Impossible to pass traffic through the VPN tunnel

Similar Questions

• Problem passing traffic through the VPN tunnel

  With well over 150 VPN lan-to-lan tunnels configured, I can usually get tunnels upward. However, this one is stumping me, unless the ISP is to give false information. Using a router Cisco 871 on-site a Cisco 3005 concentrator in my data center, I have set up my tunnel. The tunnel will go up but won't traffic. I am sure that the configurations on both devices are correct because I use a lot of "cut-and - paste." So, the only question seems to be the modem/router provided by your ISP. Usually, when this happens, the problem is with NAT enabled on their equipment. According to them, that it is not enabled on their NAT router. Where can else I check? Any ideas?

  Check access lists and a static route

  Try these links: >

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1e4.html#wp999593

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_tech_note09186a00800949c5.shtml

• Send all traffic through the vpn tunnel

  Does anyone know how to send all traffic through the tunnel vpn on both sides?  I have a server EZVpn on one side and one EZVpn client on the other.  I'm not natting on each side.  I use the value default 'tunnelall' for the attributes of group policy.  On the client side all traffic, even if not intended for the subnet of the side server, seems to pass through the tunnel.  But if I ping the side server, the same rules don't seem to apply.  Traffic destined for rates aside customer through the tunnel, but the traffic that is not pumped on the external interface in the clear.  That's not cool.

  Hello

  Clinet traffic to server through tunnel, that's right, right?

  Traffic from server to client through tunnel, but the rest of the traffic is not, no?

  This works as expected because in ezvpn, politics of "tunnel all ' is for traffic is coming from the client., do not leave the server.

  Side server, customer traffic will pass through tunnel, the rest used.

  Sian

• No traffic through the VPN tunnel but at the same time

  Hey everybody,

  Good enough at the end of my VPN configuration but I have a question. The VPN connection is established and the remote computer can set up a VPN with my router (phases 1 and 2 are ok) but I can't ping all devices on both sides. I think it might be something about the acl. I created an acl that I linked with my group of vpn, what should I do something with the card?

  Here is the configuration of the router

  AAA new-model

  !

  !

  local AuthentVPN AAA authentication login

  local AuthorizVPN AAA authorization network

  !

  AAA - the id of the joint session

  clock timezone GMT 1 0

  clock summer-time recurring GMT

  !

  IP cef

  !

  DHCP excluded-address IP 192.168.0.1 192.168.0.99

  !

  Authenticated MultiLink bundle-name Panel

  !

  VPDN enable

  !

  VPDN-group MyGroup

  !

  !

  model virtual Network1

  !

  username admin privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  !

  redundancy

  !

  crypto ISAKMP policy 1

  BA aes 256

  preshared authentication

  Group 2

  life 3600

  !

  ISAKMP crypto client configuration group myVPN

  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx key

  DNS 192.168.0.254

  pool IPPoolVPN

  ACL 100

  !

  !

  Crypto ipsec transform-set esp - aes esp-sha-hmac T1

  tunnel mode

  !

  !

  !

  crypto dynamic-map 10 DynMap

  game of transformation-T1

  market arriere-route

  !

  !

  list of authentication of crypto client myMap AuthentVPN map

  card crypto myMap AuthorizVPN isakmp authorization list

  client configuration address map myMap crypto answer

  card crypto myMap 100-isakmp dynamic ipsec DynMap

  !

  the Embedded-Service-Engine0/0 interface

  no ip address

  Shutdown

  !

  interface GigabitEthernet0/0

  no ip address

  automatic duplex

  automatic speed

  PPPoE enable global group

  PPPoE-client dial-pool-number 1

  No mop enabled

  !

  interface GigabitEthernet0/1

  LAN description

  no ip address

  automatic duplex

  automatic speed

  No mop enabled

  !

  interface GigabitEthernet0/1.1

  LAN description

  encapsulation dot1Q 1 native

  IP 192.168.0.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  IP tcp adjust-mss 1452

  !

  interface Dialer1

  MTU 1492

  the negotiated IP address

  IP access-group RESTRICT_ENTRY_INTERNET in

  NAT outside IP

  IP virtual-reassembly in

  encapsulation ppp

  Dialer pool 1

  Dialer-Group 1

  PPP authentication pap callin

  PPP chap hostname xxxx

  PPP chap password 0 xxxx

  PPP pap sent-name of user password xxxxx xxxx 0

  crypto myMap map

  !

