Workaround: Ensure IPsec tunnel is up while NAT is being used.
Mar 5, 2010 1:27 PM in response to: toor
Re: site-to-site vpn failed… tunnels are down…Pls enlighten me.
Yes, I agree that doing the configuration in CLI makes me understand better. Haha. Thanks
Btw IPsec vpn does not seem to work well with NAT. I tested in my lab and found that extended ping can reach the peer router’s inside interface but extended ping drops when it is attempting to reach the host. The tunnel is down while NAT is enabled, and after I disabled the NAT the tunnel is up again….
So how am I going to make use of vpn to route from one site to another site using my existing broadband internet connection? How my inside local going to reach the outside local network of the remote site?
Mar 5, 2010 1:48 PM in response to: cyruslok
Re: site-to-site vpn failed… tunnels are down…Pls enlighten me.
The packets first go throught nat before checking with crypto map. This is why your crypto acl is no longer match the packets. You have to exclude your vpn traffic from being natted. you can use extended acls in your nat setup to do that. Ex:
ip access-list ext NAT_ACL
deny ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
Regards,
Toor
cyruslab 