03-24-2015 04:00 PM - edited 03-05-2019 01:05 AM
All:
Here is my scenario:
MainSite (DMVPN HUB)- Cisco 2901 - Internal IP - 10.10.20.2
MainSite (Firewall) - Cisco ASA 5525x - Inside IP - 10.10.20.253
Remote Site (DMVPN SPOKE)- Cisco 881 - Inside IP - 10.10.186.1
I want all traffic from the Remote site (including internet traffic) to route through to the Main site and out the ASA for internet access. We have a passive Web Filter at the main site and we need to capture all DMVPN remote site's traffic. We do have an MPLS for a majority of our sites, but about a dozen DMVPN's still exist.
We use EIGRP as our routing protocol.
I have a Core Switch at the Main Site that all servers/devices have their default-gateway set to. IP of 10.10.20.1. Its route of last resort is the ASA Firewall - 10.10.20.253
I have attempted a policy based route map to tag all interesting traffic and set a next-hop route, which does result in the route-map counter ticking up, but internet traffic is still going out the remote site's ISP.
VPN tunnels are up and all internal routing is working well. I've scoured the interweb and haven't found a solution to my question. So I'm hoping someone much more experienced than I at this Cisco Stuff (I'm at best at the CCNA level) can help. Config examples extremely appreciated.
THANKS!!!
Here are the configs for 2 routers: (I'm assuming we don't need the ASA involved here)
SPOKE:
BO-LAB-RTR1#sh run
Building configuration...
Current configuration : 6594 bytes
!
! Last configuration change at 22:02:20 UTC Tue Mar 24 2015 by admin
! NVRAM config last updated at 19:47:01 UTC Tue Mar 24 2015 by brianb
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BO-LAB-RTR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
no logging console
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-220850891
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220850891
revocation-check none
rsakeypair TP-self-signed-220850891
!
crypto pki certificate chain TP-self-signed-220850891
certificate self-signed 01
quit
ip source-route
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name mobasin.local
ip port-map user-meraki port udp 7734 7351 7752 description Meraki Cloud comms
ip port-map user-p8443 port tcp 8443 description bcbsnd website
ip port-map user-RDP port tcp 3389 description RDP
ip inspect log drop-pkt
ip inspect name fw realaudio
ip inspect name fw streamworks
ip inspect name fw ssh
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw http
ip inspect name fw https
ip inspect name fw user-meraki
ip inspect name fw user-RDP
ip inspect name fw user-p8443
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX161983RT
!
ip tcp synwait-time 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key fun2run address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
interface Tunnel0
description dmvpn-fargodcn
bandwidth 1000
ip address 10.254.100.186 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXXXXX
ip nhrp map 10.254.100.1 66.97.245.106
ip nhrp map multicast xxx.xxx.245.106
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.254.100.1
ip tcp adjust-mss 1360
delay 1100
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN shared
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-LAN$$FW_OUTSIDE$
ip address dhcp
ip access-group outside_acl_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect fw out
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description TestLAN
ip address 10.10.186.1 255.255.255.0
ip access-group inside_acl_in in
ip helper-address 10.10.20.30
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map vpn
router eigrp 100
network 10.10.186.0 0.0.0.255
network 10.254.100.0 0.0.0.255
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 1000
!
ip nat inside source list 105 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended inside_acl_in
deny ip 72.20.74.0 0.0.0.63 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended outside_acl_in
permit udp any any eq bootpc
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit gre any any
permit esp any any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp any any eq 22
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
!
access-list 104 permit ip 10.10.186.0 0.0.0.255 any
access-list 105 deny ip 10.10.186.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 105 permit ip 10.10.186.0 0.0.0.255 any
no cdp run
!
route-map vpn permit 10
match ip address 105
set ip next-hop 10.10.20.1
!
HUB:
rtr-far-dcn-2901#sh run
Building configuration...
Current configuration : 8380 bytes
!
! Last configuration change at 15:01:00 Denver Tue Mar 24 2015 by brianb
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-far-dcn-2901
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.152-4.M2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
clock timezone Denver -6 0
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ip source-route
ip cef
!
no ip bootp server
ip domain name mobasin.com
ip inspect log drop-pkt
ip inspect name fw realaudio
ip inspect name fw streamworks
ip inspect name fw ssh
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw dns
ip inspect name fw http
ip inspect name fw https
ip inspect name fw smtp max-data 4294967295
ip inspect name fw ntp
ip inspect name fw imap
ip inspect name fw imaps
ip inspect name fw pop3
ip inspect name fw pop3s
ip inspect name fw tcp
ip inspect name fw udp
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1061911734
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1061911734
revocation-check none
rsakeypair TP-self-signed-1061911734
!
crypto pki certificate chain TP-self-signed-1061911734
certificate self-signed 01
quit
!
redundancy
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh version 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
authentication pre-share
group 2
!