  IP pool local IPPoolVPN 192.168.10.0 192.168.10.100

  IP forward-Protocol ND

  !

  IP http server

  23 class IP http access

  local IP http authentication

  IP http secure server

  IP http timeout policy slowed down 60 life 86400 request 10000

  !

  The dns server IP

  IP dns primary GVA. SOA INTRA NS. GUAM INTRA [email protected] / * / 21600 900 7776000 86400

  IP nat inside source list 10 interface Dialer1 overload

  overload of IP nat inside source list 11 interface Dialer1

  overload of IP nat inside source list 20 interface Dialer1

  overload of IP nat inside source list 30 interface Dialer1

  overload of IP nat inside source list 110 interface Dialer1

  IP route 0.0.0.0 0.0.0.0 Dialer1

  Route IP 192.168.0.0 255.255.255.0 GigabitEthernet0/1.1

  IP route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.2

  !

  RESTRICT_ENTRY_INTERNET extended IP access list

  TCP refuse any any eq telnet

  TCP refuse any any eq 22

  TCP refuse any any eq www

  TCP refuse any any eq 443

  TCP refuse any any eq field

  allow udp any any eq 50

  allow an ip

  !

  Dialer-list 1 ip protocol allow

  !

  !

  SNMP - server RO G community

  public RO SNMP-server community

  entity-sensor threshold traps SNMP-server enable

  access-list 10 permit 192.168.0.0 0.0.0.255

  access-list 11 permit 192.168.1.0 0.0.0.255

  access-list 20 allow 192.168.2.0 0.0.0.255

  access-list 30 allow 192.168.3.0 0.0.0.255

  access-list 100 permit ip 0.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

  access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

  access ip-list 110 permit a whole

  I don't know if it useful, but here is the view the crypto ipsec command his:

  Interface: Dialer1

  Tag crypto map: myMap, local addr 213.3.1.13

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (0.0.0.0/0.0.0.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.10.12/255.255.255.255/0/0)

  current_peer 109.164.161.35 port 49170

  LICENCE, flags is {}

  #pkts program: 5, #pkts encrypt: 5, #pkts digest: 5

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  local crypto endpt. : 213.3.1.13, remote Start crypto. : 109.164.161.35

  Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1

  current outbound SPI: 0x54631F8B (1415782283)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  SPI: 0x8C432353 (2353210195)

  transform: aes - esp esp-sha-hmac.

  running parameters = {Tunnel UDP-program}

  Conn ID: 2033, flow_id: VPN:33 on board, sibling_flags 80000040, crypto card: myMap

  calendar of his: service life remaining (k/s) key: (4212355/1423)

  Size IV: 16 bytes

  support for replay detection: Y

  Status: ACTIVE (ACTIVE)

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  SPI: 0x54631F8B (1415782283)

  transform: aes - esp esp-sha-hmac.

  running parameters = {Tunnel UDP-program}

  Conn ID: 2034, flow_id: VPN:34 on board, sibling_flags 80000040, crypto card: myMap

  calendar of his: service life remaining (k/s) key: (4212354/1423)

  Size IV: 16 bytes

  support for replay detection: Y

  Status: ACTIVE (ACTIVE)

  outgoing ah sas:

  outgoing CFP sas:

  And on the side of the customer, when I go to the status of--> statistics, all packages have been circumvented, nobody is encrypted

  Thanks for your help!

  Sylvain,

  Let me explain again:

  IP nat inside source list 10 interface Dialer1 overload

  overload of IP nat inside source list 110 interface Dialer1

  Here you are from two ACL, but they are the same with the difference, that NAT 10 110 also but WITHOUT user VPN and everything inside. Problem is that 10 matches first, if the connection will not work. You can disable entry NAT with 10 110 because that will also:

  no nat ip inside the source list 10 interface Dialer1 overload

  That should be enough.

