10-28-2018 01:57 PM - edited 03-05-2019 11:00 AM
Hello friends,
Recently I configured a site-to-site IPsec VPN between my ISR4331 router at the main office and a FortiGate unit at one of our branches.
The connection looks fine, but the only problem I'm facing is accessing both internal LANs, while ping to the D.G. (default gateway) is working just fine.
When inspecting the configuration on the Cisco side, I discovered a few configurations that relate to the problem:
1. ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/0/1 overload
2. route-map WAN2-NAT permit 10
    match ip address EXIT-WAN2
3. ip access-list extended EXIT-WAN2
    permit ip host 10.10.10.32 any
    permit ip host 10.10.10.50 any
When removing the route map, pings from both sides can reach the other side's internal LAN, but some of the IP addresses can't exit from WAN2 anymore. Since I need those specific IP addresses to exit from WAN2 and not from WAN1 on the other physical port, I can't remove it.
Any suggestions for configuration changes?
Thank you in advance
10-28-2018 03:22 PM - edited 10-28-2018 03:23 PM
I am assuming you want the traffic across the IPsec tunnel NOT to be NATed.
So, above your rule:
ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/0/1 overload
put a more specific rule that does a no-NAT, i.e. source and destination remain original and are not NATed. Stick this rule above your overload rule and it should get preference.
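The no-NAT entry described above, written out as a complete IOS snippet. This is an added example, not configuration taken from the posts in this thread; it assumes the head-office LAN is 10.10.10.0/24 and the branch (FortiGate) LAN is 192.168.50.0/24, neither of which the thread states, so substitute the real subnets. The overload rule and route-map are unchanged; only the ACL gains a leading deny.

```cisco
! Added example (assumed subnets: head office 10.10.10.0/24, branch 192.168.50.0/24).
! The overload rule and route-map from the original post stay exactly as they were.
ip nat inside source route-map WAN2-NAT interface GigabitEthernet0/0/1 overload
!
route-map WAN2-NAT permit 10
 match ip address EXIT-WAN2
!
! The ACL is a classifier for the NAT rule, not a packet filter: a "deny" here
! means "do not translate this flow", it never drops the packet. IOS evaluates
! ACEs top down and stops at the first match, so the deny for tunnel traffic
! must come before the host permits, otherwise 10.10.10.32 and .50 are matched
! by "permit ... any" first and get translated to the WAN2 address.
ip access-list extended EXIT-WAN2
 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip host 10.10.10.32 any
 permit ip host 10.10.10.50 any
```

Why the exemption is needed at all: for inside-to-outside traffic IOS applies NAT before it consults the crypto map, so a packet that has already been translated to the GigabitEthernet0/0/1 address no longer matches the crypto ACL (local LAN to remote LAN) and is sent out in the clear instead of into the tunnel. After changing the ACL, run `clear ip nat translation *` once so the translations already cached for the two hosts are not reused, then check with `show ip nat translations` (tunnel flows should no longer appear) and `show crypto ipsec sa` (the encaps/decaps counters for the branch subnet should increment on each ping).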
10-28-2018 08:41 PM
10-29-2018 01:11 AM
Thank you for your reply, Francesco!
Your suggestion did work for me.
Maybe it's because I'm not a specialist in this area of Cisco, but I'm left wondering - if I deny the local subnet to the remote subnet, how come the connection now works? It should deny and not allow, shouldn't it?
Thank you again