2921 Router Dual Wan, Static Routes, and Nat'ing

Justin Kroll
Level 1

I have a 2921 router configured with dual WAN and VPN. I have static routes configured to send traffic destined for the remote VPN sites over the 2nd WAN interface, but I am unable to connect to the external address of the remote sites from a computer within the 2921's local network. I have a feeling it is related to my NAT configuration. I only have dynamic outbound NAT on the first WAN interface, but applying it to the second as well disrupts all WAN traffic.

If someone could give me a hand in getting this configured properly that would be great. If you need configurations, I will be glad to post them, just ask.

Thanks.

1 Accepted Solution

Accepted Solutions

Hi,

   Well, I think I might understand what you are trying to do.  Please try this for testing.

#Assuming that when the tunnel is down, gig0/2 is working fine and the list of public IP addresses below are reachable.

#Assuming that the following IP addresses are what you want to connect to when the tunnel is down.

50.xxx.xxx.226 255.255.255.255 
71.xxx.xxx.6 255.255.255.255
76.xxx.xxx.243 255.255.255.255
76.xxx.xxx.210 255.255.255.255

#####Configuration#####

! IOS keyword is "extended"; only the 10.0.0.0/24 LAN to the four branch hosts
ip access-list extended FOR-MGNT-OUT-G0/2
 permit ip 10.0.0.0 0.0.0.255 host 50.xxx.xxx.226
 permit ip 10.0.0.0 0.0.0.255 host 71.xxx.xxx.6
 permit ip 10.0.0.0 0.0.0.255 host 76.xxx.xxx.243
 permit ip 10.0.0.0 0.0.0.255 host 76.xxx.xxx.210
!
! Existing route-map for internet traffic via gig0/1 (ACL 110), left unchanged
route-map SDM_RMAP_3 permit 1
 match ip address 110
 match interface GigabitEthernet0/1
!
! New route-map: NAT only management traffic that is routed out gig0/2
route-map OUT_GIG_0_2 permit 1
 match ip address FOR-MGNT-OUT-G0/2
 match interface GigabitEthernet0/2
!
ip nat inside source route-map OUT_GIG_0_2 interface GigabitEthernet0/2 overload
!
interface GigabitEthernet0/2
 ip nat outside
!

HTH,

Toshi

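The route-map NAT policy in the accepted answer, modelled in Python as an added example that is not part of the thread: it shows that IOS routes the packet first and a clause fires only when both its ACL and its "match interface" agree, so the four branch hosts get translated out Gi0/2 while internet traffic still uses SDM_RMAP_3, and a source outside the permitted 10.0.0.0/24 leaves Gi0/2 untranslated. The branch and interface addresses, the default route and the contents of ACL 110 are assumptions.

```python
import ipaddress

def acl_permits(acl, src, dst):
    """IOS wildcard semantics: a 0 mask bit must match, a 1 bit is ignored."""
    def hit(addr, base, wild):
        a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wild))
        return (a & ~w) == (b & ~w)
    return any(hit(src, sb, sw) and hit(dst, db, dw) for sb, sw, db, dw in acl)

# Constructed stand-ins for the thread's masked branch addresses (50.xxx.xxx.226 etc.).
REMOTE = ["50.0.0.226", "71.0.0.6", "76.0.0.243", "76.0.0.210"]
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    # ACL 110 is not shown in the thread; assumed to be "permit ip 10.0.0.0 0.0.0.255 any".
    "110": [("10.0.0.0", "0.0.0.255") + ANY],
    # From the accepted answer: only the 10.0.0.0/24 LAN to the four branch hosts.
    "FOR-MGNT-OUT-G0/2": [("10.0.0.0", "0.0.0.255", r, "0.0.0.0") for r in REMOTE],
}
# Static /32 routes toward the branches via Gi0/2; a default route via Gi0/1 is assumed.
ROUTES = [(ipaddress.ip_network(r + "/32"), "Gi0/2") for r in REMOTE]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "Gi0/1"))
# (route-map, ACL, "match interface", address of the overload interface (assumed))
NAT_RULES = [("SDM_RMAP_3", "110", "Gi0/1", "203.0.113.1"),
             ("OUT_GIG_0_2", "FOR-MGNT-OUT-G0/2", "Gi0/2", "198.51.100.1")]

def egress(dst):
    """Longest-prefix match over the static routes; returns the egress interface."""
    ip = ipaddress.ip_address(dst)
    return max(((n, i) for n, i in ROUTES if ip in n), key=lambda t: t[0].prefixlen)[1]

def translate(src, dst):
    """Routing happens first; a clause fires only if ACL and egress interface both match."""
    out = egress(dst)
    for name, acl, match_if, nat_addr in NAT_RULES:
        if out == match_if and acl_permits(ACLS[acl], src, dst):
            return name, nat_addr, out
    return None, src, out  # no clause matched: the packet leaves untranslated

if __name__ == "__main__":
    for s, d in [("10.0.0.50", "8.8.8.8"), ("10.0.0.50", "76.0.0.243"),
                 ("10.0.5.50", "76.0.0.243")]:
        print(s, "->", d, translate(s, d))
```

The third case is the one to watch in a real deployment: a LAN subnet the ACL does not cover is still routed out Gi0/2 by the /32 static route but is never translated, so widen FOR-MGNT-OUT-G0/2 to every inside subnet that needs branch access.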

Hi,

   Please post the configuration, excluding sensitive information.

Toshi

Here it is.

Hi,

  Please explain a bit more about your question. "but I am unable to connect to the external address of the remote sites from a computer within the 2921's local network."  What does it mean?

  Do you want to apply "crypto map 4400" on Gig0/1?

Toshi

The 2921 is at our main location. It has dynamic nat configured to use gi0/1 for internet access. I then have the static routes to access the four other offices through the second wan interface. If I try to ping or ssh the external ip of another location from a computer within the main location's network, it fails. The router can't nat my computer on the second wan connection because nat is configured for that interface, therefore it can not exchange information between my computer and the external ip of the remote location.

Hope that's a little clearer.

Hi,

  Seems you do not need to use NAT on Gig0/2 interface. Seems you are using DMVPN for branch sites. You just want to send traffic through the tunnel on Gig0/2. What do you want NAT to do for this interface? Please clarify.

Just try this for testing.

mkp(conf)#interface GigabitEthernet0/2
mkp(conf-if)#no ip nat outside

We have to make sure that the tunnel is up when testing connections to branch sites.

HTH,

Toshi

My issue is that if the vpn tunnel goes 'down', I am unable to access the branch routers for diagnostics. One site also has a modem in front of the vpn router with a web interface that I am unable to access as well.

Hi,

    Sorry for my late reply. You mean you cannot connect to the router or modem when the tunnel is down. When the tunnel is down, you want to use gig0/1 (internet) to remote to the router/modem. Right? When the tunnel is down, is gig0/2 down as well? What is the public IP address of the modem you want to connect to? Please clarify the routes below.

ip route 50.xxx.xxx.226 255.255.255.255 GigabitEthernet0/2
ip route 71.xxx.xxx.6 255.255.255.255 GigabitEthernet0/2
ip route 76.xxx.xxx.243 255.255.255.255 GigabitEthernet0/2
ip route 76.xxx.xxx.210 255.255.255.255 GigabitEthernet0/2

   I  

HTH,

Toshi

You are correct, I can not connect to the router or modem when tunnel is down. When the tunnel is down, the traffic can go through either interface, as long as it works. Gig0/2 usually does not go down, it is often the remote sites that have issues. The included "ip route" commands are the four remote branch offices with cisco dmvpn routers. I would need to connect to any of them if the tunnels were down.

Thanks.

Sorry for taking so long, I had some other things to take care of first.

I applied the above configuration and it appears to be working as expected. I can remotely manage the branches using their external IPs. The tunnel has not gone down yet, so I haven't been able to truly test it, but thank you very much.

Hi

Thanks for letting us know.

Toshi