  Michael

  Please note all useful posts

• How to send all traffic through the VPN, RV082 material v3

  Hello

  I found this guide to send all traffic to RV042 branch to the RV082 of central office:

  https://supportforums.Cisco.com/servlet/JiveServlet/downloadBody/10261-102-1-22927/Small_Business_router_tunnel_Branch_to_Main.doc

  But this guide is for the material of v2. I tried and did not work, so I wonder if there are new modules for hardware v3 (firmware v4.2)

  I have a RV042 brach office connected through the VPN Tunnel work to a central office RV082. I want to route all traffic

  Office of brach in the RV082 from the central office.

  Thank you very much

  Oliver

  Hi Oliver, this is called esp wildcard forwarding (full tunnel).

  Here are a few useful topics

  https://supportforums.Cisco.com/message/3766661

  https://supportforums.Cisco.com/message/3816181

  -Tom
  Please mark replied messages useful

• Go simple traffic over the VPN tunnel

  Hi Pros,

  We have a problem with the traffic through the VPN. Specific subnets is not able to reach a specific HOST in the HQ, however, the host in the HQ can reach this subent on the remote database. Interresting to traffic to the vpn are mirrored on the other. Here is the partial config of the remote vpn router.

  crypto ISAKMP policy 10
  BA 3des
  preshared authentication
  Group 2
  ISAKMP crypto key mypubkey9 address 210.199x.2xx.xx
  !
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac vpn series
  !
  tunel_traffic 50 ipsec-isakmp crypto map
  the value of 210.199x.2xx.xx peer
  Set security-association second life 1440
  transform-set vpn - Set
  PFS group2 Set
  match address remote-int-traffic
  !
  !
  !
  !
  Null0 interface
  no ip unreachable
  !
  interface FastEthernet0/0
  IP 1.1.1.3 255.255.255.248
  IP virtual-reassembly
  route IP cache flow
  Speed 100
  full-duplex
  No mop enabled
  !
  interface FastEthernet0/1
  IP 10.25.24.2 255.255.255.0
  NAT outside IP
  inspect the SDM_LOW over IP
  IP virtual-reassembly
  Speed 100
  full-duplex
  No mop enabled
  tunel_traffic card crypto
  !
  IP route 0.0.0.0 0.0.0.0 10.25.24.2
  IP route 1.0.10.0 255.255.255.0 210.199x.2xx.xx (public IP address of the router vpn HQ)
  IP route 4.0.x.0 255.255.255.0 210.199x.2xx.xx
  IP route 4.0.15.11 255.255.255.255 210.199x.2xx.xx (cannot reach this hot HQ)
  IP route 10.254.0.0 255.255.255.0 210.199x.2xx.xx
  IP route 10.254.254.56 255.255.255.255 210.199x.2xx.xx
  !

  distance-int-traffic extended IP access list
  permit ip host 10.254.254.56 10.1x.200.0 0.0.3.255
  Licensing ip to 10.1x.200.0 0.0.3.255 host 10.254.254.56
  Licensing ip to 10.1x.20.0 0.0.3.255 host 10.254.254.5
  permit host ip 4.0.x.11 10.1x.200.0 0.0.3.255
  permit ip 10.1x.200.0 0.0.3.255 host 4.0.x.11
  !

  Thank you

  You really set one of the following routes, and it seems wrong that it should really be directed to the jump to next to the router. It should just route through the default route if you have configured listed routes. PLS, delete them if those are all you have configured and left the default route in the configuration.

  IP route 1.0.10.0 255.255.255.0 210.199x.2xx.xx (public IP address of the router vpn HQ)

  IP route 4.0.x.0 255.255.255.0 210.199x.2xx.xx

  IP route 4.0.15.11 255.255.255.255 210.199x.2xx.xx (cannot reach this hot HQ)

  IP route 10.254.0.0 255.255.255.0 210.199x.2xx.xx

  IP route 10.254.254.56 255.255.255.255 210.199x.2xx.xx

  Also, if it works in a way, it is more likely an access-list or a firewall that blocks traffic in one direction.

