DMVPN tunnel down with NAT outside

Hello,

 

I have a DMVPN setup, and I am adding a new spoke with the public IP on my router interface g0/0/0.

When I add the command "ip nat outside" to the g0/0/0 interface, the DMVPN is down and the tunnel also is down, and they are up when removing the "ip nat outside".

I have more than 50 connected branches, but the problem is only with this branch.

The router model is ISR4331.

The certificates are pulled from the CA server, authenticated and enrolled.

========

spoke config

========

 

crypto isakmp policy 20
encr aes 256
hash md5
group 2
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP_AES256_SHA
!

interface Tunnel1
description -Link-To-HUB1-Tunnel1-
bandwidth 1000
ip address 100.100.100.x 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 100.100.100.1 x.x.x.x
ip nhrp map multicast x.x.x.x
ip nhrp network-id 1
ip nhrp holdtime 10
ip nhrp nhs 100.100.100.1
ip nhrp registration timeout 5
ip nhrp shortcut
ip nhrp redirect
zone-member security wan
ip tcp adjust-mss 1360
delay 500
if-state nhrp
keepalive 10 3
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 1
tunnel protection ipsec profile DMVPN shared

!

interface Tunnel2
description -Link-To-HUB2-Tunnel2-
bandwidth 1000
ip address 100.100.200.x 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map 100.100.200.1 y.y.y.y
ip nhrp map multicast y.y.y.y
ip nhrp network-id 2
ip nhrp holdtime 10
ip nhrp nhs 100.100.200.1
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
delay 10
if-state nhrp
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile DMVPN shared

!

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

!

access-list 101 permit ip any any

!

Any idea?


8 Replies

balaji.bandi (Hall of Fame)

What is the hub side config? Is this a dual HUB setup?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I really do not have the hub config, and yes it is a dual HUB setup.

balaji.bandi (Hall of Fame)

We need the other side's config also to understand the issue. You mentioned the other 50 sites are working; what is the difference you see here?

 

Model / version of code / config? Are all 50 connected to the same dual hub?

BB

The only difference is the router model; the others have 2800 routers.

 

So the config is the same on all routers and working? Look at the config, since you confirmed all are working.

access-list 101 permit ip any any   - can this be made granular with known IP addresses rather than any any, for testing?

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

BB

Hello,

 

ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

!

--> access-list 101 permit ip any any

 

An access list that allows any to any is usually not a good idea. Change the access list to reflect the actual inside networks, and make that a standard access list, e.g.:

 

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d

!

access-list 1 permit 192.x.x.x 0.0.0.255

Hello
You have what looks like ZBFW applied to one of the tunnels, but I don't see it anywhere else; also, I don't see any NAT inside domain applied to any interface.

As already stated by @Georg Pauwen, it isn't recommended to have a NAT ACL with "any any"; you need to be more specific in the access-list entry for the subnets you wish to be translated:

no access-list 101 permit ip any any
access-list 101 permit ip x.x.x.x 0.0.0.255 any

 

Also, as for the default static route: is the gig0/0/0 interface statically addressed, or is it a DHCP client?
I would suggest changing this to accommodate either:

no ip route 0.0.0.0 0.0.0.0 a.b.c.d
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 a.b.c.d

or

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

You want direct Internet access with DMVPN, so LAN traffic will first route through the tunnel, build the tunnel, then go through the WAN.
The LAN traffic that routes directly through the WAN needs NAT here.
So configure the ACL so that only the LAN traffic that routes directly through the WAN is NATed.
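As an added example (not from this thread or any poster), the following Python lint checks a spoke config for the four points raised above: a NAT ACL that permits any to any, a NAT ACL that is not a standard list, no interface marked "ip nat inside", and a default route without an exit interface. Both config samples are constructed; the 192.0.2.0/24 inside subnet and GigabitEthernet0/0/1 LAN interface are placeholders.

```python
import re

# Constructed sample: the NAT-relevant lines of the spoke config from the thread.
SPOKE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip nat outside
interface Tunnel1
 tunnel source GigabitEthernet0/0/0
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 a.b.c.d
access-list 101 permit ip any any
"""

# Constructed sample with the fixes suggested in the thread (subnet and LAN interface are placeholders).
FIXED_CONFIG = """\
interface GigabitEthernet0/0/0
 ip nat outside
interface GigabitEthernet0/0/1
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 a.b.c.d
access-list 1 permit 192.0.2.0 0.0.0.255
"""

def parse_config(text):
    """Split an IOS config into per-interface stanzas (indented lines) and global lines."""
    interfaces, global_lines, current = {}, [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line.strip())
    return interfaces, global_lines

def lint_nat(text):
    """Return findings for the NAT and default-route issues raised in the thread."""
    interfaces, global_lines = parse_config(text)
    findings = []
    for rule in (g for g in global_lines if g.startswith("ip nat inside source list ")):
        acl = rule.split()[5]  # the ACL named by 'ip nat inside source list <acl> ...'
        aces = [g for g in global_lines if g.startswith(f"access-list {acl} ")]
        if any(re.search(r"\bpermit\s+(?:ip\s+)?any(?:\s+any)?$", a) for a in aces):
            findings.append(f"NAT ACL {acl} permits any->any; list only the inside LAN subnets")
        if not (acl.isdigit() and (1 <= int(acl) <= 99 or 1300 <= int(acl) <= 1999)):
            findings.append(f"NAT ACL {acl} is not a standard ACL; a source-only standard ACL suffices")
    if not any("ip nat inside" in lines for lines in interfaces.values()):
        findings.append("no interface is marked 'ip nat inside'; NAT has no inside domain")
    for route in (g for g in global_lines if g.startswith("ip route 0.0.0.0 0.0.0.0 ")):
        if len(route.split()) < 6:  # only a next hop, no exit interface (or 'dhcp')
            findings.append("default route names only a next hop; add the exit interface")
    return findings
```

Running lint_nat(SPOKE_CONFIG) reports all four findings, while lint_nat(FIXED_CONFIG) returns an empty list.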
