Solved: Re: Branch Office Shared Internet NAT Configuration - Page 2

JamesLilley1746 · ‎07-16-2023

Good afternoon everyone, my organization has added a Branch Office.
I wish to have all of the internet traffic for the Branch Office flow through the HQ NAT Router.
I have set up a working DMVPN with dynamic routing using eigrp (see the attached image).
Routing is working on all Routers,
```
show ip route
```
command lists all subnets, I can
```
ping
```
and traceroute any local address in either LAN.
NAT is working for the Headquarters
```
LAN 172.16.5.0
```
however NAT is not working for the Branch Office
```
LAN 172.16.4.0
```
I try to generate
```
ping
```
traffic from the Branch Office LAN to the internet and nothing displays when
```
debug ip nat
```
is enabled on the HQ NAT Router, nor does
```
show ip nat translations
```
show any traffic to the Branch Office LAN
I set up this same topology in Cisco Modeling Labs and NAT works fine for the Branch Office LAN, although I admit CML cannot replicate the underlay of a DMVPN in a production environment
Please review the NAT configuration in the attached image and advise.

MHM Cisco World · ‎07-17-2023

Three points

1- NATing' which you clear it that you already done it

2-

defualt route

from hub to spoke (branch)

3- static route in spoke toward isp2 for

hub IP

JamesLilley1746 · ‎07-18-2023

Good Morning, yesterday I made the following changes:
On the Hub (WAN Router) I changed the
```
default route
```
from
```
172.16.5.3 (NAT Router) to 172.16.10.2
```
Spoke Tunnel IP (Branch Router)

no ip route 0.0.0.0 0.0.0.0 172.16.5.3
ip route 0.0.0.0 0.0.0.0 172.16.10.2

After making the above change the DMVPN tunnel shutdown and NAT no longer functioned on the Hub (WAN Router)
On the Spoke (Branch Router) I also removed the
```
default route
```
towards ISP-2

no ip route 0.0.0.0 0.0.0.0 32.221.21.150

I added a static route for the Hub (WAN Router) Tunnel IP to ISP-2

ip route 172.16.10.1 255.255.255.255 32.221.21.150

After completing this change the tunnel remained down and NAT did not function on either the Hub (WAN Router) or the Spoke (Branch Router)

JamesLilley1746 · ‎07-17-2023

To clarify, on the Spoke device (I assume you mean Branch Router) I should add at static route for the
```
HUB tunnel IP address 172.16.10.1 towards ISP2 32.221.21.150
```
correct?
If the above is correct then on the Branch Router the command should be as follows:

ip route 172.16.10.1 255.255.255.0 32.221.21.150

Please confirm if the above is correct
Also I do not understand what "default information in Hub toward Spoke" means?

JamesLilley1746 · ‎07-17-2023

OK, I found the
```
default-information
```
command.
To clarify, on the Hub device (WAN Router) I add the
```
default-information
```
in command pointing toward the Spoke device (Branch Router) correct?
Do I add to the existing
```
router eigrp 200
```
statement or something else?

MHM Cisco World · ‎07-18-2023

Dont worry' I will share lab config with you

Dmvpn hub and eigrp and nating

Within 1 hr I will share

JamesLilley1746 · ‎07-18-2023

I appreciate your efforts.
I reviewed the Cisco Modeling Lab I had setup, where NAT does in fact work on the Branch Subnet.
The only major difference from the production config is that the Branch Router
```
default route
```
is the WAN Router inside
```
interface 172.16.5.5
```
rather than
```
ISP-2   32.221.21.150
```
However if I use
```
172.16.5.5 as the default route
```
for the Branch Router in the production config the DMVPN tunnel goes down.
So maybe the key is to determine what is causing the tunnel to go down, because otherwise the config should work as it does in CML.

MHM Cisco World · ‎07-18-2023

IOU5#show run

hostname IOU5
!
interface Ethernet0/0
ip address 200.0.0.5 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet1/1
ip address 10.0.0.5 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router eigrp 5
network 10.0.0.0 0.0.0.255
redistribute static metric 100 100 255 1 1500

!
ip nat inside source list 1 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 200.0.0.6
!
access-list 1 permit 3.3.3.3
access-list 1 permit 2.2.2.2



IOU1#show run
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 120.0.0.3
crypto isakmp key mhm address 0.0.0.0
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
crypto ipsec profile mhmspoke
set transform-set mhm
!
crypto map mhmtunnel 10 ipsec-isakmp
set peer 120.0.0.3
set transform-set mhm
match address 100
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 5
no ip split-horizon eigrp 5
ip nhrp map multicast dynamic
ip nhrp network-id 5
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 5
tunnel protection ipsec profile mhmspoke
!
interface Tunnel1
ip address 15.0.0.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 120.0.0.3
!
interface Ethernet0/0
ip address 100.0.0.1 255.255.255.0
crypto map mhmtunnel
!
interface Ethernet1/1
ip address 10.0.0.1 255.255.255.0
!
router eigrp 5
network 5.0.0.0 0.0.0.255
network 10.0.0.0 0.0.0.255
!
router eigrp 15
network 15.0.0.0 0.0.0.255
!
ip forward-protocol nd
!
ip route 110.0.0.2 255.255.255.255 100.0.0.4
ip route 120.0.0.3 255.255.255.255 100.0.0.4
!
access-list 100 permit gre host 15.0.0.1 host 15.0.0.3
access-list 100 permit gre host 100.0.0.1 host 120.0.0.3





IOU2#show running-config

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 100.0.0.1
crypto isakmp key mhm address 0.0.0.0
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
!
crypto ipsec profile mhmspoke
set transform-set mhm
!
!
crypto map mhmtunnel 10 ipsec-isakmp
! Incomplete
set peer 100.0.0.1
set transform-set mhm
match address 100

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
no ip redirects
ip nhrp map 5.0.0.1 100.0.0.1
ip nhrp map multicast 100.0.0.1
ip nhrp network-id 5
ip nhrp nhs 5.0.0.1
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 5
tunnel protection ipsec profile mhmspoke
!
interface Ethernet0/1
ip address 110.0.0.2 255.255.255.0
crypto map mhmtunnel
!
router eigrp 5
network 2.2.2.2 0.0.0.0
network 5.0.0.0 0.0.0.255

!
ip route 100.0.0.1 255.255.255.255 110.0.0.4

MHM Cisco World · ‎07-18-2023

Screenshot (961).png

MHM Cisco World · ‎07-18-2023

this lab I success
same approach I share before
LO in IOU2 Spoke can access IOU6 using NATIng in IOU5

the issue I face
I config

default route

in IOU5 and

redistribute static

into EIGRP 5
but the IOU1 (Hub) not advertise this

default route

via EIGRP
because I was already config

default route

toward IOU4 (ISP)
so solution here is
remove

default route

in Hub IOU1 and use static route for each spoke

NOW Spoke get

defualt route

via

EIGRP tunnel

from Hub.
and traffic forward to Hub then to Hub NATing.

JamesLilley1746 · ‎07-18-2023

OK, Thank you, I will need to take some time to study this and apply to my config. I will let you know how I make out.

MHM Cisco World · ‎07-18-2023

Take your time friend

Have a nice summer

MHM

JamesLilley1746 · ‎07-20-2023

Good Morning, I have reviewed your Lab config and applied the relevant changes to my network (see attached image)
I am happy to report that NAT is now working in the Branch Office LAN while all internet traffic flows through the Headquarters NAT Router as intended.
Thank you for your time and efforts.

MHM Cisco World · ‎07-20-2023

You are so so welcome

MHM