static nat and ipsec - outside crypto map check failed

Discussion in 'Cisco' started by xhon, Sep 20, 2006.

  1. xhon

    xhon Guest

    Hello,

    i searched through the archives, but didn't find any similar example

    I have a host 192.168.1.10 which I want to statically nat to adress A
    when accessing Internet.
    I also have an ipsec tunnel to another company. They need to access
    this host with address B, which is different then 192.168.1.10.

    So I did something like this:
    ip nat inside source static 192.168.1.10 B route-map rmap_B
    ip nat inside source static 172.16.30.7 A route-map rmap_A

    route maps match packets from 192.168.1.10 to remote networks, and to
    Internet
    anyway, when I do debug ip nat, then everything looks fine. seems like
    NAT works as it is supposed to
    host can reach Internet, and is reachable with it's internet address

    the problem is with IPSec

    Crypto map:
    crypto map cmap_1 1 ipsec-isakmp
    description Tunnel to X
    set peer X
    set transform-set ESP-3DES-SHA3
    set pfs group2
    match address acl_crypto_1

    And acl_crypto_1 is:
    permit ip host B remote_network_address


    Result :
    IPSec tunnel works.
    show cry isa sa, and show cry ipsec sa both show working connections

    but....

    packet from 192.168.1.10, translated to B do not enter the tunnel !
    when I do show cry ipsec sa I see 'send errors' counter increasing
    when I do debug ip packet i see 'outside crypto map check failed'

    Have anyone tried such configuration and might help me with this ?

    regards
    --
    Kuba
    xhon, Sep 20, 2006
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    0
    Views:
    2,524
  2. Scott Townsend
    Replies:
    4
    Views:
    2,631
    Walter Roberson
    Jun 7, 2006
  3. Jack
    Replies:
    0
    Views:
    671
  4. Replies:
    0
    Views:
    506
  5. Delija
    Replies:
    0
    Views:
    509
    Delija
    Jun 21, 2010
Loading...

Share This Page