05-13-2019 03:21 AM
Hi, I have made a lab with 1 HUB and 2 SPOKEs, phase 1 DMVPN over IPsec. Also the RIP routing protocol is activated at the points. Local networks can access the other sites with RIP. I also want them to be able to access the internet over NAT. Any help appreciated. Here are my config files attached.
05-13-2019 04:17 AM - edited 05-13-2019 04:22 AM
Hello,
you have default routes already in place pointing to the NAT outside interface. Basically, all you need to do is add static routes to the local networks pointing to the tunnel and change the NAT access lists:
Hub
! static routes to the remote LANs need a subnet mask, not a wildcard mask
ip route 192.168.8.0 255.255.255.0 Tunnel0
ip route 192.168.9.0 255.255.255.0 Tunnel0
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.8.8.2
!
! keep site-to-site traffic out of NAT, translate everything else from the local LAN
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
Spoke 1
ip route 192.168.7.0 255.255.255.0 Tunnel0
!
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
Spoke 2
ip route 192.168.7.0 255.255.255.0 Tunnel0
!
access-list 101 deny ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.9.0 0.0.0.255 any
05-13-2019 06:24 AM
05-13-2019 04:24 AM
Hello Zamil,
you have NAT configured on each router. So at the moment each site accesses the Internet independently.
Just to clarify, would you like traffic from spoke1 and spoke2 to go to the Internet using DMVPN and exit at the hub router/site instead of using local NAT?
Best Regards
Giuseppe
05-13-2019 05:43 AM
Thanks for your answer,
I would check for both: access to the internet locally and through the tunnel. What's the best practice? Also, RIP is configured at the points; should I write those access-lists too which you mentioned?
05-13-2019 06:20 AM
05-14-2019 05:46 AM
any ideas, pls?
05-14-2019 06:43 AM
Hello Zamil,
if you would like to go to the internet via the hub site only, using the DMVPN from the spoke sites, you should do the following:
a) remove the NAT configuration on the spoke routers (to simplify, or leave it)
b) on the spokes make the static default route floating, with AD 200 for example
c) on the hub use
router ospf <process-id>
default-information originate
! this is to generate an OSPF default route to be sent over the DMVPN tunnel
exit
interface tunnel <DMVPN-tunnel#>
ip nat inside
Change the NAT configuration, the ACLs on the hub, so that traffic from the spoke remote LAN subnets will also be NATed.
For more security the extended NAT ACL should deny traffic between the remote site LANs and the local LAN, to avoid it being NATed.
CAUTION: I have never tried this kind of configuration, so if you have a production network I would suggest testing this in a lab.
Hope to help
Giuseppe
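The steps a) to c) above, written out as one complete configuration. This is an added example, not a configuration from this thread or from its posters, and it uses the thread's LAN ranges (192.168.7.0/24 hub, 192.168.8.0/24 and 192.168.9.0/24 spokes) and the hub's existing default via 10.8.8.2; the tunnel subnet 172.16.0.0/24, the hub's NBMA address and the spokes' ISP next hops are assumed placeholders. Since the thread runs RIP rather than OSPF, the hub-originated default uses `default-information originate` under `router rip`, which IOS supports as well. It also adds the check a practitioner would want before trusting a tunnel-learned default: a host route to the hub's NBMA address via the ISP, so the GRE/IPsec packets that carry the tunnel never follow a default route pointing back into the tunnel itself (otherwise IOS reports recursive routing and flaps Tunnel0). The LAN interfaces are assumed to carry `ip nat inside` already, as in the thread's existing configs.

```cisco
! ===== Hub =====
! Traffic arriving from the spokes over the tunnel counts as "inside" so it can
! be translated on the way out of Gi0/0.
interface Tunnel0
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
!
router rip
 version 2
 network 192.168.7.0
 network 172.16.0.0          ! assumed tunnel subnet (placeholder)
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.8.8.2
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! Site-to-site traffic (including spoke-to-spoke traffic hairpinned through
! the hub in phase 1) is excluded from NAT; everything else from the three
! LANs is translated to the hub's public address.
access-list 101 deny   ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny   ip 192.168.7.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 deny   ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny   ip 192.168.8.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 deny   ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny   ip 192.168.9.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 101 permit ip 192.168.9.0 0.0.0.255 any

! ===== Spoke 1 =====  (Spoke 2 is the same with 192.168.9.0 and its own next hop)
! Host route to the hub's NBMA (public) address via the ISP. Without it, the
! tunnel's own transport packets would try to use the RIP default learned
! through the tunnel, which IOS rejects as recursive routing.
ip route <HUB-NBMA-IP> 255.255.255.255 <SPOKE1-ISP-NEXT-HOP>
!
! Floating default, AD 200. The RIP default received over the tunnel has
! AD 120 and wins while the DMVPN is up; if the tunnel fails, this route
! takes over and the site falls back to its own local NAT on the WAN port.
ip route 0.0.0.0 0.0.0.0 <SPOKE1-ISP-NEXT-HOP> 200
!
router rip
 version 2
 network 192.168.8.0
 network 172.16.0.0          ! assumed tunnel subnet (placeholder)
 no auto-summary
```

To confirm the intended path on a spoke, `show ip route 0.0.0.0` should list the RIP default via the tunnel (AD 120) while `show dmvpn` shows the hub session up; after pulling the tunnel, the same command should show the floating static (AD 200) instead. On the hub, `show ip nat translations` should then contain entries whose inside local addresses belong to 192.168.8.0/24 and 192.168.9.0/24, proving that spoke traffic is being translated at the hub rather than locally.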
05-20-2019 06:00 AM
not working, it's making me crazy
05-20-2019 06:39 AM
Hello,
post the current full configurations of your routers, with the changes you have implemented...