Cisco Site to Site VPN - ACL, NAT

Hello Experts,
We are having trouble with a site-to-site VPN. It is between an ASA and a Cisco router. We want the remote site to split traffic: Internet traffic just goes out normally, but internal company traffic goes through the VPN back to headquarters.

We can connect to the external interface on the remote site router successfully, but can't get to the local network (from HQ).
Remote site users are getting to the internet fine.

Do we have an issue with an ACL or NAT?
Thanks!

Here is the config:



Current configuration : 5805 bytes
!

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!

!
no aaa new-model
!
clock timezone EST -5 0
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
!
multilink bundle-name authenticated
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed
!
!
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01

        quit
!
!

!
redundancy
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vpn123 address 72.1.2.3
!
!
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 72.1.2.3
 set transform-set tset
 match address 110
!
!
!
!
!
!
interface GigabitEthernet0/0
 description  Inside Network
 ip address 10.1.59.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Internet
 ip address 3.4.5.6 255.255.255.252
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
 crypto map vpn
!
interface Serial0/0/0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 shutdown
 no fair-queue
!
ip forward-protocol nd
ip http server
no ip http secure-server
!

!
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 2.3.4.5
!
ip access-list standard EIGRP
 deny   0.0.0.0
 permit any
!

!
access-list 100 permit ip any any
access-list 110 permit ip 10.1.59.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 112 permit ip 10.1.59.0 0.0.0.255 any
access-list 112 deny   ip 10.1.59.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 113 permit ip host 10.1.59.0 any
access-list 120 permit esp any any
access-list 120 permit udp any any eq isakmp
access-list 120 permit tcp any any eq telnet
access-list 120 permit tcp any any eq 22
access-list 120 permit ip 10.0.0.0 0.255.255.255 10.1.59.0 0.0.0.255
access-list 120 permit icmp 10.0.0.0 0.255.255.255 10.1.59.0 0.0.0.255
access-list 120 permit icmp any any echo-reply
access-list 120 permit icmp any any time-exceeded
access-list 120 permit icmp any any packet-too-big
access-list 120 permit icmp any any traceroute
access-list 120 permit icmp any any unreachable
access-list 120 deny   ip any any log
!
!
!
!
route-map staticnat permit 10
 match ip address 113
!
route-map nonat permit 10
 match ip address 112
!

!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!

!
scheduler allocate 20000 1000
end

Router#
Asked by: mis-
Jody Lemoine (Network Architect) commented:
I would rework your NAT. Your deny statements in ACL 112 are messing things up. Change them to permits and you'll do better.

I'm not sure if you're planning on doing more old-fashioned policy-based VPNs on this router in the future, but if you are, you might want to create a blanket NAT exception to avoid having to tweak it later. Something like this would do:

object-group network OG_RFC1918
 10.0.0.0 /8
 172.16.0.0 /12
 192.168.0.0 /16
!
ip access-list extended ACL_NAT
 deny ip object-group OG_RFC1918 object-group OG_RFC1918
 permit ip object-group OG_RFC1918 any
!
route-map RM_NAT_Internet permit 10
 match ip address ACL_NAT
!
ip nat inside source route-map RM_NAT_Internet interface GigabitEthernet0/1 overload
Jody Lemoine (Network Architect) commented:
Sorry... didn't look carefully the first time. The problem is actually in the order of entries in your 112 ACL. The second line is never being matched because the first line is catching everything from that source. Reverse the order and you should be fine.
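The ordering problem described above, as an added example that is not part of the thread. This small Python evaluator models how IOS walks a numbered ACL (first match wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care") and then applies the order of operations for inside-to-outside traffic on the router: the NAT decision is made against ACL 112 first, and only the post-NAT packet is compared with crypto ACL 110. ACL 110, ACL 112 and the outside address 3.4.5.6 are taken from the posted config; the host addresses 10.1.59.10, 10.0.0.5 and 8.8.8.8 are constructed sample flows. The function names are mine, not IOS commands.

```python
import ipaddress

# NAT-exemption ACL exactly as posted, and the same two entries in the order
# the answers recommend (deny the VPN traffic first, then permit everything).
ACL_112_AS_POSTED = [
    "access-list 112 permit ip 10.1.59.0 0.0.0.255 any",
    "access-list 112 deny   ip 10.1.59.0 0.0.0.255 10.0.0.0 0.255.255.255",
]
ACL_112_FIXED = list(reversed(ACL_112_AS_POSTED))

# Crypto-map "interesting traffic" ACL from the posted config.
ACL_110 = ["access-list 110 permit ip 10.1.59.0 0.0.0.255 10.0.0.0 0.255.255.255"]

# Outside address from interface GigabitEthernet0/1 (PAT address for the overload NAT).
OUTSIDE_IP = "3.4.5.6"


def _parse_addr(tokens, i):
    """Parse one ACL address spec at tokens[i]: 'any', 'host A', or 'A wildcard'.
    Returns (network_as_int, wildcard_as_int, next_token_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst>' into a dict.
    Only the address part matters for this demonstration, so ports are ignored."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not a numbered ACL entry: " + line)
    src, src_wc, i = _parse_addr(tokens, 4)
    dst, dst_wc, _ = _parse_addr(tokens, i)
    return {"action": tokens[2], "proto": tokens[3],
            "src": src, "src_wc": src_wc, "dst": dst, "dst_wc": dst_wc, "line": line}


def _wc_match(value, net, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    care = (~wildcard) & 0xFFFFFFFF
    return (value & care) == (net & care)


def evaluate(acl_lines, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end.
    Returns (action, matching_line); matching_line is None for the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in (parse_ace(l) for l in acl_lines):
        if ace["proto"] != "ip":
            continue  # sample ACLs only use 'ip'; protocol-specific entries are skipped
        if _wc_match(s, ace["src"], ace["src_wc"]) and _wc_match(d, ace["dst"], ace["dst_wc"]):
            return ace["action"], ace["line"]
    return "deny", None


def will_nat(nat_acl, src_ip, dst_ip):
    """'ip nat inside source list ...' or a permit route-map matching the ACL:
    a permit match means translate, a deny match or no match means leave alone."""
    return evaluate(nat_acl, src_ip, dst_ip)[0] == "permit"


def reaches_vpn(nat_acl, src_ip, dst_ip, crypto_acl=ACL_110, outside_ip=OUTSIDE_IP):
    """Inside-to-outside on IOS: NAT runs before the crypto map is consulted, so the
    crypto ACL sees the translated source. Returns True if the flow gets encrypted."""
    src_after_nat = outside_ip if will_nat(nat_acl, src_ip, dst_ip) else src_ip
    return evaluate(crypto_acl, src_after_nat, dst_ip)[0] == "permit"


def nat_report(nat_acl, flows):
    """Summarise, per (src, dst) flow, whether it is translated and whether it hits the VPN."""
    return {(s, d): {"natted": will_nat(nat_acl, s, d), "encrypted": reaches_vpn(nat_acl, s, d)}
            for s, d in flows}


if __name__ == "__main__":
    flows = [("10.1.59.10", "10.0.0.5"), ("10.1.59.10", "8.8.8.8")]
    for name, acl in (("as posted", ACL_112_AS_POSTED), ("reordered", ACL_112_FIXED)):
        print(name)
        for flow, result in nat_report(acl, flows).items():
            print("  %s -> %s: natted=%s encrypted=%s" % (flow + (result["natted"], result["encrypted"])))
```

Running it shows the failure mechanism rather than just the symptom: with the posted order, 10.1.59.10 to 10.0.0.5 matches the `permit ... any` line first, gets translated to 3.4.5.6, and then no longer matches ACL 110, so the crypto map never sees it; with the deny line first, the same packet is left untranslated and is encrypted. The branch-to-Internet flow is translated either way. The same result holds whether the ACL is referenced directly with `ip nat inside source list 112 ...` or through the posted `route-map nonat`.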

JustInCase commented:
I was late, so I deleted my post. It was the same as Jody Lemoine's second post (just longer, which is the reason I was late).
:)
But, one thing...
Why do you use a route-map for NAT in this case?

ip nat inside source route-map nonat interface GigabitEthernet0/1 overload

I guess in this case it is not an issue at this moment, but...
You are using a route-map to check the access-list instead of checking the access-list directly:

ip nat inside source list 112 interface GigabitEthernet0/1 overload

You are wasting router's CPU cycles for nothing. Save those CPU cycles for rainy days. :)
pgolding00 commented:
@Predrag: Actually, using the route-map method is correct, as technically deny statements in NAT ACLs were not supported in the past. This was stated in the NAT config guide in versions 12.0 up to 12.4; presumably this is still the case.

That said, I have only once seen this cause a problem, and the incorrect order of statements in ACL 112 is the problem here.
mis- (Author) commented:
Thanks! They are sorting out some other hardware issues, but I'm pretty sure you are correct.