l2l tunnel using policy-nat

Freddy Andersen
Level 1

I'm pulling my hair out at this point, so I'm hoping someone can see what's wrong... (4 weeks of Cisco experience...)

I have a tunnel that I want to look like so:

                                          / --> boston tunnel
internal > NAT > External ip > internet >
                                          \ --> chicago tunnel

This WAS working; I'm not sure why the tunnel does not get created now... maybe I removed something that should not have been removed...?

I have one more setup just like this going to a different static IP with a different policy, and that one works....

any help is greatly appreciated.

object-group network netnumber-chicago
 network-object host 65.111.11.204
 network-object host 65.111.11.205
object-group network netnumber-boston
 network-object host 65.222.11.84
 network-object host 65.222.11.85
access-list youmailtp_splitacl standard permit host 65.222.11.85
access-list youmailtp_splitacl standard permit host 65.111.11.204
access-list youmailtp_splitacl standard permit host 65.111.11.205
access-list youmailtp_splitacl standard permit host 65.222.11.84
access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-boston
access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-chicago
access-list outside_cryptomap_40 extended permit ip telepacific-inside-network 255.255.254.0 object-group netnumber-chicago
access-list outside_cryptomap_40 extended permit ip host 66.11.22.139 object-group netnumber-chicago
access-list outside_cryptomap_50 extended permit ip telepacific-inside-network 255.255.254.0 object-group netnumber-boston
access-list outside_cryptomap_50 extended permit ip host 66.11.22.139 object-group netnumber-boston
static (inside,outside) 66.11.22.139 access-list netnumber-policy-nat
crypto ipsec transform-set NETNUMBER_TRANSFORM_SET esp-3des esp-sha-hmac
crypto map Outside_map 40 match address outside_cryptomap_40
crypto map Outside_map 40 set peer 65.111.22.81
crypto map Outside_map 40 set transform-set NETNUMBER_TRANSFORM_SET
crypto map Outside_map 50 match address outside_cryptomap_50
crypto map Outside_map 50 set peer 65.222.22.33
crypto map Outside_map 50 set transform-set NETNUMBER_TRANSFORM_SET

3 Replies

sholiday666
Level 1

Are those all your site-to-site VPN entries? How about your:

tunnel-group 65.111.22.81 type ipsec-l2l
tunnel-group 65.111.22.81 ipsec-attributes
 pre-shared-key *
tunnel-group 65.222.22.33 type ipsec-l2l
tunnel-group 65.222.22.33 ipsec-attributes
 pre-shared-key *

?

group-policy site2site internal
group-policy site2site attributes
 vpn-idle-timeout none
 vpn-filter value youmailtp_splitacl
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 65.111.22.81 type ipsec-l2l
tunnel-group 65.111.22.81 general-attributes
 default-group-policy site2site
tunnel-group 65.111.22.81 ipsec-attributes
 pre-shared-key *
tunnel-group 65.222.22.33 type ipsec-l2l
tunnel-group 65.222.22.33 general-attributes
 default-group-policy site2site
tunnel-group 65.222.22.33 ipsec-attributes
 pre-shared-key *

OK, so the two tunnels are now up. sh cry isa sa shows both peers. However, if I do sh cry ips sa there is no traffic in the encaps/decaps section, so I'm not using the tunnels...

Looking at my config, I can't figure out how one of my internal boxes will use this tunnel, so I thought I needed to change this:

access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-boston

to

access-list netnumber-policy-nat extended permit ip 10.21.30.0 255.255.254.0 object-group netnumber-boston

but when I tried to add the static it bombed out with an overlapping IP message...

Anyone have any ideas...
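The follow-up post above moves the policy-NAT ACL source from the mapped address (host 66.11.22.139) to the real inside range (10.21.30.0 255.255.254.0). The following is an added example written for this page; it is not code from the thread or from Cisco. It parses the pre-8.3 ASA syntax that appears in the posts (object-group network, extended ACLs, static ... access-list, crypto map match address) and applies two consistency checks that matter for policy NAT feeding an L2L tunnel: a policy-NAT ACE whose source is the static's own mapped address can never match an inside host, so nothing is translated; and because the ASA applies NAT before the crypto map, the crypto ACL must permit the mapped address toward the same destinations. The configs below are abbreviated, constructed copies of the thread's lines (Boston side only); the 10.21.30.0/23 range is the one the follow-up post proposes. The example does not address the "overlapping" static error.

```python
"""Consistency check for pre-8.3 ASA policy NAT used with an L2L crypto map.

Added example for this page, not part of the thread or of any Cisco tool.
Supports only the syntax subset visible in the posts above.
"""
import ipaddress
from collections import defaultdict

# Constructed, abbreviated copy of the configuration posted in the thread.
ORIGINAL_CONFIG = """
object-group network netnumber-boston
 network-object host 65.222.11.84
 network-object host 65.222.11.85
access-list netnumber-policy-nat extended permit ip host 66.11.22.139 object-group netnumber-boston
access-list outside_cryptomap_50 extended permit ip host 66.11.22.139 object-group netnumber-boston
static (inside,outside) 66.11.22.139 access-list netnumber-policy-nat
crypto map Outside_map 50 match address outside_cryptomap_50
"""

# Same config with the real inside source the follow-up post proposes.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "access-list netnumber-policy-nat extended permit ip host 66.11.22.139",
    "access-list netnumber-policy-nat extended permit ip 10.21.30.0 255.255.254.0",
)

# Hypothetical variant: crypto ACL written with the real (pre-NAT) source,
# which the ASA never sees at crypto-map time for policy-NATted traffic.
WRONG_CRYPTO_CONFIG = FIXED_CONFIG.replace(
    "access-list outside_cryptomap_50 extended permit ip host 66.11.22.139",
    "access-list outside_cryptomap_50 extended permit ip 10.21.30.0 255.255.254.0",
)


def _network(tokens, groups):
    """Consume one address spec (host X | object-group G | any | A MASK)."""
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    # dotted netmask form, e.g. 10.21.30.0 255.255.254.0
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def parse(config):
    """Return (object groups, ACLs as (src, dst) pairs, policy statics, crypto ACL names)."""
    groups = defaultdict(list)
    acls = defaultdict(list)
    statics = []        # (mapped address, policy-NAT ACL name)
    crypto_acls = {}    # (map name, seq) -> ACL name
    current_group = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "network":
            current_group = t[2]
        elif t[0] == "network-object" and current_group:
            nets, _ = _network(t[1:], groups)
            groups[current_group].extend(nets)
        elif t[0] == "access-list" and t[2] == "extended" and t[3] == "permit":
            src, rest = _network(t[5:], groups)   # t[4] is the protocol
            dst, _ = _network(rest, groups)
            acls[t[1]].append((src, dst))
        elif t[0] == "static" and "access-list" in t:
            statics.append((ipaddress.ip_address(t[2]), t[t.index("access-list") + 1]))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls[(t[2], t[3])] = t[-1]
    return groups, acls, statics, crypto_acls


def check(config):
    """Return a list of findings; an empty list means the two rules hold."""
    _, acls, statics, crypto_acls = parse(config)
    findings = []
    for mapped, acl in statics:
        for src_nets, dst_nets in acls[acl]:
            if any(mapped in n for n in src_nets):
                findings.append(f"{acl}: source {mapped} is the mapped address of its own "
                                "static; policy NAT matches real inside sources, so this "
                                "ACE never matches")
            # The crypto ACL must carry the MAPPED source toward the same destinations.
            covered = any(
                any(mapped in s for s in c_src)
                and all(any(d.subnet_of(c) for c in c_dst) for d in dst_nets)
                for name in crypto_acls.values() for c_src, c_dst in acls[name])
            if not covered:
                dsts = ", ".join(map(str, dst_nets))
                findings.append(f"{acl}: no crypto ACL permits host {mapped} -> {dsts}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG),
                       ("wrong crypto ACL", WRONG_CRYPTO_CONFIG)):
        print(label, "->", check(cfg) or "OK")
```

Run it as a script and the original config yields one finding about the policy-NAT source, the fixed config is clean, and the variant with a real-address crypto ACL is flagged because no crypto ACE carries the mapped 66.11.22.139.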