Hello,
i searched through the archives, but didn't find any similar example
I have a host 192.168.1.10 which I want to statically nat to adress A when accessing Internet. I also have an ipsec tunnel to another company. They need to access this host with address B, which is different then 192.168.1.10.
So I did something like this: ip nat inside source static 192.168.1.10 B route-map rmap_B ip nat inside source static 172.16.30.7 A route-map rmap_A
route maps match packets from 192.168.1.10 to remote networks, and to Internet anyway, when I do debug ip nat, then everything looks fine. seems like NAT works as it is supposed to host can reach Internet, and is reachable with it's internet address
the problem is with IPSec
Crypto map: crypto map cmap_1 1 ipsec-isakmp description Tunnel to X set peer X set transform-set ESP-3DES-SHA3 set pfs group2 match address acl_crypto_1
And acl_crypto_1 is: permit ip host B remote_network_address
Result : IPSec tunnel works. show cry isa sa, and show cry ipsec sa both show working connections
but....
packet from 192.168.1.10, translated to B do not enter the tunnel ! when I do show cry ipsec sa I see 'send errors' counter increasing when I do debug ip packet i see 'outside crypto map check failed'
Have anyone tried such configuration and might help me with this ?
regards