170.93.12
 set security-association lifetime seconds 28800
 set transform-set Colo 
 match address 100
!
!
interface GigabitEthernet0/0
 description Lan
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address 184.170.93.96 255.255.255.128
 ip access-group MyFirewallIn in
 ip access-group MyFirewallOut out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static 10.0.10.163 184.170.93.17   <==============================
ip route 0.0.0.0 0.0.0.0 184.170.93.1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

I'm not sure what other info is needed to figure this out.

Where do I need to look?
What have I got wrong?

You can see the inside and outside networks above.

The 10.0.0.0/24 is at the remote end of the VPN tunnel.

If it makes any difference I'm using Cisco Configuration Professional to set this up.

However, I also have HyperTerminal for things CCP can't do.
And I've been learning IOS along the way.
ASKER CERTIFIED SOLUTION
Matt V
