We have a number of tunnels needing to be configured for encryption of traffic destined for an internet range of addresses. These tunnels are "internal" in the sense that they traverse our MPLS network. Do we have any issue with terminating the tunnels on internal interfaces as opposed to external public MPLS facing interfaces? To add to it, the far end terminating IPsec device is an ASA which actually sits behind one of the MPLS routers.
For example: Router A internal network 192.168.1.0 needs to access internet address 220.127.116.11. IPsec configuration tells the router to run it through the tunnel which terminates on a remote head end ASA with an external facing interface to network 18.104.22.168 and an internal interface of 192.168.2.1. This ASA is behind Router B. Am I able to terminate tunnels on the internal interfaces of Router A and the ASA? Would NAT be an issue?
Internal 192.168.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 192.168.2.1<--ASA--> 22.214.171.124
Hope this makes some sense and I appreciate any help,
Ok, so now I have a completely separate issue. My crypto map ACL's are not matching interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up. But it's not matching the specific subnets I want to use.
object network ANNEX_10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network XXXX_network_126.96.36.199
subnet 188.8.131.52 255.255.0.0
access-list TEST_ENCRYPTION_TO_ANNEX extended permit ip object XXXX_network_184.108.40.206 object ANNEX_10.1.1.0
ip access-list extended XXXX_VPN
permit ip 10.1.1.0 0.0.0.255 220.127.116.11 0.0.255.255 log
crypto map XXXX_CMAP 10 ipsec-isakmp
set peer [headend peer ip]
set transform-set XXXX_TSET
match address XXXX_VPN
encapsulation dot1Q 60
ip address 10.1.1.1 255.255.255.0
crypto map FDLE_CMAP