• Can not pass traffic from the VPN client to remote VPN site to site

  Hello

  I can't get the traffic flowing between my VPN clients and my remote site-to-site VPN, I did step by step in this link:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

  my firewall says that the package is abandoned by statefull inspection.

  But this should be the command "same-security-traffic..." "this problem must be resolved

  % ASA-6-302020: built ICMP incoming connections for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1

  % ASA-6-302020: built outgoing ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0

  % ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr (nworks) 10.48.100.2/0 10.48.100.2/0 10.45.231.163/1

  % ASA-6-302021: disassembly ICMP connection for faddr gaddr laddr 10.45.231.163/1 10.45.231.163/1 10.48.100.2/0

  Is it all what you might think that I'm missing?

  Best regards

  Erik

  Erik,

  Please check it out because no decaps means the ASA does not what it is the other side of the tunnel.

  If you send traffic and you will see the crypt increment... but nothing in return... 99% sure that the problem is at the other end.

  Federico.

• Connectivity on the VPN tunnel problem.

  Hello

  I have a site to tunnel between the PIX506 and Cisco VPN 3000 Concentrator. I'll be spending it again ASA5510, so the tunnel will be established between the ASA and PIX. After inistial tests, I found only one box of remote network (time clock lol) is down by connectivity while tunnel between Pix and ASA (works fine with the hub). All traffic is allowed through the VPN tunnel built on SAA is? I understand it should be as long as the tunnel is running, correct? (Note: the remote clock uses ports TCP 8888 and 8889 to communicate with the server)

  Thank you

  If there is no filter, again all traffic should be allowed.

  You need not choose L2TP connection is pure IPsec.

  If you wish, you can post your configurations to check them out (you can remove sensitive information)

  Federico.

• Authentication of ACS in the VPN tunnel

  We want to enable the ACS authentication to connect to different routers (Cisco 881 s) we have obtained who are communicating with our WAN via VPN tunnels. We want to avoid using public IP of the router to communicate and pass information to user/password with the ACS server and rely on the IP of the server private instead. The problem is that external interfaces of the router connect to the Internet using public IP addresses and when the router wishes to communicate with the ACS server it will use its IP of the interface to the public and which will fail. We can ping on the server of course when we set the source to the internal LAN IP.

  The question is are there any way to have the router contact ACS through the VPN tunnel using a private IP address?

  config is used and tested with success on local equipment:

  AAA new-model

  RADIUS-server host 10.x.x.x single-connection key xxxxxx

  AAA authentication login Ganymede-local group local Ganymede

  AAA authorization commands x Ganymede-local group Ganymede + if authenticated

  AAA authorization exec Ganymede-local group Ganymede + authenticated if

  See the establishment of privileges exec level x

  line vty 0 4

  Ganymede-local authentication login

  authorization controls Ganymede-local x

  -ACS ping to the router (WAN via VPN connection) when using public IP address of the router as the source address:

  RT881 #ping 10.x.x.x

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:

  .....

  Success rate is 0% (0/5)

  -ACS ping to the router (WAN via VPN connection) when using IP private of the LAN as source address:

  RT881 #ping source 10.x.x.1 10.x.x.x

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:

  Packet sent with a source address of 10.x.x.1

  !!!!!

  Success rate is 100 per cent (5/5), round-trip min/avg/max = 72/72/76 ms

  Looking forward to your responses and suggestions.

  Thanks, M.

  Hey Maher,

  You can use the command 'Ganymede-source interface ip' or 'RADIUS source-interface ip' for your scenario.

  I hope this helps!

  Kind regards

  Assia

• Traffic to the VPN router IOS NAT tunnel

  I need to configure a VPN tunnel that NATs traffic above him.  I have already established VPN tunnels and NAT traffic.  I did this on a concentrator VPN and ASA, but have seen some places where people say is not possible on a router or I saw real hard evidence that it is.  For example, I use a Cisco 2801 router with 12.4(8a) and advanced security.  This can be quite difficult as the subnet / vlan that we need NAT needs to pass normal traffic on other VPN tunnels and using a NAT on the Internet directly.  Y does it have, any restrictions on it as the IOS version, being a router itself, NAT configuration.  Any help is greatly appreciated.

