Branch Office Shared Internet NAT Configuration

JamesLilley1746
Level 1
  • Good afternoon everyone, my organization has added a Branch Office.
  • I wish to have all of the internet traffic for the Branch Office flow through the HQ NAT Router.
  • I have set up a working DMVPN with dynamic routing using EIGRP (see the attached image).
  • Routing is working on all Routers; the show ip route command lists all subnets, and I can ping and traceroute any local address in either LAN.
  • NAT is working for the Headquarters LAN 172.16.5.0, however NAT is not working for the Branch Office LAN 172.16.4.0.
  • I try to generate ping traffic from the Branch Office LAN to the internet and nothing displays when debug ip nat is enabled on the HQ NAT Router, nor does show ip nat translations show any traffic to the Branch Office LAN.
  • I set up this same topology in Cisco Modeling Labs and NAT works fine for the Branch Office LAN, although I admit CML cannot replicate the underlay of a DMVPN in a production environment.
  • Please review the NAT configuration in the attached image and advise.
Accepted Solutions

IOU5#show run

hostname IOU5
!
interface Ethernet0/0
ip address 200.0.0.5 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet1/1
ip address 10.0.0.5 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router eigrp 5
network 10.0.0.0 0.0.0.255
redistribute static metric 100 100 255 1 1500

!
ip nat inside source list 1 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 200.0.0.6
!
access-list 1 permit 3.3.3.3
access-list 1 permit 2.2.2.2
IOU1#show run
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 120.0.0.3
crypto isakmp key mhm address 0.0.0.0
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
crypto ipsec profile mhmspoke
set transform-set mhm
!
crypto map mhmtunnel 10 ipsec-isakmp
set peer 120.0.0.3
set transform-set mhm
match address 100
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 5
no ip split-horizon eigrp 5
ip nhrp map multicast dynamic
ip nhrp network-id 5
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 5
tunnel protection ipsec profile mhmspoke
!
interface Tunnel1
ip address 15.0.0.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 120.0.0.3
!
interface Ethernet0/0
ip address 100.0.0.1 255.255.255.0
crypto map mhmtunnel
!
interface Ethernet1/1
ip address 10.0.0.1 255.255.255.0
!
router eigrp 5
network 5.0.0.0 0.0.0.255
network 10.0.0.0 0.0.0.255
!
router eigrp 15
network 15.0.0.0 0.0.0.255
!
ip forward-protocol nd
!
ip route 110.0.0.2 255.255.255.255 100.0.0.4
ip route 120.0.0.3 255.255.255.255 100.0.0.4
!
access-list 100 permit gre host 15.0.0.1 host 15.0.0.3
access-list 100 permit gre host 100.0.0.1 host 120.0.0.3
IOU2#show running-config

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 100.0.0.1
crypto isakmp key mhm address 0.0.0.0
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
!
crypto ipsec profile mhmspoke
set transform-set mhm
!
!
crypto map mhmtunnel 10 ipsec-isakmp
! Incomplete
set peer 100.0.0.1
set transform-set mhm
match address 100

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
no ip redirects
ip nhrp map 5.0.0.1 100.0.0.1
ip nhrp map multicast 100.0.0.1
ip nhrp network-id 5
ip nhrp nhs 5.0.0.1
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 5
tunnel protection ipsec profile mhmspoke
!
interface Ethernet0/1
ip address 110.0.0.2 255.255.255.0
crypto map mhmtunnel
!
router eigrp 5
network 2.2.2.2 0.0.0.0
network 5.0.0.0 0.0.0.255

!
ip route 100.0.0.1 255.255.255.255 110.0.0.4


  • Good Morning, I have reviewed your Lab config and applied the relevant changes to my network (see attached image).
  • I am happy to report that NAT is now working in the Branch Office LAN while all internet traffic flows through the Headquarters NAT Router as intended.
  • Thank you for your time and efforts.


27 Replies

Hi @JamesLilley1746

"I try to generate ping traffic from the Branch Office LAN to the internet and nothing displays when debug ip nat is enabled on the HQ NAT Router, nor does show ip nat translations show any traffic to the Branch Office LAN"

Did you try to remote the default route on Branch side? I believe the traffic is leaving through ISP2


  • Thank you for the quick response.
  • If I ping 8.8.8.8 from a PC in the Branch Office the ping fails.
  • However if I ping 8.8.8.8 from the Branch Office Router the ping succeeds and a traceroute shows that it does leave through ISP2.
  • I do not know what you mean by remote the default route. Did you mean remove the default route?

Hi @JamesLilley1746  Yes I meant remove! haha...it was a typo, sorry.

If you run a tracert from the PC, it is probably going to ISP2, right? I believe the default route is taking preference over the EIGRP.

The reason the ping fails from the PC but not the router is probably because you have no NAT on the Branch Router towards ISP2. When you ping from the router itself, ISP2 knows how to reply, but when you ping from the PC, ISP2 does not know the network 172.16.4.0 and that's why the response from 8.8.8.8 does not come.


  • OK thanks for the clarification.
  • So if I remove the default route on the Branch Office router:
    no ip route 0.0.0.0 0.0.0.0 32.221.21.150
    will the router still function? I thought there had to be a default route for routing to function.
  • How about changing it to:
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/1


  • So if I remove the default route on the Branch Office router:
    no ip route 0.0.0.0 0.0.0.0 32.221.21.150
    will the router still function? I thought there had to be a default route for routing to function.

If you want to send the internet traffic towards ISP1, which I believe is on HQ, you cannot have a default route pointing to ISP2. Yes, the router will function. If you need to send any traffic to ISP2, you can add a specific route to ISP2 or you can establish a routing protocol between the Branch router and ISP2.


  • How about changing it to:
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0/1

Don't configure the default route like that. Use an IP address instead.


  • That did not work.
  • As soon as I removed the default route I lost connection with the Branch Office Router.
  • I will have to wait until tomorrow to re-establish connection.

Then your access was through ISP2?

But do you have access to HQ? If you access the router on HQ and try to access the router on Branch it should work; they have a direct connection, don't they?


  • I was connected to the Branch Office Router through the DMVPN Tunnel connected to the WAN Router.
  • I currently have access to the HQ WAN Router and HQ NAT Router.
  • As soon as I removed the default route on the Branch Router the connection went down and I have not been able to reconnect.
  • I cannot ping or ssh into the Branch Router. I will have to go onsite tomorrow and connect directly.

Sorry to hear that. If I knew you could lose access I would have suggested you add the command "reload in x(time)" and not save the config. This way when you lose access you just need to wait X time.

Another option is config archive and setup rollback.

What you can do tomorrow is return the default route and create a static route to 8.8.8.8 sending to HQ just for test purposes. As soon as you figure out how it works, you remove the default route and add it pointing to HQ.

But the conclusion to me is, with default routing sending to ISP2, the internet traffic will not go to HQ.

This needs some work, I will share with you the way to config it, but before that, why do you use a default route in the branch?

  • Thank you for the response.
  • To answer your question about the default route, I thought a router had to have a default route in order to function.
  • So if I remove the default route on the Branch Router:
    no ip route 0.0.0.0 0.0.0.0 32.221.21.150
    and do not replace it with anything else, the router will still function?

Two steps here:

First, default information in Hub toward Spoke.

In Spoke you need a static route for Hub IP (tunnel) toward ISP2.

That's it.

One more note, you need to add the Spoke LAN subnet in the ACL of the NAT overload of the hub.

Thanks

MHM
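The two steps above and the earlier "reload in" safety tip, worked through for the asker's topology as an added example (this is not the lab config from the accepted solution, nor the thread's own devices). EIGRP AS 10, the hub's public tunnel-source address 203.0.113.1, the ISP1 next hop 198.51.100.1 and the branch LAN interface GigabitEthernet0/0/0 are placeholders; 32.221.21.150, GigabitEthernet0/0/1 and the 172.16.x.0 LANs come from the thread. The point to remember is that a static default (administrative distance 1) always beats the EIGRP external default (distance 170) the hub advertises, so step one only takes effect once the spoke's own default route is gone.

```cisco
! Added example (not from the thread). Placeholders: EIGRP AS 10, hub public
! tunnel-source address 203.0.113.1, ISP1 next hop 198.51.100.1, branch LAN
! interface GigabitEthernet0/0/0. From the thread: ISP2 next hop 32.221.21.150,
! ISP2-facing interface GigabitEthernet0/0/1, LANs 172.16.4.0/24 and 172.16.5.0/24.
!
! ===== Branch (spoke) router: change under a safety timer =====
! If the tunnel drops, the router reloads its saved config after 15 minutes
! and management access returns by itself ("reload in" asks to confirm).
Branch# reload in 15
Branch# configure terminal
! Step 2 first: keep the hub's public address reachable via ISP2 so the
! DMVPN tunnel survives once the default route is gone.
Branch(config)# ip route 203.0.113.1 255.255.255.255 32.221.21.150
! Now remove the static default (AD 1), which otherwise always wins over the
! EIGRP external default (AD 170) the hub will advertise.
Branch(config)# no ip route 0.0.0.0 0.0.0.0 32.221.21.150
Branch(config)# end
! Verify the default is now learned over the tunnel, then test from the LAN
! side so the packet matches the hub's NAT ACL.
Branch# show ip route 0.0.0.0
!  expected: D*EX 0.0.0.0/0 [170/...] via <hub tunnel IP>, Tunnel0
Branch# ping 8.8.8.8 source GigabitEthernet0/0/0
! Only after this works: cancel the timer and save.
Branch# reload cancel
Branch# write memory
!
! ===== HQ NAT router: originate the default into EIGRP (step 1) =====
! Same method as "redistribute static" on IOU5 in the lab above.
router eigrp 10
 redistribute static metric 100000 100 255 1 1500
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! NAT ACL must match the branch LAN too (the asker's already does).
ip access-list extended NAT
 permit ip 172.16.4.0 0.0.0.255 any
 permit ip 172.16.5.0 0.0.0.255 any
!
! ===== HQ WAN (hub) router: confirm the mGRE tunnel relays the default =====
interface Tunnel0
 no ip split-horizon eigrp 10
 no ip next-hop-self eigrp 10
!
! Check on the HQ NAT router while the branch PC pings:
! show ip nat translations | include 172.16.4.
```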

  • OK to clarify, you want me to add the Spoke (I assume you mean Branch Router) LAN subnet 172.16.4.0 to the ACL named NAT on the HUB (I assume you mean WAN Router)?
  • There is no ACL or NAT overload statement on the HUB, only on the HQ NAT Router, did you mean the HQ NAT Router?
  • If so that already exists. See below:
    ip access-list extended NAT
     permit ip 172.16.4.0 0.0.0.255 any
     permit ip 172.16.5.0 0.0.0.255 any