Route all traffic over DMVPN from Spoke to Hub and out ASA FW

ciscosupportMBI
Level 1

All:

Here is my scenario:

 

MainSite (DMVPN HUB)- Cisco 2901 - Internal IP - 10.10.20.2

MainSite (Firewall) - Cisco ASA 5525x - Inside IP - 10.10.20.253

Remote Site (DMVPN SPOKE)- Cisco 881 - Inside IP - 10.10.186.1

 

I want all traffic from the Remote site (including internet traffic) to route through to the Main site and out the ASA for internet access. We have a passive Web Filter at the main site and we need to capture all DMVPN remote sites' traffic. We do have an MPLS for a majority of our sites, but about a dozen DMVPNs still exist.

 

We use EIGRP as our routing protocol. 

I have a Core Switch at the Main Site that all servers/devices have their default-gateway set to. IP of 10.10.20.1. Its route of last resort is the ASA Firewall - 10.10.20.253

I have attempted a policy based route map to tag all interesting traffic and set a next-hop route, which does result in the route-map counter ticking up, but internet traffic is still going out the remote site's ISP.

VPN tunnels are up and all internal routing is working well. I've scoured the interweb and haven't found a solution to my question. So I'm hoping someone much more experienced than I at this Cisco stuff (I'm at best at the CCNA level) can help. Config examples extremely appreciated.

THANKS!!!

Here are the configs for 2 routers: (I'm assuming we don't need the ASA involved here)

SPOKE:

BO-LAB-RTR1#sh run
Building configuration...

Current configuration : 6594 bytes
!
! Last configuration change at 22:02:20 UTC Tue Mar 24 2015 by admin
! NVRAM config last updated at 19:47:01 UTC Tue Mar 24 2015 by brianb
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BO-LAB-RTR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
no logging console
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-220850891
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-220850891
 revocation-check none
 rsakeypair TP-self-signed-220850891
!
crypto pki certificate chain TP-self-signed-220850891
 certificate self-signed 01
         quit
ip source-route
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name mobasin.local
ip port-map user-meraki port udp 7734 7351 7752 description Meraki Cloud comms
ip port-map user-p8443 port tcp 8443 description bcbsnd website
ip port-map user-RDP port tcp 3389 description RDP
ip inspect log drop-pkt
ip inspect name fw realaudio
ip inspect name fw streamworks
ip inspect name fw ssh
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw http
ip inspect name fw https
ip inspect name fw user-meraki
ip inspect name fw user-RDP
ip inspect name fw user-p8443
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX161983RT
!
ip tcp synwait-time 10
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key fun2run address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
interface Tunnel0
 description dmvpn-fargodcn
 bandwidth 1000
 ip address 10.254.100.186 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXXXX
 ip nhrp map 10.254.100.1 66.97.245.106
 ip nhrp map multicast xxx.xxx.245.106
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.254.100.1
 ip tcp adjust-mss 1360
 delay 1100
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN shared
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address dhcp
 ip access-group outside_acl_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect fw out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description TestLAN
 ip address 10.10.186.1 255.255.255.0
 ip access-group inside_acl_in in
 ip helper-address 10.10.20.30
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map vpn
!
router eigrp 100
 network 10.10.186.0 0.0.0.255
 network 10.254.100.0 0.0.0.255
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 1000
!
ip nat inside source list 105 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended inside_acl_in
 deny   ip 72.20.74.0 0.0.0.63 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended outside_acl_in
 permit udp any any eq bootpc
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit gre any any
 permit esp any any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq 22
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
!
access-list 104 permit ip 10.10.186.0 0.0.0.255 any
access-list 105 deny   ip 10.10.186.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 105 permit ip 10.10.186.0 0.0.0.255 any
no cdp run
!
route-map vpn permit 10
 match ip address 105
 set ip next-hop 10.10.20.1
!

HUB

rtr-far-dcn-2901#sh run
Building configuration...

Current configuration : 8380 bytes
!
! Last configuration change at 15:01:00 Denver Tue Mar 24 2015 by brianb
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-far-dcn-2901
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.152-4.M2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
clock timezone Denver -6 0
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ip source-route
ip cef
!
no ip bootp server
ip domain name mobasin.com
ip inspect log drop-pkt
ip inspect name fw realaudio
ip inspect name fw streamworks
ip inspect name fw ssh
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw dns
ip inspect name fw http
ip inspect name fw https
ip inspect name fw smtp max-data 4294967295
ip inspect name fw ntp
ip inspect name fw imap
ip inspect name fw imaps
ip inspect name fw pop3
ip inspect name fw pop3s
ip inspect name fw tcp
ip inspect name fw udp
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1061911734
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1061911734
 revocation-check none
 rsakeypair TP-self-signed-1061911734
!
crypto pki certificate chain TP-self-signed-1061911734
 certificate self-signed 01
  quit
!
redundancy
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh version 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
crypto isakmp key fun2run address 0.0.0.0
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set ESP-AES128-SHA
!
interface Tunnel0
 description vpn - Fargo hub
 bandwidth 1000
 ip address 10.254.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip flow ingress
 ip nhrp authentication XXXXXX
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 ip policy route-map vpn-internet
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description lan - fargo dmvpn gateway
 ip address 10.10.20.2 255.255.255.0
 ip access-group inside_acl_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description wan - fargo dmvpn gateway
 ip address XXX.XXX.245.106 255.255.255.240
 ip access-group outside_acl_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect fw out
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
!
interface FastEthernet0/0/1
 no ip address
 shutdown
!
interface FastEthernet0/0/2
 no ip address
 shutdown
!
interface FastEthernet0/0/3
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 10.254.100.0 0.0.0.255
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat inside source route-map internet interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.245.110
!
ip access-list extended dmvpn-traffic
 deny   ip 10.10.186.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 10.10.186.0 0.0.0.255 any
ip access-list extended inside_acl_in
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended outside_acl_in
 permit udp any host XXX.XXX.245.106 eq non500-isakmp
 permit udp any host XXX.XXX.245.106 eq isakmp
 permit gre any host XXX.XXX.245.106
 permit esp any host XXX.XXX.245.106
 permit icmp any host XXX.XXX.245.106 echo-reply
 permit icmp any host XXX.XXX.245.106 time-exceeded
 permit icmp any host XXX.XXX.245.106 unreachable
 permit tcp any host XXX.XXX.245.106 eq 22 log
 permit udp any any eq bootpc
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
!
no logging trap
access-list 104 permit ip 10.10.20.0 0.0.0.255 any
access-list 104 permit ip 10.10.16.0 0.0.0.255 any
access-list 104 permit ip 10.10.15.0 0.0.0.255 any
no cdp run
!
route-map internet permit 1
 match ip address 104
!
route-map vpn-internet permit 10
 match ip address dmvpn-traffic
 set ip next-hop 10.10.20.253
!


Jon Marshall
Hall of Fame

I'm not sure using PBR is the right solution.

What you can do is create a VRF and put your LAN and tunnel interfaces into the VRF and then pass a default route from the hub via EIGRP.

The router will still use the default route in the global routing table to build the tunnel over the internet but your clients at the spoke site will use the VRF default route pointing back to the hub.

See this thread for configuration details -

https://supportforums.cisco.com/discussion/12319916/dmvpn-default-gateway-issue

Jon

Thanks for the assistance Jon,

I got it a bit further with the article you shared. With some additional tweaking of the config in the example I now can ping the ISP's router. When doing a tracert from a client, I also see every hop along the way (except the ASA). I just can't seem to get it to ping 8.8.8.8 even though from everywhere else on the network I can. I can ping the vlan interface and workstation on that router from the ASA, so I know routing is working (or so it seems) and I'm traversing the ASA when getting to the ISP router.

Here's the config I came up with to get me this far. This is on the Spoke. I've made no changes other than to back out any policy maps or access-lists referring to the spoke on the HUB.

Any additional Help Appreciated.

 

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BO-LAB-RTR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-220850891
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-220850891
 revocation-check none
 rsakeypair TP-self-signed-220850891
!
crypto pki certificate chain TP-self-signed-220850891
 certificate self-signed 01
no ip source-route
!
ip vrf VRF_LAN
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name mobasin.local
ip port-map user-meraki port udp 7734 7351 7752 description Meraki Cloud comms
ip port-map user-p8443 port tcp 8443 description bcbsnd website
ip port-map user-RDP port tcp 3389 description RDP
ip inspect log drop-pkt
ip inspect name fw realaudio
ip inspect name fw streamworks
ip inspect name fw ssh
ip inspect name fw ftp
ip inspect name fw http
ip inspect name fw https
ip inspect name fw user-meraki
ip inspect name fw user-RDP
ip inspect name fw user-p8443
no ipv6 cef
!
ip tcp synwait-time 10
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key fun2run address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set DMVPN
!
interface Tunnel0
 description dmvpn-fargodcn
 bandwidth 1000
 ip vrf forwarding VRF_LAN
 ip address 10.254.100.186 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication D1M2VPN!
 ip nhrp map 10.254.100.1 XXX.XXX.245.106
 ip nhrp map multicast XXX.XXX.245.106
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.254.100.1
 ip tcp adjust-mss 1360
 delay 1100
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel1
 description dmvpn-Bismarckdcn
 bandwidth 1000
 ip vrf forwarding VRF_LAN
 ip address 10.254.101.186 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication D1M2VPN!
 ip nhrp map multicast XXX.XXX.245.90
 ip nhrp map 10.254.101.1 XXX.XXX.245.90
 ip nhrp network-id 100001
 ip nhrp holdtime 360
 ip nhrp nhs 10.254.101.1
 ip tcp adjust-mss 1360
 delay 1100
 shutdown
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile DMVPN shared
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 switchport access vlan 186
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address dhcp
 ip access-group outside_acl_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect fw out
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan186
 ip vrf forwarding VRF_LAN
 ip address 10.10.186.1 255.255.255.0
 ip helper-address 10.10.20.30
!
router eigrp 1
 !
 address-family ipv4 vrf VRF_LAN autonomous-system 100
  network 10.10.186.0 0.0.0.255
  network 10.254.100.0 0.0.0.255
  network 10.254.101.0 0.0.0.255
  eigrp router-id 10.254.100.186
 exit-address-family
 passive-interface default
 no passive-interface Tunnel0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 1000
!
ip route vrf VRF_LAN 0.0.0.0 0.0.0.0 10.10.20.1
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended outside_acl_in
 permit udp any any eq bootpc
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit gre any any
 permit esp any any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq 22
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
!
no cdp run

If you can ping or traceroute to the ISP router in the main office then I can't see why it wouldn't go out to the internet.

The ASA must be translating your private IP to a public one for the ISP to be able to return the traffic.

Are you sure it is getting as far as the ISP router ?

Jon

Yup... Here's the catch, I couldn't get that far until I put in

no ip source-route

It was enabled in the original config. Once I removed that I could ping the ISP router, but still not past that.

I've also opened a TAC case to see if they can determine what else I'm missing along my path.

One article I was reading had the VRF setup on both sides of the Tunnel (hub and spoke), is that maybe something I'm missing?

 

Thanks!

Brian

Brian

You should need the hub to be in the VRF if you don't need it to be.

So does a "sh ip route" on the spoke show the public subnet reachable via the hub router ?

Jon

Hello Jon,

Looking closer at the hub we realized routes were pointing towards the ISP, instead of pointing to the 3850 so traffic could get to the firewall.  Once the appropriate route was added, it started working.

 

Have a good day :)

Also, if I remove the VRF default route, I can still ping it. I'm thinking it's because, since the ASA participates in the EIGRP neighborhood and has redistribute static, it can see it's distributing the public subnet.

And when I put the "global" parameter after the route statement, and do a "sh ip route vrf *", the VRF table no longer has the gateway of last resort listed.

 

OK... The above config on the spoke is the correct config. The problem was the default route on the hub. It was left over from when that router was still the core router for the organization, and it had 0.0.0.0 0.0.0.0 pointing to the ISP router instead of my inside core switch. So when the packets were destined for anything other than what EIGRP knew about, they would time out trying to go out with no PAT to get back in.

Once I changed the default route to the core switch, the packets were happy!

Thanks again for the assistance!  

JOHN VOLTER
Level 1

Hello ciscosupportmbi

Have you looked at the front door VRF design? (fVRF)

 

https://www.google.com/#q=cisco+dmvpn+front+door+vrf
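As an added illustration (not code from anyone in this thread), here is what the front-door VRF design John mentions would look like applied to the spoke and hub from this thread: the ISP-facing interface and the tunnel transport move into a VRF (name INET and keyring name DMVPN-KEYS are assumed) while the LAN and the tunnel's inside address stay in the global table, so the only default route user traffic can ever follow is the one the hub advertises. The VRF-scoped dhcp default-route syntax is an assumption extended from the global form in the spoke config; the hub default route is the change Brian reported as the fix.

```cisco
! ---- Spoke BO-LAB-RTR1: ISP transport in front-door VRF, LAN in global ----
ip vrf INET
!
! IKEv1 pre-shared key must be bound to the transport VRF once the
! tunnel source lives there (keyring name assumed).
crypto keyring DMVPN-KEYS vrf INET
 pre-shared-key address 0.0.0.0 0.0.0.0 key fun2run
!
interface FastEthernet4
 description ISP transport (front-door VRF)
 ip vrf forwarding INET
 ip address dhcp
 ip access-group outside_acl_in in
!
interface Tunnel0
 description dmvpn-fargodcn
 ip address 10.254.100.186 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication XXXXXXX
 ip nhrp map 10.254.100.1 XXX.XXX.245.106
 ip nhrp map multicast XXX.XXX.245.106
 ip nhrp network-id 100000
 ip nhrp nhs 10.254.100.1
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel vrf INET
 tunnel protection ipsec profile DMVPN shared
!
interface Vlan1
 ip address 10.10.186.1 255.255.255.0
 ip helper-address 10.10.20.30
 no ip policy route-map vpn
!
router eigrp 100
 network 10.10.186.0 0.0.0.255
 network 10.254.100.0 0.0.0.255
!
! Transport VRF: the ISP's DHCP default lives only here and is used solely
! to reach the hub's public address (VRF-scoped dhcp syntax assumed from the
! global "ip route 0.0.0.0 0.0.0.0 dhcp" already in the spoke config).
ip route vrf INET 0.0.0.0 0.0.0.0 dhcp
! Global table: no static default, no local PAT, no PBR. LAN traffic to the
! internet follows the 0.0.0.0/0 learned from the hub over Tunnel0.
no ip route 0.0.0.0 0.0.0.0 dhcp
no ip nat inside source list 105 interface FastEthernet4 overload
no route-map vpn
!
! ---- Hub rtr-far-dcn-2901 ----
! Send a default to every spoke over the mGRE interface (classic-mode EIGRP
! summary); the vpn-internet PBR route-map is then unnecessary.
interface Tunnel0
 no ip policy route-map vpn-internet
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
!
! The hub's own default goes to the core switch (and through it the ASA),
! the change Brian reported as the fix, instead of the ISP router.
no ip route 0.0.0.0 0.0.0.0 XXX.XXX.245.110
ip route 0.0.0.0 0.0.0.0 10.10.20.1
```

With this split, a "sh ip route" on the spoke should show 0.0.0.0/0 as an EIGRP route via 10.254.100.1, and "sh ip route vrf INET" should show only the DHCP default toward the ISP.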
