We have a Site-to-Site VPN that is securing all traffic to/from 10.160.8.0/24 to/from 10.0.0.0/8. This is for everything - including Internet traffic. However, there is an exception (of course)...
The part I cannot get working is if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443) then the return traffic must go back over the VPN. BUT, if the 80 or 443 traffic comes from anyplace else (Internet via X.X.X.X that gets translated to 10.160.8.5), then it needs to be NATed back out to the Internet via Gig2.
I have the following configuration (tried to just have the necessary lines)...
ip address Y.Y.Y.Y 255.255.255.0 !! the X.X.X.X and Y.Y.Y.Y are in the same subnet
ip address X.X.X.X 255.255.255.0 secondary
ip nat outside
crypto map ipsec-map-S2S
encapsulation dot1Q 2020
ip address 10.160.8.1 255.255.255.0
ip nat inside
ip nat inside source list NAT-Outbound interface GigabitEthernet2 overload
With the above configuration, we can get to 10.160.8.5 from the Internet but cannot get to it over the VPN tunnel (from 10.200.0.0/16). If I remove the two "ip nat inside source static..." commands, then the opposite happens - I can then get to 10.160.8.5 from the VPN tunnel but I now cannot get to it from the Internet.
How can I get to it from both? It seems that when I hit the first NAT statement (Gig2 overload) that the "deny" in the NAT-Outbound ACL punts me out of that NAT statement. It then processes the next NAT statement (one of the "ip nat inside source static...") but the "deny" in the NO-NAT ACL does not seem to punt me out of that NAT statement. That is my theory anyway (maybe something else is going on?)
Should this work like this or am I not understanding something correctly? This is on a Cisco Cloud Services Router (CSR 1000v).
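As an added illustration (not part of the original post, and not a model of how IOS-XE orders static entries, which is what the question is about), the following Python script encodes the forwarding policy the post wants and checks it against sample flows. It follows the inside-to-outside order of operations, where the NAT decision is taken before the crypto map is evaluated, so only untranslated private traffic can ever match the crypto ACL. The ACL entries, the 203.0.113.x addresses standing in for X.X.X.X and Y.Y.Y.Y, and the sample flows are all assumptions; the post names NAT-Outbound and NO-NAT but does not show their contents.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins (documentation address space) for the post's placeholders:
# Y.Y.Y.Y = primary address of Gig2, X.X.X.X = static NAT address of 10.160.8.5.
GIG2_PRIMARY = ip_address("203.0.113.1")
STATIC_GLOBAL = ip_address("203.0.113.10")
WEB_SERVER = ip_address("10.160.8.5")

# Assumed ACL contents: (action, source network, destination network).
# Cisco semantics: first matching entry wins, implicit deny at the end.
CRYPTO_ACL = [("permit", "10.160.8.0/24", "10.0.0.0/8")]
NAT_OUTBOUND = [
    ("deny",   "10.160.8.0/24", "10.0.0.0/8"),   # VPN-bound traffic must not be translated
    ("permit", "10.160.8.0/24", "0.0.0.0/0"),    # everything else goes out Gig2 translated
]
NAT_OUTBOUND_NO_EXEMPTION = NAT_OUTBOUND[1:]     # the same list with the deny removed

# Hypothetical model of the static entry: 10.160.8.5 presents X.X.X.X on the Internet.
STATIC_MAPPINGS = {WEB_SERVER: STATIC_GLOBAL}


def acl_lookup(acl, src, dst):
    """Evaluate an extended ACL on a source/destination pair; returns 'permit' or 'deny'."""
    for action, src_net, dst_net in acl:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action
    return "deny"  # implicit deny


def egress_decision(src, dst, nat_acl=NAT_OUTBOUND):
    """Decide how a packet leaving the inside LAN is handled in this policy model.

    Returns (path, source address as seen on the wire). A 'deny' in the NAT ACL
    means 'do not translate', not 'drop'. The static mapping is applied only
    where the NAT ACL permits translation; that is the intended policy, not a
    statement about how the router actually orders static entries.
    """
    src, dst = ip_address(src), ip_address(dst)
    # Step 1: NAT inside-to-outside.
    if acl_lookup(nat_acl, src, dst) == "permit":
        wire_src = STATIC_MAPPINGS.get(src, GIG2_PRIMARY)
    else:
        wire_src = src
    # Step 2: crypto map, evaluated on the post-NAT packet.
    if acl_lookup(CRYPTO_ACL, wire_src, dst) == "permit":
        return ("vpn", str(wire_src))
    return ("internet", str(wire_src))


def check_policy(flows, nat_acl=NAT_OUTBOUND):
    """Run a list of (src, dst) pairs through the model and return a dict of decisions."""
    return {f"{s}->{d}": egress_decision(s, d, nat_acl) for s, d in flows}


if __name__ == "__main__":
    # Constructed sample flows: return traffic from the web server and a plain LAN host.
    flows = [
        ("10.160.8.5", "10.200.0.1"),     # reply to a VPN client: must stay untranslated
        ("10.160.8.5", "198.51.100.7"),   # reply to an Internet client: must use X.X.X.X
        ("10.160.8.20", "198.51.100.7"),  # ordinary LAN host: overload on Gig2
    ]
    for flow, decision in check_policy(flows).items():
        print(f"{flow:30} -> {decision}")
    # Without the deny entry the VPN reply is translated first and misses the crypto ACL.
    print("without exemption:", egress_decision("10.160.8.5", "10.200.0.1", NAT_OUTBOUND_NO_EXEMPTION))
```

The last line shows the failure mode the exemption guards against: with the deny removed, the reply to the VPN client is translated to the static address before the crypto map is consulted, no longer matches the crypto ACL, and leaves via the Internet path instead of the tunnel.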