but why 172.55/16 can bring up the tunnel when i try to ping to 10.66/16, without the additional lines you suggested ?

and the below lines already exempt the traffic from being NATted

ip access-list extended Nat-Add

deny   ip any 10.0.0.0 0.0.0.255 (NO MATCHES)

deny   ip any 172.55.0.0 0.0.255.255 (xxx matches)

btw, 10.55/16 default gateway is on 1800, then 1800 will forward the traffic to 2800, then it should pass the traffic to the tunnel.. but it doesnt..

From what I can tell pings sourced from 172.55.0.0/16 destined for 10.66.0.0/16 are matching the first NAT exemption statement (deny   ip any 10.0.0.0 0.0.0.255). I don't have a good explaination as to why traffic from 10.55.0.0/16 is not being exempt, but my guess is that it has something to do with the fact that 10.66.0.0/16 and 10.55.0.0/16 are both subnets of 10.0.0.0/8.

The existing lines will NOT exempt the traffic you are attempting to pass from being NAT'd (as indicated by your test results). They WILL exempt traffic that matches the ACL statements though (i.e. any traffic destined for 10.0.0.0/8 or destined for 172.55.0.0/16).

On a side note, the lines I suggested would not be additional, but replacements for the existing exemption statements.

Alternatively you can use "debug ip nat" to see how traffic is (or isn't) NAT'd.

Hopefully that was a little bit clearer.

added the 2 lines, but still no matches..

did a debug ip nat, these networks are not being natted

i did a traceroute from 1800 to 10.66/16 from 10.55 interface, it seems that it will pass to 2800 then to 3750 and then back to 2800.

im not sure its the routing that causing this.. or the NAT .. as the traffic did get forwarded to 2800, but it just handle as normal packet and route to 3750 and not to the tunnel..

They aren't being NAT'd after you added the lines I suggested? If so, that's good.

Can you provide "sh ip route" from the 1800, 2800 and 3750?

actually after i added the 2 additional line, 172.55/16 cant reach to 10.66/16, just notice when i ping again..

1800

1800#show ip route static

     172.55.0.0/16 is variably subnetted, 2 subnets, 2 masks

S       172.55.0.0/16 [1/0] via 172.55.255.1

     10.0.0.0/8 is variably subnetted, 8 subnets, 5 masks

S       10.66.0.0/16 [1/0] via 172.55.255.1

S*   0.0.0.0/0 [1/0] via 225.253.110.1

1800#

2800

2800#sh ip route static

     172.55.0.0/16 is variably subnetted, 5 subnets, 3 masks

S       172.55.0.0/16 [1/0] via 172.55.253.12

     10.0.0.0/12 is subnetted, 1 subnets

S       10.0.0.0 [1/0] via 172.55.255.254

S*   0.0.0.0/0 [1/0] via 172.55.253.4

2800#

3750

3750#sh ip route vrf 172-55 static

S*   0.0.0.0/0 [1/0] via 172.55.253.9

3750#sh ip route vrf Public static

     172.55.0.0/16 is variably subnetted, 2 subnets, 2 masks

S       172.55.0.0/16 [1/0] via 172.55.253.1

S    10.0.0.0/8 [1/0] via 172.55.253.1

     225.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

S       225.253.96.144/29 [1/0] via 172.55.253.1

S*   0.0.0.0/0 [1/0] via 225.253.110.1

3750#

Just noticed the route map at the end of the config of the 2800 which also uses the Nat-Add ACL, not sure what its purpose is, move back to your original statements in the ACL. I'm having trouble wrapping my head around the routing here -- thoroughly confused by what you are trying to accomplish.

Walking through the routing from the 1800, the route for 10.66.0.0/16 points to 172.55.255.1 which doesn't appear on any of your other equipment -- does that seem correct?

sorry my fault, 172.55.255.1 supposed to be in 2800 fa0/0 (removed the hsrp configs for easy viewing) below are the interfaces ip address..

interface FastEthernet0/0

ip address 172.55.255.1 255.255.255.0

duplex auto

speed auto

interface FastEthernet0/1.997

encapsulation dot1Q 997

ip address 172.55.253.9 255.255.255.248

ip nat inside

ip virtual-reassembly

ip policy route-map Nat-Add

interface FastEthernet0/1.998

encapsulation dot1Q 998

ip address 172.55.253.1 255.255.255.248

ip nat outside

ip virtual-reassembly

crypto map vpn-dynamic

im having trouble understanding the exsiting configs as well..as im being told to add vpn configs to bring up the tunnel.. other configs cant be removed..

That makes more sense. I'm not getting consistent results in my lab following the same guidelines as your configs. (When the crypto map is bound to Lo0 the tunnel will come up but NO traffic will pass). Lets try from a little bit different approach...

With your original configs:

You mentioned previously that you could ping 10.66.0.0/16 from 172.55.0.0/16, when doing so do you see both the encaps and decap counters increment under "sh cry ipsec sa"?

When pinging 10.66.0.0/16 from 10.55.0.0/16, do you see the encaps and/or decaps increment?

172.55/16 to 10.66/16 => yes the counters increased

10.55/16 to 10.66/16 => nope, counter still 0 and doest bring up the tunnel..

When you are pinging from those networks what interfaces or addresses are you sourcing from?

Sent from Cisco Technical Support iPhone App

im pinging from a PC on 10.55/16 and 172.55/16 respectively..not from the router interface..

And those addresses would be...?

Sent from Cisco Technical Support iPhone App

172.55.4.121 and 10.55.0.133