DMVPN spoke through a firewall

bsciarra1
Level 1

Good morning, we have a DMVPN hub and spoke configuration. Our spokes are DSL lines; they act as a failover for when our MPLS circuits go down.

Everything works.

Recently we have begun using these DSL lines for internet access at the branches, rather than just as DMVPN spokes.

To do this we put a firewall in front of the DSL line (not a Cisco, a WatchGuard). Internet at the branch works fine, but now I can't see my hub's tunnel address.

Working with the firewall vendor, I've enabled IPsec passthrough. I cannot see my hub tunnel address, and I am sure it has something to do with the new setup, since it was working when our DMVPN tunnel source was the fa0/1 interface on the branch router. Now it's the outside interface of my firewall (where the DSL is physically connected in the new configuration).

Does anyone have any experience making something like this work and know what I should do?

7 Replies

paolo bevilacqua
Hall of Fame

Firewall is not a good idea. Let the router face the internet directly, and everything will work surely and safely.

Paolo thank you for the reply.

When I don't use the firewall and try to send the internet traffic out the same interface as the DMVPN, the internet doesn't work (but DMVPN does work).

To do this I am adding a default route "ip route 0.0.0.0 0.0.0.0 71.252.114.1" (which is the next-hop gateway address behind my fa0/1 interface, which is connected to DSL).

Is there some configuration I need to add to have it do both DMVPN and general internet at the same time through the same interface?

Here is my configuration:

interface FastEthernet0/1
 ip address 71.252.114.99 255.255.255.0
 ip access-group 109 in
 ip inspect in2out out
 duplex auto
 speed auto
!
interface Tunnel1
 description Tunnel to Corp
 bandwidth 1000
 ip address 172.21.21.21 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map multicast 63.238.164.99
 ip nhrp map 172.21.21.1 63.238.164.99
 ip nhrp network-id 10
 ip nhrp holdtime 300
 ip nhrp nhs 172.21.21.1
 no ip split-horizon eigrp 100
 no ip mroute-cache
 delay 1000
 tunnel source 71.252.114.99
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DR-backup
!
router eigrp 100
 redistribute bgp 65001 metric 1500 10 255 1 1500 route-map MATCH_LAN_INTERFACE
 network 172.21.21.0 0.0.0.255
 no auto-summary

I included the EIGRP configuration because the DMVPN tunnel uses that for routing.

Can you please tell me what needs to be added or removed to make this interface work for both general internet access and the DMVPN tunnel at the same time?

You will need to configure NAT.

Hi Paolo,

Can you please explain why this is a bad idea?

XIE YAO
Level 1

Hello,

I've done a similar case where the DMVPN router is behind a firewall, and it works fine.

Something to note:

1. UDP 500 and ESP must be allowed from outside in your FW.

2. When you do NAT on the FW, please ensure the DMVPN router IP (tunnel source) is static PAT (port 500) to the FW WAN IP, and allow UDP 4500 (NAT-T).

Regards

XIE


@XIE YAO wrote:

Hello,

I've done a similar case where the DMVPN router is behind a firewall, and it works fine.

Something to note:

1. UDP 500 and ESP must be allowed from outside in your FW.

2. When you do NAT on the FW, please ensure the DMVPN router IP (tunnel source) is static PAT (port 500) to the FW WAN IP, and allow UDP 4500 (NAT-T).

Regards

XIE


Thanks. Quite helpful.

My mistake was that I did the static NAT / port forwarding to the "source interface IP address" of the DMVPN devices. The moment I added the "tunnel IP addresses" for all devices, everything worked perfectly.

I actually created a network object-group and added both the physical (source interface IP address object) and the logical (tunnel interface IP address object).

That's it.

bsciarra1
Level 1

Paolo, when I configure NAT it doesn’t work. It seems like the inside addresses aren’t translating to the outside address. This is what I do:

interface FastEthernet0/0
 description Data LAN
 ip address 192.168.23.1 255.255.255.0
 ip helper-address 172.16.0.54
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description Voice LAN
 no switchport
 ip address 10.0.23.1 255.255.255.0
 ip helper-address 172.16.0.54
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description Verizon DSL
 ip address 71.252.113.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
access-list 7 permit 192.168.23.0
access-list 7 permit 10.0.23.0 0.0.0.255
!
ip nat inside source list 7 interface FastEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 71.252.113.1

All traceroutes from the client PCs on the inside interface fail. All traceroutes from the router itself are successful.

When I do a “sho ip nat translations” it is blank.

Is there anything that looks wrong with this?
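One check worth running on a NAT access list like the one above, written as an added example for this thread (not the poster's config or any Cisco tool): a small evaluator that applies IOS numbered standard-ACL semantics to a source address, including the rule that a line with no wildcard mask gets wildcard 0.0.0.0 and so matches exactly one host rather than a subnet. The two ACL lines are copied from the post; the addresses tested are constructed.

```python
import ipaddress
from typing import List, Tuple

# Sample input: the two standard-ACL lines from the config above.
ACL_LINES = [
    "access-list 7 permit 192.168.23.0",
    "access-list 7 permit 10.0.23.0 0.0.0.255",
]

Entry = Tuple[str, int, int]  # (action, network as int, wildcard as int)


def parse_standard_acl(lines: List[str], number: str) -> List[Entry]:
    """Collect the entries of one numbered standard ACL, in order."""
    entries: List[Entry] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != number:
            continue
        action = parts[2]
        if parts[3] == "any":
            entries.append((action, 0, 0xFFFFFFFF))
        elif parts[3] == "host":
            entries.append((action, int(ipaddress.IPv4Address(parts[4])), 0))
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            # IOS: a standard ACL line without a wildcard uses 0.0.0.0,
            # i.e. it matches only that single address.
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
            entries.append((action, net, wild))
    return entries


def acl_action(entries: List[Entry], src_ip: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # bits the wildcard says must match
        if (ip & care) == (net & care):
            return action
    return "deny"


def would_be_translated(lines: List[str], src_ip: str, acl_number: str = "7") -> bool:
    """True if a packet from src_ip would be selected by 'ip nat inside source list'."""
    return acl_action(parse_standard_acl(lines, acl_number), src_ip) == "permit"


if __name__ == "__main__":
    for host in ("192.168.23.0", "192.168.23.10", "10.0.23.55", "172.16.0.5"):
        print(f"{host:>14} -> translated: {would_be_translated(ACL_LINES, host)}")
```

Running it shows that a data-LAN host such as 192.168.23.10 is not selected by list 7 as written, while voice-LAN hosts are; `show ip nat translations` only ever lists flows the ACL permitted.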

Xie Yao,

Thank you for the information on getting through the firewall. I will take this to my FW vendor and try to make this work. If successful, I will abandon NAT'ing via the Cisco.
