Question : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

This is a conceptual/architectural question at the moment.  I'm not sure 'how' I'm supposed to make this work before I get to the detail of 'what' I need to do.

I have a central Cisco 3030 VPN Concentrator with the internal interface attached to 10.7.30.0/24; this LAN is attached to one of 5 interfaces on a Cisco PIX 515E:

nameif ethernet0 outside security0
nameif ethernet1 inside security100 10.7.4.0/24 - 10.7.4.1
nameif ethernet2 dmz security50 10.7.20.0/24 - 10.7.20.1
nameif ethernet3 vpn security85 10.7.30.0/24 - 10.7.30.1
nameif vlan201 ilo security90 10.7.1.0/24 - 10.7.1.1

The local client is 10.13.10.2 on the 10.13.0.0/16 network connected to a Cisco 837 ADSL router.
The 837 has NAT established
Uses Route Map SDM_RMAP_1 that in turn uses access-list 101
access-list 101
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any

There is NO firewall configured on the 837

The VPN tunnel uses IPSec rule 100
access-list 100
permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255

I have established a VPN tunnel between 10.13.0.0/16 and 10.7.30.0/24
I can ping 10.7.30.1 from the local client

From the VPN concentrator, I can ping a host on the 10.7.20.0/24 network (10.7.20.27), but I cannot ping 10.7.20.27 from the local client (10.13.10.2)

So my question in general terms is how do I get the 837 to route traffic to 10.7.20.0/24 through the VPN.

I thought (& have tried) that
a) I'd need to modify the NAT access-list (101) to deny traffic to 10.7.20.0/24 to stop it being NAT'd
b) I'd need to modify the IPSec rule to permit 10.7.20.0 traffic

I think I've missed a step because
i. a tracert on 10.7.20.27 shows it being routed out along the ADSL (external) circuit
ii. ping still fails

Answer : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

Yes, you need to deny traffic destined to 10.7.20.0 in your NAT route map so it is not NAT'd:

Add this to access-list 101 being referenced in your route map SDM_RMAP_1 on the 837.

deny ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any
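To see why both the NAT-exemption entry (the answer's change to access-list 101) and the crypto ACL entry (step b in the question) are needed, here is an added example that is not part of either post: a small evaluator for IOS wildcard-mask ACLs. It models the 837's outbound order of operations, where inside-to-outside NAT is applied before the crypto map is consulted, so a flow that access-list 101 still permits gets translated and the crypto ACL never sees its 10.13.x.x source. The ACL text is taken from the page; the extra crypto entry for 10.7.20.0/24, the "translated/exempt" and "tunnelled/cleartext" labels, and the test address 192.0.2.10 are my own assumptions for illustration.

```python
"""Wildcard-mask ACL evaluator for the 837's NAT-exemption (101) and crypto (100) ACLs.
Added example; the route-map/crypto ordering is modelled, not taken from the router."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: int      # source network as a 32-bit int
    src_wc: int   # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wc: int


def _ip(s: str) -> int:
    # ipaddress rejects malformed dotted quads such as "0.0.0255", which catches
    # transcription errors before a line is ever pasted into a router.
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, network: int, wildcard: int) -> bool:
    """True if every bit NOT set in the wildcard mask equals the network's bit."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (network & care)


def _expand(tokens: list[str]) -> list[str]:
    """Rewrite the IOS shorthands 'any' and 'host X' into address/wildcard pairs."""
    out: list[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "any":
            out += ["0.0.0.0", "255.255.255.255"]
        elif tokens[i] == "host":
            out += [tokens[i + 1], "0.0.0.0"]
            i += 1
        else:
            out.append(tokens[i])
        i += 1
    return out


def parse_acl(text: str) -> list[AclEntry]:
    """Parse '<permit|deny> ip <src> <wc> <dst> <wc>' lines, preserving order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = _expand(line.split())
        if len(t) != 6 or t[0] not in ("permit", "deny") or t[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append(AclEntry(t[0], _ip(t[2]), _ip(t[3]), _ip(t[4]), _ip(t[5])))
    return entries


def evaluate(acl: list[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


def classify(nat_acl: str, crypto_acl: str, src: str, dst: str) -> tuple[str, str]:
    """Model the outbound path: NAT (route map, ACL 101) runs before the crypto map (ACL 100).
    A 'permit' in the NAT ACL means the flow is translated; the crypto ACL then sees
    the public source address and cannot match its 10.13.0.0/16 entries."""
    nat = "translated" if evaluate(parse_acl(nat_acl), src, dst) == "permit" else "exempt"
    if nat == "translated":
        return nat, "cleartext"
    return nat, "tunnelled" if evaluate(parse_acl(crypto_acl), src, dst) == "permit" else "cleartext"


# ACL 101 as described in the question (before) and as given in the answer (after).
NAT_ACL_BEFORE = """
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any
"""
NAT_ACL_AFTER = """
deny ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any
"""
# ACL 100 from the question; the second entry is the question's proposed step b (assumed).
CRYPTO_ACL_BEFORE = "permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255"
CRYPTO_ACL_AFTER = CRYPTO_ACL_BEFORE + "\npermit ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255"

if __name__ == "__main__":
    for label, nat, crypto in (("before", NAT_ACL_BEFORE, CRYPTO_ACL_BEFORE),
                               ("NAT exempt only", NAT_ACL_AFTER, CRYPTO_ACL_BEFORE),
                               ("both changes", NAT_ACL_AFTER, CRYPTO_ACL_AFTER)):
        for dst in ("10.7.30.1", "10.7.20.27", "192.0.2.10"):   # 192.0.2.10: constructed Internet host
            print(f"{label:16} 10.13.10.2 -> {dst:11} {classify(nat, crypto, '10.13.10.2', dst)}")
```

Running it shows the 10.7.20.27 flow as (translated, cleartext) with the original ACLs, (exempt, cleartext) with only the NAT exemption added, and (exempt, tunnelled) once both lists carry a 10.7.20.0/24 entry; ordinary Internet traffic stays (translated, cleartext) throughout. The evaluator also refuses a mask written as 0.0.0255, a useful check before pasting lines into the router.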