Hi Rick, OH :-/  That's why there is only a route map on a RTR as follows. 

But why does the ipsec tunnel come out the other end with a SOURCE IP ADDRESS of the outside address instead of the originating private 192.168.176.x address?

FOLLOWS HERE

# ip nat source route-map ...

Then it does:

# ip nat source route-map MYRMAP interface

or

# ip nat source route-map MYRMAP pool

I am not clear about this statement

But why does the ipsec tunnel come out the other end with a SOURCE IP ADDRESS of the outside address instead of the originating private 192.168.176.x address?

My best guess at this point is that there is an issue at the other peer and it is doing address translation on the vpn traffic where the vpn traffic should be exempted from translation. Perhaps you could post from the remote peer the crypto map, the acl used to identify traffic for encryption, and any of the config for address translation?

HTH

Rick

I had the redundancy in because I was going to lock it down to tcp only.  But I never got this to work properly on the 2921 so I got it working on an ASA.  So I guess that I'm stuck with an ASA, I prefer routers.  ASA will not ping through a tunnel, it has to see "interesting" traffic before it brings up the tunnel :-\

Perhaps I am not understanding correctly what you are saying here

ASA will not ping through a tunnel, it has to see "interesting" traffic before it brings up the tunnel :-\

It is a common behavior on both router and ASA that it needs to see "interesting" traffic to bring up the tunnel. Perhaps you are referring to the fact that the router has the ability to ping and to specify the source address of the ping?

HTH

Rick

Yes that has to be it.  I've put "management-access inside" on both ASAs connect with an L3 tunnel and still can't ping through the tunnel from LAN to LAN.  Without being able to source the ping, I'm guessing that it should be assuming the inside address?  At least that is what shows up in "sh arp" inside addresses.  I can't even ping a PC or a switch at the distant end from the ASA.  I could always to that on a RTR.....

I suspect that there are several issues but I did not look very much past the first one that I found. Network 192.168.172.0 is defined as a locally connected subnet of both the ASA and the router. The ASA interface G0/1 and router interface G0/1.172 are configured as being in 192.168.172.0.

HTH

Rick

A RTR will ping the other router through the tunnel even if there is not PC hanging off the end.  I didn't know that a router is building it each time when traffic is presented.  I just looked like it was up all the time.  There are no ACLs on the interfaces so sourcing is not needed. 

FROM 192.168.175.1 outside 192.168.168.235

remotertr175#ping 192.168.176.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
remotertr175#ping 192.168.177.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.177.1, timeout is 2 seconds:
!!!!!
remotertr175#sh cry ipsec sa

local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.176.0/255.255.255.0/0/0)

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.236

local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)

local crypto endpt.: 192.168.168.235, remote crypto endpt.: 192.168.168.237

Still not entirely sure what you are looking to do but have a look at this thread for an example of using a route map with a static NAT and a VPN tunnel - 

https://community.cisco.com/t5/routing/ipsec-with-ip-nat-inside-source-static/td-p/2689248

there is no reason why it would not work on your router as far as I know. 

Jon

Hi John,

I followed your example.

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0

route-map NO_NAT_192.168.177.0 deny 10
match ip address DENY_NAT_192.168.177.0

ip access-list extended DENY_NAT_192.168.177.0
deny ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255

But I realized that what I'm doing is Port Mapping an http call from the outside external WAN address and translating it to an inside host address and port.  Looks like route-map is only available for inside to outside.  There is an "add-route" for outside to inside.

So at first I tried this: ==========================================

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0

route-map NO_NAT_192.168.177.0 deny 10
match ip address DENY_NAT_192.168.177.0

ip access-list extended DENY_NAT_192.168.177.0
deny ip 192.168.177.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.177.0 0.0.0.255

Realized my mistake and tried this: ====================================

remotertr175(config)# ip nat outside source static tcp 192.168.175.177 80 192.168.168.235 8888 route-map NO_NAT_192.168.177.0 ?
% Unrecognized command

remotertr175(config)#$ ip nat outside source static tcp 192.168.175.177 80 192.168.168.235 8888 ?
add-route Add a static route for outside local address
extendable Extend this translation when used
no-alias Do not create an alias for the local address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
vrf Specify vrf
<cr>

remotertr175(config)#ip nat outside source static tcp 192.168.175.177 80 192.$

Static NAT works in both directions so if the inside IP is 192.168.175.3 and the outside IP is 192.168.168.235 then "ip nat inside" is the correct syntax. 

Note the above IPs would be the destination IPs in the packet ie. the destination IP on the outside would be 192.168.168.235 port 8888 and you would be translating this to the destination IP on the inside of 192.168.175.3 port 80. 

Jon

I gave it my best shot and it did not work, there are no hits through the NAT at port 8888 from an outside PC showing in a tcpdump on the http server at 192.168.175.3.  Here is the NAT.  There must be something wrong with the NAT.... 

ip nat inside source static tcp 192.168.175.3 80 192.168.168.235 8888 route-map NO_NAT_192.168.176.0

route-map NO_NAT_192.168.176.0 deny 10
match ip address DENY_NAT_192.168.176.0

ip access-list extended DENY_NAT_192.168.176.0
deny ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.2

Here is a tcpdump through the tunnel to 192.168.175.3 80 from 192.168.176.4 

root@studio1:/home/vbox# tcpdump -n | grep 192.168.176
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), capture size 262144 bytes
10:43:33.948698 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [S], seq 1417375719, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
10:43:33.948766 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [S.], seq 427422819, ack 1417375720, win 28120, options [mss 1406,nop,nop,sackOK,nop,wscale 7], length 0
10:43:33.949914 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 1, win 16520, length 0
10:43:33.950376 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [P.], seq 1:455, ack 1, win 16520, length 454: HTTP: GET / HTTP/1.1
10:43:33.950469 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], ack 455, win 229, length 0
10:43:33.953324 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], seq 1:1407, ack 455, win 229, length 1406: HTTP: HTTP/1.1 200 OK
10:43:33.953337 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], seq 1407:2813, ack 455, win 229, length 1406: HTTP
10:43:33.953341 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [P.], seq 2813:3478, ack 455, win 229, length 665: HTTP
10:43:33.957883 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3478, win 16520, length 0
10:43:33.970768 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [P.], seq 455:866, ack 3478, win 16520, length 411: HTTP: GET /icons/ubuntu-logo.png HTTP/1.1
10:43:33.971458 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [P.], seq 3478:3658, ack 866, win 237, length 180: HTTP: HTTP/1.1 304 Not Modified
10:43:34.171807 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3658, win 16475, length 0
10:43:38.958501 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [F.], seq 3658, ack 866, win 237, length 0
10:43:38.959965 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [.], ack 3659, win 16475, length 0
10:43:38.960024 IP 192.168.176.4.60008 > 192.168.175.3.80: Flags [F.], seq 866, ack 3659, win 16475, length 0
10:43:38.960051 IP 192.168.175.3.80 > 192.168.176.4.60008: Flags [.], ack 867, win 237, length 0

--------------------------================================----------------------------

Point of interest, I had a relic L3 tunnel setup on the 2921 for 192.168.172.0 and noticed that "cry ipsec sa" was showing something up - I happened to reuse 192.168.172.0 on an ASA 5520 which is also connect to the "outside" switch.  So I put in the mirror L3 tunnel on the ASA and guess what?  The tunnel is up (after I added the route statement :-)).

Sorry still looking into this....

--------------------------================================----------------------------