  Hi James,

  NAT VPN traffic, you can like you do with ASAs on IOS routers.

  If you do, it is that you create an ACL to set traffic to be coordinated, apply the ACL to a NAT rule and a condition that NAT statement with a roadmap to occur only when the traffic will be sent through the tunnel.

  Federico.

• Authentication PEAP wireless across the VPN tunnel

  We use routers for Cisco 871 VPN connectivity series. I'm testing the 871W for VPN and wireless connectivity. I am able to get the VPN but have problems with authentication using PEAP and authentication through active directory wireless. The problem is that my router is unable, because of the VPN connection, "talk" directly to my authentication server using the LAN ip address. I can get the authentication works if I pass the traffic through the internet, drill a hole in my firewall to complete the authentication process. This isn't my preferred method. What can I do to work around may lists VPN access that prevent my direct connectivity to my server?

  Are you able to ping to the ip address of the radius through the tunnel server?

  Try adding this:

  radius of the IP source-interface BVI1

  * Please rate if helped.

  -Kanishka

• An ASA inspect traffic through a VPN?

  The ASA did inspect the traffic through a VPN using the default inspect the rules?

  Hi Justin,

  The SAA can inspect traffic encryption before or after decryption. The ASA cannot inspect encrypted traffic.

  This means that if the VPN tunnel ends on the ASA, ASA can inspect traffic sent through the prior encryption tunnel and could inspect the traffic post decryption when received.

  If the tunnel is not over on the SAA but pass instead through the ASA, ASA cannot inspect traffic encapsulated inside.

  It will be useful.

  Federico.

• Interpret what is allowed on the VPN tunnel

  Hello

  I work with Cisco PIX equipment for the first time and I'm trying to understand what is allowed on one of the VPN tunnels which are established on the PIX.

  I interpret this PIX did by reading the running configuration. I was able to understand most of it (with the help of the cisco site), so I'm starting to get comfortable with it. I'm looking for more help in the interpretation of what is allowed by a good VPN tunnel. Here are some details:

  map Cyril 2 ipsec-isakmp crypto

  Cyril 2 crypto card matches the acl-vpntalk address

  access list acl-vpntalk allowed ip object-group my_inside_network 172.17.144.0 255.255.255.0

  So, if I interpret it correctly, then the traffic matching ACL acl-vpntalk will go on the VPN tunnel.

  As far as the lists others access dedicated, my inner interface I have:

  Access-group acl-Interior interface inside

  With ACL-Interior:

  access list acl-Interior ip allow a whole

  So nothing complicated there.

  Now, just because of all this I conclude I encouraged all remote network traffic in my site. If all traffic 172.17.144.0/24 is allowed to join my network.

  However, I don't know if this conclusion is correct.

  This ACL is also applied:

  Access-group acl-outside in external interface

  And it looks like:

  deny access list acl-outside ip a

  I'm not sure if this ACL applies to vehicles coming from the IPSEC peer. It's for sure inbound on the external interface, but if it is valid for the IPSEC traffic I don't know.

  If it is valid, then am I had reason to conclude that only connections initiated from my inside network to the remote control can come back?

  Thanks in advance for your ideas.

  With sincere friendships.

  Kevin

  Hey Kevin,

  Here are my comments, hope you find them useful:

  1. the ACL called "acl-vpntalk" sets traffic who will visit the IPSec tunnel, so you got that right. All traffic from the group called "my_inside_network" will 172.17.144.0/24 will pass through the tunnel, and there should be a similar to the other VPN end opposite ACL.

  2. the 'acl-inside' applied to the inside interface allows any ip traffic coming out of the isnide to any destination.

