cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2275
Views
4
Helpful
27
Replies

Branch Office Shared Internet NAT Configuration

JamesLilley1746
Level 1
Level 1
  • Good afternoon everyone, my organization has added a Branch Office.
  • I wish to have all of the internet traffic for the Branch Office flow through the HQ NAT Router. 
  • I have set up a working DMVPN with dynamic routing using eigrp (see the attached image). 
  • Routing is working on all Routers,
    show ip route
    command lists all subnets, I can
    ping
    and traceroute any local address in either LAN. 
  • NAT is working for the Headquarters
    LAN 172.16.5.0
    however NAT is not working for the Branch Office
    LAN 172.16.4.0
     
  • I try to generate
    ping
    traffic from the Branch Office LAN to the internet and nothing displays when
    debug ip nat
    is enabled on the HQ NAT Router, nor does
    show ip nat translations
    show any traffic to the Branch Office LAN
  • I set up this same topology in Cisco Modeling Labs and NAT works fine for the Branch Office LAN, although I admit CML cannot replicate the underlay of a DMVPN in a production environment
  • Please review the NAT configuration in the attached image and advise.
27 Replies 27

Three points 

1- NATing' which you clear it that you already done it

2-

defualt route

from hub to spoke (branch)

3- static route in spoke toward isp2 for

hub IP

  • Good Morning, yesterday I made the following changes:
  • On the Hub (WAN Router) I changed the
    default route
    from
    172.16.5.3 (NAT Router) to 172.16.10.2
      Spoke Tunnel IP (Branch Router)
no ip route 0.0.0.0 0.0.0.0 172.16.5.3
ip route 0.0.0.0 0.0.0.0 172.16.10.2
  • After making the above change the DMVPN tunnel shutdown and NAT no longer functioned on the Hub (WAN Router)
  • On the Spoke (Branch Router) I also removed the
    default route
      towards ISP-2
no ip route 0.0.0.0 0.0.0.0 32.221.21.150
  • I added a static route for the Hub (WAN Router) Tunnel IP to ISP-2
ip route 172.16.10.1 255.255.255.255 32.221.21.150
  • After completing this change the tunnel remained down and NAT did not function on either the Hub (WAN Router) or the Spoke (Branch Router)

  • To clarify, on the Spoke device (I assume you mean Branch Router) I should add at static route for the
    HUB tunnel IP address 172.16.10.1 towards ISP2 32.221.21.150
    correct?
  • If the above is correct then on the Branch Router the command should be as follows:
ip route 172.16.10.1 255.255.255.0 32.221.21.150
  • Please confirm if the above is correct
  • Also I do not understand what "default information in Hub toward Spoke" means?

  • OK, I found the
    default-information
     command.
  • To clarify, on the Hub device (WAN Router) I add the
    default-information
    in command pointing toward the Spoke device (Branch Router) correct?
  • Do I add to the existing
    router eigrp 200
    statement or something else?

Dont worry' I will share lab config with you 

Dmvpn hub and eigrp and nating 

Within 1 hr I will share 

  • I appreciate your efforts.
  • I reviewed the Cisco Modeling Lab I had setup, where NAT does in fact work on the Branch Subnet.
  • The only major difference from the production config is that the Branch Router
    default route
    is the WAN Router inside
    interface 172.16.5.5
    rather than 
    ISP-2   32.221.21.150
  • However if I use
    172.16.5.5 as the default route
    for the Branch Router in the production config the DMVPN tunnel goes down.
  • So maybe the key is to determine what is causing the tunnel to go down, because otherwise the config should work as it does in CML.

IOU5#show run

hostname IOU5
!
interface Ethernet0/0
ip address 200.0.0.5 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet1/1
ip address 10.0.0.5 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router eigrp 5
network 10.0.0.0 0.0.0.255
redistribute static metric 100 100 255 1 1500

!
ip nat inside source list 1 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 200.0.0.6
!
access-list 1 permit 3.3.3.3
access-list 1 permit 2.2.2.2



IOU1#show run
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 120.0.0.3
crypto isakmp key mhm address 0.0.0.0
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
crypto ipsec profile mhmspoke
set transform-set mhm
!
crypto map mhmtunnel 10 ipsec-isakmp
set peer 120.0.0.3
set transform-set mhm
match address 100
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
no ip redirects
no ip next-hop-self eigrp 5
no ip split-horizon eigrp 5
ip nhrp map multicast dynamic
ip nhrp network-id 5
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel key 5
tunnel protection ipsec profile mhmspoke
!
interface Tunnel1
ip address 15.0.0.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 120.0.0.3
!
interface Ethernet0/0
ip address 100.0.0.1 255.255.255.0
crypto map mhmtunnel
!
interface Ethernet1/1
ip address 10.0.0.1 255.255.255.0
!
router eigrp 5
network 5.0.0.0 0.0.0.255
network 10.0.0.0 0.0.0.255
!
router eigrp 15
network 15.0.0.0 0.0.0.255
!
ip forward-protocol nd
!
ip route 110.0.0.2 255.255.255.255 100.0.0.4
ip route 120.0.0.3 255.255.255.255 100.0.0.4
!
access-list 100 permit gre host 15.0.0.1 host 15.0.0.3
access-list 100 permit gre host 100.0.0.1 host 120.0.0.3





IOU2#show running-config

!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 100.0.0.1
crypto isakmp key mhm address 0.0.0.0
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
!
crypto ipsec profile mhmspoke
set transform-set mhm
!
!
crypto map mhmtunnel 10 ipsec-isakmp
! Incomplete
set peer 100.0.0.1
set transform-set mhm
match address 100

!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
no ip redirects
ip nhrp map 5.0.0.1 100.0.0.1
ip nhrp map multicast 100.0.0.1
ip nhrp network-id 5
ip nhrp nhs 5.0.0.1
tunnel source Ethernet0/1
tunnel mode gre multipoint
tunnel key 5
tunnel protection ipsec profile mhmspoke
!
interface Ethernet0/1
ip address 110.0.0.2 255.255.255.0
crypto map mhmtunnel
!
router eigrp 5
network 2.2.2.2 0.0.0.0
network 5.0.0.0 0.0.0.255

!
ip route 100.0.0.1 255.255.255.255 110.0.0.4

this lab I success 
same approach I share before 
LO in IOU2 Spoke can access IOU6 using NATIng in IOU5 

the issue I face 
I config

default route

in IOU5 and

redistribute static

into EIGRP 5 
but the IOU1 (Hub) not advertise this

default route

via EIGRP 
because I was already config

default route

toward IOU4 (ISP)
so solution here is 
remove

default route

in Hub IOU1 and use static route for each spoke 

NOW Spoke get

defualt route

via

EIGRP tunnel

from Hub.
and traffic forward to Hub then to Hub NATing.

  • OK, Thank you, I will need to take some time to study this and apply to my config. I will let you know how I make out.

Take your time friend 

Have a nice summer 

MHM

  • Good Morning, I have reviewed your Lab config and applied the relevant changes to my network (see attached image)
  • I am happy to report that NAT is now working in the Branch Office LAN while all internet traffic flows through the Headquarters NAT Router as intended.
  • Thank you for your time and efforts.

You are so so welcome 

MHM

Review Cisco Networking for a $25 gift card