Question : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

This is a conceptual/architectural question at the moment. I'm not sure 'how' I'm supposed to make this work before I get to the detail of 'what' I need to do.

I have a central Cisco 3030 VPN Concentrator with the internal interface attached to 10.7.30.0/24 this (LAN) is attached to one of 5 interfaces on a Cisco PIX 515E

nameif ethernet0 outside security0
nameif ethernet1 inside security100 10.7.4.0/24 - 10.7.4.1
nameif ethernet2 dmz security50 10.7.20.0/24 - 10.7.20.1
nameif ethernet3 vpn security85 10.7.30.0/24 - 10.7.30.1
nameif vlan201 ilo security90 10.7.1.0/24 - 10.7.1.1

The local client is 10.13.10.2 on the 10.13..0.0/16 network connected to a Cisco 837 ADSL router
The 837 has NAT established
Uses Route Map SDM_RMAP_1 that in turn uses access-list 101
access-list 101
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0255
permit ip 10.13.0.0 0.0.255.255 any

There is NO firewall configured on the 837

The VPN tunnel uses IPSec rule 100
access-list 100
permit ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255

I have established a VPN tunnel between 10.13.0.0/16 and 10.7.30.0/24
I can ping 10.7.30.1 from the local client

From the VPN concentrator, I can ping a host on the 10.7.20.0/24 network (10.7.20.27), but I cannot ping 10.7.20.27 from the local client (10.13.10.2)

So my question in general terms is how do I get the 837 to route traffic to 10.7.20.0/24 through the VPN.

I thought (& have tried) that
a) I'd need to modify the NAT access-list (101) to deny traffic to 10.7.20.0/24 to stop it being NAT'd
b) I'd need to modify the IPSec rule to permit 10.7.20.0 traffic

I think I've missed a step because
i. a tracert on 10.7.20.27 shows it being routed out along the ADSL (external) circuit
ii. ping still fails

Answer : Problem: Cisco 837 ADSL Router: Adding Routes to a LAN-to-LAN VPN tunnel

Yes, you need to deny traffic destined to 10.7.20.0 in your NAT route map so it is not NAT'd:

Add this to access-list 101 being referenced in your route map SDM_RMAP_1 on the 837.

deny ip 10.13.0.0 0.0.255.255 10.7.20.0 0.0.0.255
deny ip 10.13.0.0 0.0.255.255 10.7.30.0 0.0.0.255
permit ip 10.13.0.0 0.0.255.255 any

Random Solutions

Problem: AP log information

Problem: 5.1 surround sound in windows vista

Problem: Oracle connector for blackberry 8830

Problem: Extend array within windows 2000

Problem: unistall programs in windows mobile

Problem: HP 2133: Media playback is "choppy".

Problem: Color Depth

Problem: My iPod will not turn on.

Problem: My D-Link DSl -2640 T Router has 4 ports.How many systems cvan i connect.Can i use a Switch to extend it.

Problem: Windows 2008 terminal server don´t print from workstation