06-01-2011 08:22 AM - edited 03-04-2019 12:35 PM
I have a 2921 router configured with dual wan and vpn. I have static routes configured to send traffic designated for the remote vpn sites over the 2nd wan interface, but I am unable to connect to the external address of the remote sites from a computer within the 2921's local network. I have a feeling it is related to my NAT configuration. I only have dynamic outbound NAT on the first wan interface, but applying it to the second, as well, disrupts all wan traffic.
If someone could give me a hand in getting this configured properly that would be great. If you need configurations, I will be glad to post them, just ask.
Thanks.
Solved! Go to Solution.
06-02-2011 09:18 AM
Hi,
Well, I think I might understand what you are trying to do. Please try this for testing.
#Assuming that when the tunnel is down, gig0/2 is working fine and the list of public ip addresses below are reachable.
#Assuming that the following IP addresses are what you want to connect when the tunnel is down.
50.xxx.xxx.226 255.255.255.255
71.xxx.xxx.6 255.255.255.255
76.xxx.xxx.243 255.255.255.255
76.xxx.xxx.210 255.255.255.255
#####Configuration#####
ip access-list extended FOR-MGNT-OUT-G0/2
permit ip 10.0.0.0 0.0.0.255 host 50.xxx.xxx.226
permit ip 10.0.0.0 0.0.0.255 host 71.xxx.xxx.6
permit ip 10.0.0.0 0.0.0.255 host 76.xxx.xxx.243
permit ip 10.0.0.0 0.0.0.255 host 76.xxx.xxx.210
!
route-map SDM_RMAP_3 permit 1
match ip address 110
match interface GigabitEthernet0/1
!
route-map OUT_GIG_0_2 permit 1
match ip address FOR-MGNT-OUT-G0/2
match interface GigabitEthernet0/2
!
ip nat inside source route-map OUT_GIG_0_2 interface GigabitEthernet0/2 overload
!
interface g0/2
ip nat outside
!
HTH,
Toshi
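As an added example (not Toshi's config from the thread): the same policy-NAT design, but with the management ACL narrowed to SSH, HTTPS and ICMP echo instead of permit ip, and the show commands used to confirm that only the intended traffic is translated out G0/2. It assumes the thread's 10.0.0.0/24 LAN, G0/2 as the second WAN and the four masked branch addresses; the remaining G0/1 NAT statement from the original config is untouched.

```ios
! Added example, not from the thread. Least-privilege version of the
! FOR-MGNT-OUT-G0/2 policy: only management protocols from the LAN
! (10.0.0.0/24, from the thread) to the four branch public addresses
! are translated out GigabitEthernet0/2. Branch addresses are the
! thread's masked values; replace them with the real ones.
ip access-list extended FOR-MGNT-OUT-G0/2
 remark SSH, HTTPS and ping to branch routers/modems when the tunnel is down
 permit tcp 10.0.0.0 0.0.0.255 host 50.xxx.xxx.226 eq 22
 permit tcp 10.0.0.0 0.0.0.255 host 50.xxx.xxx.226 eq 443
 permit icmp 10.0.0.0 0.0.0.255 host 50.xxx.xxx.226 echo
 permit tcp 10.0.0.0 0.0.0.255 host 71.xxx.xxx.6 eq 22
 permit tcp 10.0.0.0 0.0.0.255 host 71.xxx.xxx.6 eq 443
 permit icmp 10.0.0.0 0.0.0.255 host 71.xxx.xxx.6 echo
 permit tcp 10.0.0.0 0.0.0.255 host 76.xxx.xxx.243 eq 22
 permit tcp 10.0.0.0 0.0.0.255 host 76.xxx.xxx.243 eq 443
 permit icmp 10.0.0.0 0.0.0.255 host 76.xxx.xxx.243 echo
 permit tcp 10.0.0.0 0.0.0.255 host 76.xxx.xxx.210 eq 22
 permit tcp 10.0.0.0 0.0.0.255 host 76.xxx.xxx.210 eq 443
 permit icmp 10.0.0.0 0.0.0.255 host 76.xxx.xxx.210 echo
 ! everything else falls through to the implicit deny and is not
 ! translated by this rule
!
! The interface match ties the rule to packets already routed out G0/2
! by the existing host routes, so ordinary internet traffic via G0/1
! is never caught by it.
route-map OUT_GIG_0_2 permit 1
 match ip address FOR-MGNT-OUT-G0/2
 match interface GigabitEthernet0/2
!
ip nat inside source route-map OUT_GIG_0_2 interface GigabitEthernet0/2 overload
!
interface GigabitEthernet0/2
 ip nat outside
!
! Verification (enable mode) after an ssh or ping to a branch address:
!   show access-lists FOR-MGNT-OUT-G0/2    - hit counters on the permit lines
!   show route-map OUT_GIG_0_2             - policy match counters
!   show ip nat translations               - entries whose Inside global
!                                            address is the G0/2 address
!   show ip route 50.xxx.xxx.226           - confirms the host route via G0/2
```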
06-01-2011 09:27 AM
Hi,
Please post the configuration, excluding sensitive information.
Toshi
06-01-2011 09:38 AM
06-01-2011 09:50 AM
Hi,
Please explain a bit more about your question. "but I am unable to connect to the external address of the remote sites from a computer within the 2921's local network." What does it mean?
Do you want to apply "crypto map 4400" on Gig0/1?
Toshi
06-01-2011 10:48 AM
The 2921 is at our main location. It has dynamic nat configured to use gi0/1 for internet access. I then have the static routes to access the four other offices through the second wan interface. If I try to ping or ssh the external ip of another location from a computer within the main location's network, it fails. The router can't nat my computer on the second wan connection because nat is configured for that interface, therefore it can not exchange information between my computer and the external ip of the remote location.
Hope that's a little clearer.
06-01-2011 11:03 AM
Hi,
Seems you do not need to use NAT on Gig0/2 interface. Seems you are using DMVPN for branch sites. You just want to send traffic through the tunnel on Gig0/2. What do you want NAT to do for this interface? Please clarify.
Just try this for testing.
mkp(conf)#Interface GigabitEthernet0/2
mkp(conf-if)#no ip nat outside
We have to make sure that the tunnel is up when testing connections to branch sites.
HTH,
Toshi
06-01-2011 12:44 PM
My issue is that if the vpn tunnel goes 'down', I am unable to access the branch routers for diagnostics. One site also has a modem in front of the vpn router with a web interface that I am unable to access as well.
06-02-2011 07:34 AM
Hi,
Sorry for my late reply. You mean you cannot connect to the router or modem when the tunnel is down. When the tunnel is down, you want to use gig0/1 (internet) to remote to the router/modem. Right? When the tunnel is down, is gig0/2 down as well? What is the public ip address of the modem you want to connect to? Please clarify the routes below.
ip route 50.xxx.xxx.226 255.255.255.255 GigabitEthernet0/2
ip route 71.xxx.xxx.6 255.255.255.255 GigabitEthernet0/2
ip route 76.xxx.xxx.243 255.255.255.255 GigabitEthernet0/2
ip route 76.xxx.xxx.210 255.255.255.255 GigabitEthernet0/2
HTH,
Toshi
06-02-2011 08:54 AM
You are correct, I can not connect to the router or modem when tunnel is down. When the tunnel is down, the traffic can go through either interface, as long as it works. Gig0/2 usually does not go down, it is often the remote sites that have issues. The included "ip route" commands are the four remote branch offices with cisco dmvpn routers. I would need to connect to any of them if the tunnels were down.
Thanks.
06-29-2011 09:49 AM
Sorry for taking so long, I had some other things to take care of first.
I applied the above configuration and it appears to be working as expected. I can remotely manage the branches using their external IPs. The tunnel has not gone down yet, so I haven't been able to truly test it, but thank you very much.
06-29-2011 11:38 AM
Hi
Thanks for letting us know.
Toshi
Sent from Cisco Technical Support iPhone App