We have an mGRE setup which we are connecting to home offices from head office over DSL lines at the home office side.
Everything is working fine, the tunnel is up and running, but the internet connection is getting dropped frequently, but to my surprise the VPN connection is active and working.
The GRE tunnel is formed over DSL (same as DMVPN) to connect to head office, and normal internet traffic will go through the NAT device towards the internet.
The LAN IP is provided to the PC through the DHCP server from the router 881.
My topology is like:
Head Office(cisco 1941)---->Internet--------->nat device---->cisco 881---->PC.
I can ping head office continuously, but when I am doing the same with the internet the packets are getting dropped.
Attaching the Cisco 881 config.
Can anyone help?
Can you post the results of 'show ip nat translations' when you are initiating traffic from the spoke (home office)? I want to make sure a translation is taking place.
Also, can you post the results from a traceroute to 220.127.116.11 from a PC on that spoke.
Looking at your first file you sent (I cannot open the second one you posted):
You have a 192.168.50.0/24 being advertised by RIP but your physical interface is /29,
and your ACL statement for NAT doesn't look correct, with denying 192.168.1.0/24 and 192.168.2.0/24 and permitting everything else even though they are not in the same subnetwork of the physical interface - I would specify the actual subnet to be permitted and not leave it to ip any any.
You seem to have only part of the cryptographic VPN configured; are you wanting to use IPsec also?
For your NHRP, specifying a tunnel mode, enabling multicast and NOT, as far as I am aware, specifying a tunnel destination:
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 - (on HUB and SPOKE - this adds dynamic pre-shared keys for all of the remote VPNs)
crypto ipsec transform-set NHRP esp-3des esp-md5-hmac
crypto ipsec profile TEST
set security-association lifetime seconds xxx
set transform-set NHRP
ip nhrp map multicast dynamic
NO tunnel destination
tunnel mode gre multipoint
tunnel protection ipsec profile TEST
no access-list 2000
access-list 2000 permit ip
Please don't forget to rate any posts that have been helpful.
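The NAT ACL point in the reply above, as an added example that is not part of the original thread: a small Python check that flags permit entries in the NAT ACL whose source is wider than any `ip nat inside` subnet. The config text, the addresses and the interface names are constructed for illustration; only the shape of ACL 2000 (two denies, then permit any any) follows the reply, and only numbered extended ACLs with contiguous wildcards are handled.

```python
import ipaddress
import re

# Constructed sample, not the poster's attached config: addresses and
# interface names are assumptions; ACL 2000's shape follows the reply above.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.50.1 255.255.255.248
 ip nat inside
!
ip nat inside source list 2000 interface FastEthernet4 overload
access-list 2000 deny ip any 192.168.1.0 0.0.0.255
access-list 2000 deny ip any 192.168.2.0 0.0.0.255
access-list 2000 permit ip any any
"""
# Same constructed config with the permit narrowed to the inside /29.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("permit ip any any", "permit ip 192.168.50.0 0.0.0.7 any")

def source_network(tokens):
    """Turn the source part of an extended ACL entry into an IPv4 network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    bits = int(ipaddress.IPv4Address(tokens[1]))  # wildcard mask as an integer
    if bits & (bits + 1):
        raise ValueError("non-contiguous wildcard: " + tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{32 - bits.bit_length()}", strict=False)

def inside_networks(config):
    """Subnets of the interfaces marked 'ip nat inside'."""
    nets = []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        addr = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
        if addr and re.search(r"^ ip nat inside\s*$", block, re.M):
            nets.append(ipaddress.ip_network(f"{addr[1]}/{addr[2]}", strict=False))
    return nets

def overbroad_nat_permits(config):
    """NAT ACL permit lines whose source is not within any NAT-inside subnet."""
    nat = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    if not nat:
        return []
    inside = inside_networks(config)
    entries = re.finditer(rf"^access-list {nat[1]} permit ip (.+)$", config, re.M)
    return [m[0] for m in entries
            if not any(source_network(m[1].split()).subnet_of(n) for n in inside)]
```

`overbroad_nat_permits(SAMPLE_CONFIG)` returns the `permit ip any any` line, and the narrowed variant returns an empty list.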
Thank you for the reply.
We have home offices in different regions and some ISPs are blocking port 4500, so I am not using IPsec for them.
As per the NATting, the access list filters the traffic going on the WAN and directs the interesting traffic onto the tunnel, and all other traffic will be going to the internet, so I specified any any.
And the RIP: there is nothing wrong with the network connection to my head office and there are no packet drops on the tunnel, but when I am pinging IPs like 18.104.22.168 and 22.214.171.124 the pings start getting dropped after 5 or 10 min.