
Make traffic between IPSec end-points and Internet via Cisco CSR1000v


I set up an IPsec tunnel between our CSR 1000v (AWS) and the LTE service provider router (ASR), and I can ping both sides of the tunnel with the following architecture:

           |<---> internet <---> web server
CSR 1000v: |GigabitEthernet1 (mapped to Elastic IP 54.154.54.AAA)
           |GigabitEthernet2 (private sub-net)
IPSec Tunnel | ASR: (mapped to Elastic IP 54.229.30.BBB) | Field Device

We need to access our web server via its public IP, and by setting up NAT I can access it (or any public IP address) from the domain within range, where the NAT access list is set as:

CSR1000#show access-lists
Standard IP access list GS_NAT_ACL
10 permit, wildcard bits
Extended IP access list NAT-LAN
10 permit ip any

I also need to pass traffic from the nodes behind the IPsec tunnel (10.0.16.0/22), so I extended the NAT-LAN access list to:

CSR1000#show access-lists NAT-LAN
Extended IP access list NAT-LAN
10 permit ip any
20 permit ip any

but I cannot ping the web server from the field device (or from the nodes behind the IPsec tunnel). Could you please let me know whether I need to add or modify configuration in order to give the devices in the field internet access (i.e., forward traffic from the IPsec nodes to the internet)?
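A configuration sketch of the pieces that usually have to be in place for tunnelled hosts to reach the internet through the CSR's NAT, added here as an illustration rather than taken from the poster's router. It assumes a route-based tunnel (interface Tunnel0) and uses 10.0.0.0/24 as a placeholder for the private subnet on GigabitEthernet2; only 10.0.16.0/22 comes from the post.

```cisco
! Added example, not the poster's configuration. Placeholders: 10.0.0.0/24
! stands in for the GigabitEthernet2 subnet, Tunnel0 for the IPsec VTI.
!
! 1. NAT only translates packets that enter on an "inside" interface.
!    Traffic from the field devices enters on the tunnel, so the tunnel
!    interface itself must be marked inside, not only GigabitEthernet2.
!    (With a crypto map on GigabitEthernet1 instead of a VTI, decrypted
!    packets count as arriving on the outside interface and this
!    inside-to-outside translation will not happen.)
interface Tunnel0
 ip nat inside
interface GigabitEthernet2
 ip nat inside
interface GigabitEthernet1
 ip nat outside
!
! 2. Exempt site-to-site traffic first, then translate everything else.
!    Without the deny lines, LAN-to-field traffic would be rewritten to
!    the Elastic IP and the tunnel peers would stop reaching each other.
ip access-list extended NAT-LAN
 deny   ip 10.0.0.0 0.0.0.255 10.0.16.0 0.0.3.255
 deny   ip 10.0.16.0 0.0.3.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.16.0 0.0.3.255 any
!
ip nat inside source list NAT-LAN interface GigabitEthernet1 overload
!
! 3. Verification: a translation for a 10.0.16.x source should appear
!    while the field device pings the web server.
!    CSR1000#show ip nat translations | include 10.0.16
!    If nothing appears, the CSR never received the packet: the ASR side
!    must route (or, with crypto ACLs, select) internet-bound traffic
!    from 10.0.16.0/22 into the tunnel, not just traffic to the VPC subnet.
```

The deny entries and the inside marking on the tunnel are the two points most often missing when tunnel-to-tunnel pings work but tunnel-to-internet does not.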