  3. the 'acl-outside' rejects all traffic from entering your home network, but the IPSec traffic is free and will cross because you will find a "sysopt connection permit-ipsec' configured on your PIX command that tells the operating system to allow all traffic destined for VPN tunnels without explicitly enabling it through the inbound ACL. If you have stopped the "sysopt" should stop your traffic and you will have more control on your tunnel traffic.

  Personally, I usually disable the "sysopt" and control the VPN traffic in my incoming ACL.

  Just a quick note, if you look more deeply into the ACL on the PIX functionality, you will find that no traffic moves inside, if she is not allowed on the external interface. For example, you can allow traffic between "inside" and "dmz" interfaces by adding an entry 'allow' on one of the ACLS applied to one of these interfaces. But when you want to allow traffic from the external interface (security level 0), you will need to allow in the inbound ACL applied on the external interface.

  I could have written something vague, but I hope you get my point.

  Thank you.

  Salem.

• Split of static traffic between the VPN and NAT

  Hi all

  We have a VPN from Site to Site that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8.  It's for everything - including Internet traffic.  However, there is one exception (of course)...

  The part that I can't make it work is if traffic comes from the VPN (10.0.0.0/8) of 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN.  BUT, if traffic 80 or 443 comes from anywhere else (Internet via X.X.X.X which translates to 10.160.8.5), so there need to be translated réécrirait Internet via Gig2.

  I have the following Setup (tried to have just the neccessarry lines)...

  interface GigabitEthernet2

  address IP Y.Y.Y.Y 255.255.255.0! the X.X.X.X and Y.Y.Y.Y are in the same subnet

  address IP X.X.X.X 255.255.255.0 secondary

  NAT outside IP

  card crypto ipsec-map-S2S

  interface GigabitEthernet4.2020

  Description 2020

  encapsulation dot1Q 2020

  IP 10.160.8.1 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  IP nat inside source list interface NAT-output GigabitEthernet2 overload

  IP nat inside source static tcp 10.160.8.5 80 80 X.X.X.X map route No. - NAT extensible

  IP nat inside source static tcp 10.160.8.5 443 443 X.X.X.X map route No. - NAT extensible

  NAT-outgoing extended IP access list

  refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

  refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

  permit tcp host 10.160.8.5 all eq www

  permit tcp host 10.160.8.5 any eq 443

  No. - NAT extended IP access list

  refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq www

  refuse 10.160.8.5 tcp host 10.0.0.0 0.0.0.255 eq 443

  allow an ip

  route No. - NAT allowed 10 map

  corresponds to the IP no. - NAT

  With the above configuration, we can get to the Internet 10.160.8.5, but cannot cross it over the VPN tunnel (from 10.200.0.0/16).  If I remove the two commands «ip nat inside source static...» ', then the opposite that happens - I can get then to 10.160.8.5 it VPN tunnel but I now can't get to it from the Internet.

  How can I get both?  It seems that when I hit the first NAT instruction (overload Gig2) that 'decline' in the list of ACL-NAT-outgoing punts me out of this statement of NAT.  It can process the following statement of NAT (one of the 'ip nat inside source static... ") but does not seem to"deny"it in the NON - NAT ACL me punt out of this statement of NAT.  That's my theory anyway (maybe something is happening?)

  If this work like that or I understand something correctly?  It's on a router Cisco's Cloud Services (CSR 1000v).

  Thank you!

  Your netmask is bad for your 10.0.0.0/8. I worry not about the port/protocol or since that can screw you up. A better way to do it would be to deny all IP vpn traffic.

  NAT-outgoing extended IP access list

  deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

  ...

  No. - NAT extended IP access list

  deny ip 10.160.8.0 0.0.0.0.255 10.0.0.0 0.255.255.255

  allow an ip

  Doc:

  Router to router IPSec with NAT and Cisco Secure VPN Client overload

  Thank you

  Brendan

• After the VPN Tunnel access problem is in place.

  Could someone please take a look at this config and tell me why, once I have the VPN tunnel to the top, I can't access all hosts on the 192.168.41.0 network? (The x are inserted for privacy). Thank you.

  Try...

  ISAKMP nat-traversal