
DMVPN tunnel down with NAT outside

Hello,

 

I have a DMVPN setup, and I am adding a new spoke with the public IP on my router interface g0/0/0.

When I add the command "ip nat outside" to the g0/0/0 interface, the DMVPN is down and the tunnel is also down; they come back up when I remove "ip nat outside".

I have more than 50 connected branches, but the problem is only with this branch.

The router model is ISR4331.

The certificates are pulled from the CA server, authenticated and enrolled.

========

spoke config

========

 

crypto isakmp policy 20
encr aes 256
hash md5
group 2
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP_AES256_SHA
!

interface Tunnel1
description -Link-To-HUB1-Tunnel1-
bandwidth 1000
ip address 100.100.100.x 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 100.100.100.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 100.100.100.1
ip nhrp registration timeout 5
ip nhrp shortcut
ip nhrp redirect
zone-member security wan
ip tcp adjust-mss 1360
delay 500
if-state nhrp
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN shared

!

interface Tunnel2
description -Link-To-HUB2-Tunnel2-
bandwidth 1000
ip address 100.100.200.x 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 100.100.200.1 y.y.y.y
ip nhrp map multicast y.y.y.y
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 100.100.200.1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
delay 10
if-state nhrp
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN shared

!

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

!

access-list 101 permit ip any any

!

 

Any idea?

balaji.bandi
VIP Expert

What is the hub side config? Is this a dual HUB setup?



BB


*** Rate All Helpful Responses ***

I really do not have the hub config, and yes, it is a dual HUB setup.

balaji.bandi
VIP Expert

We need the other side's config as well to understand the issue. You mentioned the other 50 sites are working; what difference do you see here?

 

Model / version of code? / Config? Are all 50 connected to the same dual hub?



BB


*** Rate All Helpful Responses ***

The only difference is the router model; the others are 2800 routers.

 

So the config is the same on all routers and working? Look at the config, since you confirmed all are working.

 

access-list 101 permit ip any any - can this be made granular with the known IP addresses rather than any any, for testing?

 

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

 

 



BB


*** Rate All Helpful Responses ***


Georg Pauwen
VIP Expert

Hello,

 

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

!

--> access-list 101 permit ip any any

 

An access list that allows any to any is usually not a good idea. Change the access list to reflect the actual inside networks, and make that a standard access list, e.g.:

 

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

!

access-list 1 permit 192.x.x.x 0.0.0.255


paul driver
VIP Mentor

Hello,
You have what looks like ZBFW applied to one of the tunnels, but I don't see it anywhere else. Also, I don't see any NAT inside domain applied to any interface?

As already stated by @Georg Pauwen, it isn't recommended to have a NAT ACL with "any any"; you need to be more specific in the access-list entry about the subnets you wish to be translated:

no access-list 101 permit ip any any
access-list 101 permit ip x.x.x.x 0.0.0.255 any

 

Also, as for the default static route: is the gig0/0/0 interface statically addressed, or is it a DHCP client?
I would suggest changing this to accommodate either:

no ip route 0.0.0.0 0.0.0.0 a.b.c.d
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 a.b.c.d

or 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp

 



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future


MHM Cisco World
Rising star

You want direct Internet access with DMVPN,
so LAN traffic will first route through the tunnel, then build the tunnel, then go through the WAN.
The LAN traffic that routes directly through the WAN needs NAT here.
So configure the ACL so that only the LAN traffic routed directly through the WAN is NATed.

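As an added example (not code from the thread, the poster or Cisco), here is a small Python audit that applies the two checks Georg and Paul describe to a spoke config: it flags a NAT ACL whose source is 'any' and a NAT rule with no 'ip nat inside' interface. The config samples are constructed from the poster's snippet; the 192.168.10.0/24 LAN subnet and the GigabitEthernet0/0/1 inside interface are made up.

```python
import re

# Constructed, trimmed copy of the spoke config from the thread: this is the
# state the poster described (nat outside on the WAN port, any-any NAT ACL).
BROKEN_CFG = """\
interface GigabitEthernet0/0/0
 ip nat outside
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
access-list 101 permit ip any any
"""
# The same spoke after the two changes the answers recommend (subnet made up).
FIXED_CFG = """\
interface GigabitEthernet0/0/0
 ip nat outside
interface GigabitEthernet0/0/1
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.10.0 0.0.0.255
"""
NAT_RULE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload")
ACL_LINE = re.compile(r"^access-list (\S+) permit (.+)$")
PROTOS = {"ip", "tcp", "udp", "icmp", "gre", "esp"}  # extended ACLs start with one

def nat_statements(cfg):
    """Map each interface name to the sub-commands configured under it."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(" ", 1)[1], set())
        elif line.startswith(" ") and cur is not None:
            cur.add(line.strip())
        else:
            cur = None  # any other global line ends the interface block
    return ifaces

def audit_nat(cfg):
    """Findings for the NAT problems raised in the thread; empty list means clean."""
    findings, ifaces, acls = [], nat_statements(cfg), {}
    for m in filter(None, map(ACL_LINE.match, cfg.splitlines())):
        acls.setdefault(m.group(1), []).append(m.group(2))
    for m in filter(None, map(NAT_RULE.match, cfg.splitlines())):
        acl, outside = m.groups()
        for entry in acls.get(acl, []):
            tokens = entry.split()
            # Source field: second token for extended ACLs, first for standard ones.
            if (tokens[1] if tokens[0] in PROTOS else tokens[0]) == "any":
                findings.append(f"acl {acl}: '{entry}' permits any source; scope it to the inside LAN subnets")
    if not any("ip nat inside" in stmts for stmts in ifaces.values()):
        findings.append("no interface has 'ip nat inside', so the NAT rule has no inside domain")
    return findings
```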