03-19-2013 08:19 AM - edited 03-04-2019 07:20 PM
Good morning, we have a DMVPN hub and spoke configuration. Our spokes are DSL lines; they act as a failover for when our MPLS circuits go down.
Everything works.
Recently we have begun using these DSL lines for internet access at the branches, rather than just as DMVPN spokes.
To do this we put a firewall in front of the DSL line (not a Cisco, a WatchGuard). Internet at the branch works fine, but now I can't see my hub's tunnel address.
Working with the firewall vendor, I've enabled IPsec passthrough. I cannot see my hub tunnel address, and I am sure it has something to do with the new setup, since it was working when our DMVPN tunnel source was the fa0/1 interface on the branch router. Now it's the outside interface of my firewall (where the DSL is physically connected in the new configuration).
Does anyone have any experience making something like this work and know what I should do?
03-19-2013 10:28 AM
Firewall is not a good idea. Let the router face the internet directly, and everything will work surely and safely.
03-20-2013 10:06 AM
Paolo thank you for the reply.
When I don't use the firewall and try to send the internet traffic out the same interface as the DMVPN, the internet doesn't work (but DMVPN does work).
To do this I am adding a default route "ip route 0.0.0.0 0.0.0.0 71.252.114.1" (which is the next-hop gateway address behind my fa0/1 interface, which is connected to DSL).
Is there some configuration I need to add to have it do both DMVPN and general internet at the same time through the same interface?
Here is my configuration:
interface FastEthernet0/1
ip address 71.252.114.99 255.255.255.0
ip access-group 109 in
ip inspect in2out out
duplex auto
speed auto
interface Tunnel1
description Tunnel to Corp
bandwidth 1000
ip address 172.21.21.21 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication dmvpn
ip nhrp map multicast 63.238.164.99
ip nhrp map 172.21.21.1 63.238.164.99
ip nhrp network-id 10
ip nhrp holdtime 300
ip nhrp nhs 172.21.21.1
no ip split-horizon eigrp 100
no ip mroute-cache
delay 1000
tunnel source 71.252.114.99
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DR-backup
router eigrp 100
redistribute bgp 65001 metric 1500 10 255 1 1500 route-map MATCH_LAN_INTERFACE
network 172.21.21.0 0.0.0.255
no auto-summary
I included the EIGRP configuration because the DMVPN tunnel uses that for routing.
Can you please tell me what needs to be added or removed to make this interface work for both general internet access and the DMVPN tunnel at the same time?
03-21-2013 02:28 AM
You will need to configure NAT.
03-20-2013 09:14 PM
Hello,
I've done a similar case where the DMVPN router is behind a firewall, and it works fine.
Something to note:
1. UDP 500 and ESP must be allowed from outside in your FW.
2. When you do NAT on the FW, please ensure the DMVPN router IP (tunnel source) is static PAT (port 500) to the FW WAN IP, and allow UDP 4500 (NAT-T).
Regards
XIE
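As an added illustration of the two points above (example code, not from this thread or any vendor), the check below walks an ordered, first-match firewall policy and reports which of the inbound flows a DMVPN spoke needs (UDP/500, UDP/4500 for NAT-T, and ESP) are still blocked. The rule format, the WAN address 203.0.113.10 and both rulesets are constructed for the example; with static PAT the public address is the FW WAN IP.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    direction: str     # "in" = outside -> inside, "out" = inside -> outside
    proto: str         # "udp", "tcp", "esp", "gre" or "any"
    dport: int | None  # None = any port (or no port, e.g. ESP)
    dst: str           # destination address or "any"

# Inbound flows the hub must be able to send to the spoke (or to the FW WAN
# IP that is statically PAT'd to the spoke). ESP carries no port numbers.
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None)]

def matches(rule: Rule, direction: str, proto: str, dport, dst: str) -> bool:
    if rule.direction != direction or rule.proto not in ("any", proto):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return rule.dst in ("any", dst)

def evaluate(policy: list[Rule], direction, proto, dport, dst) -> str:
    """First matching rule wins; no match falls through to implicit deny."""
    for r in policy:
        if matches(r, direction, proto, dport, dst):
            return r.action
    return "deny"

def missing_dmvpn_flows(policy: list[Rule], public_ip: str) -> list[str]:
    """Return the required inbound flows this policy does not allow."""
    return [
        f"{proto}/{dport if dport is not None else '-'} -> {public_ip}"
        for proto, dport in REQUIRED
        if evaluate(policy, "in", proto, dport, public_ip) != "allow"
    ]

WAN_IP = "203.0.113.10"  # constructed FW WAN address for the example
# Constructed "passthrough-only" policy: ISAKMP is open but NAT-T and ESP are not.
WEAK = [Rule("allow", "in", "udp", 500, WAN_IP),
        Rule("deny", "in", "any", None, "any")]
# The same policy with the flows from the post above added.
FIXED = [Rule("allow", "in", "udp", 500, WAN_IP),
         Rule("allow", "in", "udp", 4500, WAN_IP),
         Rule("allow", "in", "esp", None, WAN_IP),
         Rule("deny", "in", "any", None, "any")]

if __name__ == "__main__":
    print("weak policy still blocks:", missing_dmvpn_flows(WEAK, WAN_IP))
    print("fixed policy still blocks:", missing_dmvpn_flows(FIXED, WAN_IP))
```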
02-27-2018 05:13 AM
@XIE YAO wrote:
Hello,
I've done a similar case where the DMVPN router is behind a firewall, and it works fine.
Something to note:
1. UDP 500 and ESP must be allowed from outside in your FW.
2. When you do NAT on the FW, please ensure the DMVPN router IP (tunnel source) is static PAT (port 500) to the FW WAN IP, and allow UDP 4500 (NAT-T).
Regards
XIE
Thanks. Quite helpful.
My mistake was that I did the static NAT / port forwarding to the "source interface IP address" of the DMVPN devices. The moment I added the "tunnel IP addresses" for all devices, everything worked perfectly.
I actually created a network object-group and added both the physical (source interface IP address object) and the logical (tunnel interface IP address object).
That's it.
03-25-2013 11:28 AM
Paolo, when I configure NAT it doesn’t work. It seems like the inside addresses aren’t translating to the outside address. This is what I do:
interface FastEthernet0/0
description Data LAN
ip address 192.168.23.1 255.255.255.0
ip helper-address 172.16.0.54
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet1/0
description Voice LAN
no switchport
ip address 10.0.23.1 255.255.255.0
ip helper-address 172.16.0.54
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description Verizon DSL
ip address 71.252.113.99 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
access-list 7 permit 192.168.23.0
access-list 7 permit 10.0.23.0 0.0.0.255
ip nat inside source list 7 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 71.252.113.1
All traceroutes from the client PCs on the inside interfaces fail. All traceroutes from the router itself are successful.
When I do a "sho ip nat translations" it is blank.
Is there anything that looks wrong with this?
Xie Yao,
Thank you for the information for getting through the firewall. I will take this to my FW vendor and try to make this work. If successful I will abandon NAT'ing via the cisco.
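One thing worth checking in the NAT configuration posted above: in IOS a standard access-list entry written without a wildcard mask is read with wildcard 0.0.0.0, so "access-list 7 permit 192.168.23.0" covers only the single address 192.168.23.0, not the Data LAN, while the 10.0.23.0 entry carries its mask. The added script below (example code, not from this thread) reproduces the IOS first-match wildcard evaluation over the posted ACL and NAT statement and shows which inside hosts the NAT ACL would select; the two test hosts are constructed.

```python
import ipaddress
import re

# access-list <num> permit|deny <addr> [<wildcard>]   (standard numbered ACL)
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")

def parse_acl(config: str) -> dict:
    """Map ACL number -> ordered entries of (action, address, wildcard) as ints."""
    acls: dict = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        num, action, addr, wild = m.groups()
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        wild = wild or "0.0.0.0"  # IOS default when the mask is omitted: one host
        acls.setdefault(num, []).append(
            (action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))))
    return acls

def acl_permits(entries, host: str) -> bool:
    """First match wins, implicit deny at the end, as IOS evaluates it."""
    h = int(ipaddress.IPv4Address(host))
    for action, addr, wild in entries:
        # a 1 bit in the wildcard means "don't care", so compare only the 0 bits
        if (h & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF):
            return action == "permit"
    return False

def nat_candidates(config: str, hosts: list) -> dict:
    """For each inside host: would 'ip nat inside source list N' translate it?"""
    m = re.search(r"ip nat inside source list (\d+)", config)
    entries = parse_acl(config).get(m.group(1), []) if m else []
    return {h: acl_permits(entries, h) for h in hosts}

# The ACL and NAT statement exactly as posted in the thread.
POSTED = """
access-list 7 permit 192.168.23.0
access-list 7 permit 10.0.23.0 0.0.0.255
ip nat inside source list 7 interface FastEthernet0/1 overload
"""
# The same lines with the wildcard mask the Data LAN entry is missing.
CORRECTED = POSTED.replace("permit 192.168.23.0\n", "permit 192.168.23.0 0.0.0.255\n")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        # constructed sample hosts, one on each inside LAN
        print(name, nat_candidates(cfg, ["192.168.23.50", "10.0.23.50"]))
```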