static nat and ipsec - outside crypto map check failed



I searched through the archives, but didn't find any similar example.

I have a host which I want to statically NAT to address A
when accessing Internet.
I also have an ipsec tunnel to another company. They need to access
this host with address B, which is different than

So I did something like this:
ip nat inside source static B route-map rmap_B
ip nat inside source static A route-map rmap_A

route maps match packets from to remote networks, and to
Anyway, when I do debug ip nat, everything looks fine. It seems like
NAT works as it is supposed to.
The host can reach the Internet, and is reachable with its Internet address.

the problem is with IPSec

Crypto map:
crypto map cmap_1 1 ipsec-isakmp
 description Tunnel to X
 set peer X
 set transform-set ESP-3DES-SHA3
 set pfs group2
 match address acl_crypto_1

And acl_crypto_1 is:
permit ip host B remote_network_address

Result :
IPSec tunnel works.
show cry isa sa, and show cry ipsec sa both show working connections


Packets from, translated to B do not enter the tunnel!
When I do show cry ipsec sa I see the 'send errors' counter increasing.
When I do debug ip packet I see 'outside crypto map check failed'.

Has anyone tried such a configuration and might help me with this?

