Question : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

This is a conceptual/architectural question at the moment. I'm not sure 'how' I'm supposed to make this work before I get to the detail of 'what' I need to do.

I have a central Cisco 3030 VPN Concentrator with the internal interface attached to 10.7.30.0/24 this (LAN) is attached to one of 5 interfaces on a Cisco PIX 515E

nameif ethernet0 outside security0
nameif ethernet1 inside security100 10.7.4.0/24 - 10.7.4.1
nameif ethernet2 dmz security50 10.7.20.0/24 - 10.7.20.1
nameif ethernet3 vpn security85 10.7.30.0/24 - 10.7.30.1
nameif vlan201 ilo security90 10.7.1.0/24 - 10.7.1.1

The local client is 10.13.10.2 on the 10.13..0.0/16 network connected to a Cisco 837 ADSL router
The 837 has NAT established
Uses Route Map SDM_RMAP_1 that in turn uses access-list 101
access-list 101
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0255
permit ip 10.13.0.0 0.0.255.255 any

There is NO firewall configured on the 837

The VPN tunnel uses IPSec rule 100
access-list 100
permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255

I have established a VPN tunnel between 10.13.0.0/16 and 10.7.30.0/24
I can ping 10.7.30.1 from the local client

From the VPN concentrator, I can ping a host on the 10.7.20.0/24 network (10.7.20.27), but I cannot ping 10.7.20.27 from the local client (10.13.10.2)

So my question in general terms is how do I get the 837 to route traffic to 10.7.20.0/24 through the VPN.

I thought (& have tried) that
a) I'd need to modify the NAT access-list (101) to deny traffic to 10.7.20.0/24 to stop it being NAT'd
b) I'd need to modify the IPSec rule to permit 10.7.20.0 traffic

I think I've missed a step because
i. a tracert on 10.7.20.27 shows it being routed out along the ADSL (external) circuit
ii. ping still fails

Answer : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

Yes, you need to deny traffic destined to 10.7.20.0 in your NAT route map so it is not NAT'd:

Add this to access-list 101 being referenced in your route map SDM_RMAP_1 on the 837.

deny ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any

Random Solutions

Problem: Replacing sound to a motherboard

Problem: Laptop Connects to network, but cannot access the internet?

Problem: 3TB Raid 5 Array Volume disappeared after power outtage, need recovery advice

Problem: My cpu in laptop failed. AMD 462 Athlon Xp. need help.

Problem: Reinstalling OS on Sata drive

Problem: Dual Xeon vs Core 2 Dual Core

Problem: How do I migrate files from a windows 3.1 PC to an XP machine maintaining File Date Integrity

Problem: Memory Speed - Performance difference

Problem: Intel Pentium IV Standard Heatsink with Gaming Bomb.

Problem: Windows Explorer.exe error message when opening printer properties