In article , colin wrote:
:> access-list nonat_acl permit ip 176.x.x.0 255.255.0.0 host X.Y.Z.Z
:> access-list nonat_acl permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 0.0.255.255
:> nat (inside) 0 access-list nonat_acl
Did I really write X.Y.Z.Z 0.0.255.255 ?? Ah yes, I really did... I copied from the original posting. Very likely that second line should read
access-list nonat_acl permit ip 10.x.x.0 255.255.0.0 X.Y.Z.Z 255.255.0.0
:what about the decision which vpn tunnel to use in such a config? it does
:not make sense to me, since you define which ips should be taking which
:tunnel in this context or not...? if you define only one, where are the
:packets sent to? to which site?
nat (inside) 0 access-list nonat_acl does not directly influence the choice of VPN tunnel. All it does is say which flows will have NAT turned off.
Selection of VPN tunnel is by matching the *after*-NAT addresses against the crypto map match address list. The list with the lowest crypto policy number is looked at first; if there is no match there, the next lowest is looked at and so on... [though if there is any overlapping between them such that the policy order matters, you are very very likely going to have mysterious VPN problems!]
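Added example, not part of the original thread: a small Python model of the two steps described above, written to make the ordering behaviour visible. It assumes a simplified PIX: the nat 0 ACL is permit-only, every non-exempt flow is translated to one global PAT address, and crypto map entries are walked in ascending sequence number with the first match selecting the peer. Addresses are constructed from RFC 5737 documentation ranges (the poster used masked placeholders); `find_shadowed` is an added check for the overlap problem the post warns about, reporting entries whose match-address lines are wholly covered by a lower-sequence entry and so can never select their tunnel.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
AclLine = Tuple[Net, Net]  # (source network, destination network), permit-only


def acl_permits(acl: List[AclLine], src: str, dst: str) -> bool:
    """True if any line of the ACL permits the src -> dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def apply_nat(nonat_acl: List[AclLine], src: str, dst: str, global_addr: str) -> str:
    """Model of 'nat (inside) 0 access-list <acl>': flows the ACL permits keep
    their real source address; everything else is translated to global_addr."""
    return src if acl_permits(nonat_acl, src, dst) else global_addr


def select_tunnel(crypto_map, src: str, dst: str) -> Optional[Tuple[int, str]]:
    """Match the (after-NAT) flow against crypto map entries in ascending
    sequence order; the first entry whose ACL permits the flow selects the peer.
    crypto_map is a list of (seq, peer, match_address_acl)."""
    for seq, peer, acl in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acl, src, dst):
            return seq, peer
    return None  # no entry matched: the flow is not sent through any tunnel


def route_flow(nonat_acl, crypto_map, src: str, dst: str,
               global_addr: str = "203.0.113.1"):
    """NAT first, then tunnel selection on the post-NAT addresses."""
    post_nat_src = apply_nat(nonat_acl, src, dst, global_addr)
    return post_nat_src, select_tunnel(crypto_map, post_nat_src, dst)


def find_shadowed(crypto_map) -> List[Tuple[int, int]]:
    """Return (shadowed_seq, shadowing_seq) pairs: entries whose every ACL line
    is a subnet pair of some line in a lower-sequence entry, so the lower entry
    always wins and the higher one is dead configuration."""
    ordered = sorted(crypto_map, key=lambda e: e[0])
    shadowed = []
    for i, (seq, _, acl) in enumerate(ordered):
        for lower_seq, _, lower_acl in ordered[:i]:
            covered = all(
                any(sn.subnet_of(lsn) and dn.subnet_of(ldn) for lsn, ldn in lower_acl)
                for sn, dn in acl
            )
            if covered:
                shadowed.append((seq, lower_seq))
                break
    return shadowed


# Constructed sample configuration (hypothetical values, not the poster's).
N = ipaddress.ip_network
NONAT_ACL = [(N("10.1.0.0/16"), N("192.0.2.0/24"))]
CRYPTO_MAP = [
    # (seq, peer, match-address ACL)
    (10, "198.51.100.1", [(N("10.1.0.0/16"), N("192.0.2.0/24"))]),
    # seq 20 is more specific but overlaps seq 10, so it can never be selected
    (20, "198.51.100.2", [(N("10.1.5.0/24"), N("192.0.2.0/24"))]),
]

if __name__ == "__main__":
    # Exempt flow: keeps 10.1.5.7 as source and lands on seq 10, not seq 20.
    print(route_flow(NONAT_ACL, CRYPTO_MAP, "10.1.5.7", "192.0.2.10"))
    # Non-exempt flow: translated to 203.0.113.1, which matches no crypto entry.
    print(route_flow(NONAT_ACL, CRYPTO_MAP, "10.2.0.5", "192.0.2.10"))
    print(find_shadowed(CRYPTO_MAP))
```

Running the block shows the two effects in the post: a host that is not covered by the nat 0 ACL reaches the crypto map with its translated address and matches nothing, and where two entries overlap the lower sequence number wins regardless of how specific the other is, which is the "mysterious VPN problems" case worth checking for before deploying a multi-tunnel map.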