IPSEC VPN stopped working after ISP change

stillnick
Level 1

Hi community.

I'm having a problem with a Cisco 500 family to Cisco 500 family link I had configured as site-to-site.

Everything was working until we changed ISP at one of the sites. The old ISP was giving me a static public IP, which was working like a charm. On the other hand, the new ISP is delivering us a NATed IP address. Even though I have full access to the modem/router, DMZ doesn't work because of the ISP NAT on the WAN side.

Any idea how I could work around this?

Note: I still have a static public IP at one of the sites.

Thanks.

6 Replies

Hello,

What CAN you access? Is LAN-to-LAN traffic working?

Check for an option to enable NAT-T (NAT Traversal); I am not sure if that is available on the 500 series...

The original post tells us that after the change one device is behind a NATed IP. But it does not tell us whether that NAT is a static NAT or a dynamic NAT. If it is a static NAT, then the site-to-site should work if the other site changes its configuration to have the remote peer as the public IP which is NATed to the router IP. If the NAT is dynamic, then a different solution is needed. The solution is normally to have the other router (not the one with the NAT address) change its config to use a dynamic entry in the crypto map for the site-to-site VPN. Like Georg, I am not familiar with the options available on the 500 series and so cannot offer advice about the details of how to do this (or even whether this option is available on the 500 series).

HTH

Rick

Hi Richard,

Thanks for your answer.

As far as I saw, it is a static NAT. The link is one of those very common these days, in which the ISP does a NAT of a public IP address. See below.

49.196.165.70 public IP (in ISP network) -> 192.168.225.1 (ISP network) -> 192.168.1.1 (my internal modem/router) -> 10.16.71.1 (my Cisco router)


VPN - My Cisco R1 - The one I have the public IP

interface Tunnel1
 ip address 172.98.5.1 255.255.255.0
 tunnel source FastEthernet0
 tunnel destination 49.196.165.70

VPN - My Cisco R2 - The new ISP

interface Tunnel1
 ip address 172.99.5.2 255.255.255.0
 tunnel source GigabitEthernet8
 tunnel destination 49.255.170.111


I've been reading over the internet and it looks like I need a static public IP address at both ends to make this S2S VPN work. Is there maybe another trick I could try?

Thanks

Quick note: This is the debug I'm receiving on the tunnel...


*Oct 12 02:27:40.115: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=83)
*Oct 12 02:27:40.167: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=68)
*Oct 12 02:27:41.167: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=68)
*Oct 12 02:27:42.103: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=241)
*Oct 12 02:27:42.103: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=241)

Hello,

I am not sure I understand your IP addressing:

49.196.165.70 public IP (in ISP network) -> 192.168.225.1 (ISP network) -> 192.168.1.1 (my internal modem/router) -> 10.16.71.1 (my Cisco router)

Your SR500s on both sides need a public IP address on the outside interfaces in order to be able to establish a VPN connection. If your ISP changes the IP address on the outside interface, you need to reflect that change in the configuration of the router.

Since the 500 series is end of life/end of sale, it is kind of hard to find any documentation. I did find the document linked below: if you are using the Cisco Configuration Assistant, check the settings on page 5-2 (or post a screenshot of these settings)...

https://community.cisco.com/legacyfs/online/legacy/1/2/1/65121-UC500SR500.pdf

There are several things that are not clear about this environment. The original post described a site-to-site. Are we correct to understand this to be an IPsec site-to-site VPN? The partial config and the debug do not seem to show IPsec encryption. If it is IPsec, could you give us more details from the config?

Can you clarify what kind of debug this was? Was it debug ip packet or some other type of debug?

The partial config shows that the tunnel source is Gig8. The debug output shows that the source address is 192.168.1.200. Are we correct in assuming that Gig8 has address 192.168.1.200?

The R1 partial config shows the tunnel destination as 49.196.165.70. Can you get the ISP to verify whether or not they are translating 49.196.165.70 into 192.168.1.200?

HTH

Rick

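The points Rick raises (plain GRE rather than IPsec in the debug, a private 192.168.1.200 source while R1 is configured to send to 49.196.165.70) can be checked mechanically against the material posted in this thread. The Python script below is an added example by the editor, not something any participant posted: it parses the `debug tunnel` lines quoted above, takes the addresses from the two partial configs, and reports what a reviewer would flag. Two things in it go beyond what was said in the thread but follow from the posted text: every debug line is an outbound encapsulation with no packet ever decapsulated, and the two Tunnel1 interfaces are addressed in different subnets (172.98.5.0/24 on R1, 172.99.5.0/24 on R2). Recognising inbound packets by the substring "decaps" is an assumption about the IOS debug format, since the thread shows no inbound line at all.

```python
"""Triage of the `debug tunnel` output and the two partial tunnel configs posted in this thread."""
import ipaddress
import re
from dataclasses import dataclass

# Debug lines as posted in the thread (taken on R2, the site behind the ISP NAT).
DEBUG_OUTPUT = """\
*Oct 12 02:27:40.115: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=83)
*Oct 12 02:27:40.167: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=68)
*Oct 12 02:27:41.167: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=68)
*Oct 12 02:27:42.103: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=241)
*Oct 12 02:27:42.103: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=241)
"""

# Values copied from the two partial configs in the thread.
R1_TUNNEL_IP = "172.98.5.1/24"            # R1: ip address 172.98.5.1 255.255.255.0
R1_TUNNEL_DESTINATION = "49.196.165.70"   # R1: tunnel destination (ISP public address for site 2)
R2_TUNNEL_IP = "172.99.5.2/24"            # R2: ip address 172.99.5.2 255.255.255.0
R2_TUNNEL_DESTINATION = "49.255.170.111"  # R2: tunnel destination (R1's static public address)

# Outbound encapsulation line, e.g.
# "*Oct 12 02:27:40.115: Tunnel1: GRE/IP encapsulated 192.168.1.200->49.255.170.111 (linktype=7, len=83)"
ENCAPS_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} +\d+ [\d:.]+): (?P<ifname>\S+): (?P<encap>\S+) encapsulated "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) \(linktype=\d+, len=(?P<len>\d+)\)$"
)


@dataclass(frozen=True)
class GrePacket:
    timestamp: str
    interface: str
    encapsulation: str  # "GRE/IP" is plain GRE with no IPsec around it
    src: str
    dst: str
    length: int


def parse_debug(text):
    """Return (list of outbound GrePacket, count of inbound lines).

    Inbound packets are recognised only by the substring "decaps"; that is an
    assumption about the IOS debug format (the thread shows no inbound line).
    """
    outbound, inbound = [], 0
    for line in text.splitlines():
        m = ENCAPS_RE.match(line)
        if m:
            outbound.append(GrePacket(m["ts"], m["ifname"], m["encap"], m["src"], m["dst"], int(m["len"])))
        elif "decaps" in line:
            inbound += 1
    return outbound, inbound


def triage(text, expected_peer, far_end_destination, local_tunnel_ip, far_tunnel_ip):
    """Return a list of (code, message) findings about the posted tunnel."""
    outbound, inbound = parse_debug(text)
    if not outbound:
        return [("empty", "no GRE encapsulation lines found in the debug output")]
    findings = []

    # Security point: GRE alone gives no confidentiality or integrity.
    if all(p.encapsulation == "GRE/IP" for p in outbound):
        findings.append(("cleartext",
                         "every packet is plain GRE/IP; the debug shows no IPsec, so tunnel traffic is unencrypted"))

    # An RFC 1918 GRE source means this router is behind NAT; GRE has no ports,
    # so the ISP NAT must map the public address to this host for protocol 47.
    for src in sorted({p.src for p in outbound}):
        if ipaddress.ip_address(src).is_private:
            findings.append(("nat",
                             f"GRE source {src} is RFC 1918, so this router sits behind NAT; the far end must use the "
                             f"ISP public address ({far_end_destination}) as tunnel destination and the ISP NAT must "
                             f"forward IP protocol 47 (GRE) inbound to {src}"))

    # Sanity check: packets should go to the configured tunnel destination.
    wrong = sorted({p.dst for p in outbound} - {expected_peer})
    if wrong:
        findings.append(("peer", f"GRE is sent to {wrong} but the config says tunnel destination {expected_peer}"))

    if inbound == 0:
        findings.append(("one-way",
                         f"{len(outbound)} packets encapsulated, none decapsulated: nothing came back from the peer "
                         "during the capture"))

    # Both Tunnel1 interfaces must share a subnet for the overlay to work.
    local, far = ipaddress.ip_interface(local_tunnel_ip), ipaddress.ip_interface(far_tunnel_ip)
    if local.network != far.network:
        findings.append(("addressing",
                         f"tunnel interfaces are in different subnets ({local.network} vs {far.network}); "
                         "even with GRE working, the two Tunnel1 interfaces are not on a common link"))
    return findings


if __name__ == "__main__":
    for code, msg in triage(DEBUG_OUTPUT, R2_TUNNEL_DESTINATION, R1_TUNNEL_DESTINATION, R2_TUNNEL_IP, R1_TUNNEL_IP):
        print(f"[{code}] {msg}")
```

Run as-is it reports cleartext, nat, one-way and addressing findings for the posted material; feed it a fresh `debug tunnel` capture and the real config values to re-check after the ISP confirms how 49.196.165.70 is translated.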