Need assistance with CGNAT/NAT within DMVPN environment

Gene Geng
Level 1

My objective, whether using Starlink, TMHI, or another vendor that uses CGNAT/NAT to hand out IP addresses (Starlink 100.64.0.0 or TMHI 192.168.12.0), is to configure DHCP on the physical interface of the Remote2-vpn router on the drawing and NAT into an IP address that I can control (192.168.23.2), and to be able to talk to other nodes like 172.16.200.1 and 172.16.200.128.

I have the DHCP/translation working (if I designed/configured it right), but I cannot ping 172.16.200.1 or 172.16.200.128.

Any help is GREATLY appreciated.

Attached are the DMVPN config parts of the DHCP router remote2-vpn and a drawing.

5 Replies

Torbjørn
VIP

You will need to provide a bit more info to be able to help you. What is the output of show dmvpn, show ip eigrp neighbors and show ip route? Can you post the config + show commands from the hub as well?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

For any spoke behind NAT:

use IPsec transform AH, not ESP, and use transport mode, not tunnel mode.

MHM

Thanks for the response. I've changed my crypto ipsec transform-set to:

crypto ipsec transform-set nex_ts ah-sha-hmac
 mode transport

After this change, I was unable to ping 172.16.200.1. I'm assuming you have to match the transport on the headend router (hqvpn), which I did.

I took out all the NAT stuff and went back to the original DMVPN configuration with a static IP address on Gi0/1 just to make sure I could ping 172.16.200.1 and 172.16.200.128. All pings succeeded.

When I start doing NAT and DHCP, that's where I'm unsure. We've always used transport mode tunnel and ESP.

What I'm trying to do is: normally when we order an MPLS circuit or internet circuit we ask for a static IP address. Of course, Starlink and TMHI cannot give you a static IP.

We use the static IP address in ACLs to allow/deny what each router in our DMVPN environment can talk to and cannot talk to.

Any other ideas?

 

 

 

sorry can you more elaborate
and for using ACL you can use ACL or you can filter subnet to make some Spoke LAN is hidden from other Spoke and Hub

MHM 

ip access-list extended VPN
 permit ip host 192.168.123.2 host 192.168.23.2
 permit ip host 192.168.223.2 host 192.168.23.2

(This ACL we configure on the outside interface on the circuit, Gi0/1, and always as ip access-group VPN in.)

We have a similar ACL on all of our DMVPN spokes.

It permits other spokes' outside IP addresses [from Cox, Lumen, etc.] to communicate with this local router's physical outside IP address. That's how we control what talks with what in our DMVPN/Internet environment.
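To make the ACL question concrete, here is an added example (not code from any participant in this thread) that parses extended-ACL entries of the form used above and evaluates source/destination pairs against them, including the implicit deny that ends every IOS ACL. The entries are copied from the post; the 100.64.x.x source addresses and the optional wildcard entry for the 100.64.0.0/10 CGNAT shared-address space are constructed to show why a per-host permit cannot match a spoke whose outside address is provider-assigned, and how much wider the permit becomes if the whole shared range is allowed instead. Only `ip` entries with `host`, `any` and address/wildcard forms are modelled.

```python
"""Evaluate Cisco-style extended ACL entries against source/destination pairs."""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the thread's `ip access-list extended VPN` (applied
# inbound on the spoke's outside interface). IOS appends an implicit deny;
# evaluate() models that explicitly.
ACL_VPN = """
permit ip host 192.168.123.2 host 192.168.23.2
permit ip host 192.168.223.2 host 192.168.23.2
"""

# Constructed alternative entry: permit the whole RFC 6598 shared address
# space (100.64.0.0/10, wildcard 0.63.255.255) instead of a single host.
CGNAT_RANGE_ACE = "permit ip 100.64.0.0 0.63.255.255 host 192.168.23.2\n"


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # source match (host -> /32)
    dst: ipaddress.IPv4Network  # destination match


def _parse_addr(tokens):
    """Consume one address spec ('host A', 'any', or 'A WILDCARD').

    Returns (network, remaining tokens).
    """
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # IOS writes an inverse (wildcard) mask; convert it to a netmask.
    addr, wildcard = tokens[0], tokens[1]
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse permit/deny 'ip' entries in order; blank and unrelated lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src, dst):
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def compare_policies(local_outside="192.168.23.2"):
    """Show the per-host ACL next to the widened CGNAT-range ACL for sample sources."""
    per_host = parse_acl(ACL_VPN)
    widened = parse_acl(ACL_VPN + CGNAT_RANGE_ACE)
    samples = {
        "listed spoke": "192.168.123.2",   # static outside address from the ACL
        "cgnat spoke": "100.64.12.34",     # constructed provider-assigned address
        "other cgnat customer": "100.127.255.254",  # constructed, same /10, not ours
    }
    return {
        name: (evaluate(per_host, ip, local_outside), evaluate(widened, ip, local_outside))
        for name, ip in samples.items()
    }


if __name__ == "__main__":
    for name, (strict, wide) in compare_policies().items():
        print(f"{name:22s} per-host ACL: {strict:6s} CGNAT-range ACL: {wide}")
```

The second column in `compare_policies()` is the trade-off to weigh before widening the entry: a `100.64.0.0 0.63.255.255` permit matches every customer of that carrier's CGNAT, not just your spoke, so the ACL no longer identifies the peer. In that situation the peer's identity has to come from the IPsec side (the IKE authentication of the tunnel) rather than from its outside address.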