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto isakmp key fun2run address 0.0.0.0
!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-AES128-SHA
!
interface Tunnel0
description vpn - Fargo hub
bandwidth 1000
ip address 10.254.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
no ip next-hop-self eigrp 100
ip flow ingress
ip nhrp authentication XXXXXX
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
ip policy route-map vpn-internet
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description lan - fargo dmvpn gateway
ip address 10.10.20.2 255.255.255.0
ip access-group inside_acl_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description wan - fargo dmvpn gateway
ip address XXX.XXX.245.106 255.255.255.240
ip access-group outside_acl_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect fw out
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/0
no ip address
shutdown
!
interface FastEthernet0/0/1
no ip address
shutdown
!
interface FastEthernet0/0/2
no ip address
shutdown
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
!
router eigrp 100
network 10.10.0.0 0.0.255.255
network 10.254.100.0 0.0.0.255
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source route-map internet interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.245.110
!
ip access-list extended dmvpn-traffic
deny ip 10.10.186.0 0.0.0.255 10.10.0.0 0.0.255.255
permit ip 10.10.186.0 0.0.0.255 any
ip access-list extended inside_acl_in
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended outside_acl_in
permit udp any host XXX.XXX.245.106 eq non500-isakmp
permit udp any host XXX.XXX.245.106 eq isakmp
permit gre any host XXX.XXX.245.106
permit esp any host XXX.XXX.245.106
permit icmp any host XXX.XXX.245.106 echo-reply
permit icmp any host XXX.XXX.245.106 time-exceeded
permit icmp any host XXX.XXX.245.106 unreachable
permit tcp any host XXX.XXX.245.106 eq 22 log
permit udp any any eq bootpc
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
!
no logging trap
access-list 104 permit ip 10.10.20.0 0.0.0.255 any
access-list 104 permit ip 10.10.16.0 0.0.0.255 any
access-list 104 permit ip 10.10.15.0 0.0.0.255 any
no cdp run
!
route-map internet permit 1
match ip address 104
!
route-map vpn-internet permit 10
match ip address dmvpn-traffic
set ip next-hop 10.10.20.253
!
03-25-2015 03:47 AM
I'm not sure using PBR is the right solution.
What you can do is create a VRF and put your LAN and tunnel interfaces into the VRF and then pass a default route from the hub via EIGRP.
The router will still use the default route in the global routing table to build the tunnel over the internet but your clients at the spoke site will use the VRF default route pointing back to the hub.
See this thread for configuration details -
https://supportforums.cisco.com/discussion/12319916/dmvpn-default-gateway-issue
Jon
03-25-2015 01:49 PM
Thanks for the assistance Jon,
I got it a bit further with the article you shared. With some additional tweaking of the config in the example I now can ping the ISP's router. When doing a tracert from a client, I also see every hop along the way (except the ASA). I just can't seem to get it to ping 8.8.8.8 even though from everywhere else on the network I can. I can ping the vlan interface and workstation on that router from the ASA, so I know routing is working (or so it seems) and I'm traversing the ASA when getting to the ISP router.
Here's the config I came up with to get me this far. This is on the Spoke. I've made no changes other than to back out any policy maps or Access-lists referring to the spoke on the HUB.
Any additional Help Appreciated.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BO-LAB-RTR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-220850891
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220850891
revocation-check none
rsakeypair TP-self-signed-220850891
!
crypto pki certificate chain TP-self-signed-220850891
certificate self-signed 01
no ip source-route
!
ip vrf VRF_LAN
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name mobasin.local
ip port-map user-meraki port udp 7734 7351 7752 description Meraki Cloud comms
ip port-map user-p8443 port tcp 8443 description bcbsnd website
ip port-map user-RDP port tcp 3389 description RDP
ip inspect log drop-pkt
ip inspect name fw realaudio
ip inspect name fw streamworks
ip inspect name fw ssh
ip inspect name fw ftp
ip inspect name fw http
ip inspect name fw https
ip inspect name fw user-meraki
ip inspect name fw user-RDP
ip inspect name fw user-p8443
no ipv6 cef
!
ip tcp synwait-time 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key fun2run address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
interface Tunnel0
description dmvpn-fargodcn
bandwidth 1000
ip vrf forwarding VRF_LAN
ip address 10.254.100.186 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication D1M2VPN!
ip nhrp map 10.254.100.1 XXX.XXX.245.106
ip nhrp map multicast XXX.XXX.245.106
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.254.100.1
ip tcp adjust-mss 1360
delay 1100
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN shared
!
interface Tunnel1
description dmvpn-Bismarckdcn
bandwidth 1000
ip vrf forwarding VRF_LAN
ip address 10.254.101.186 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication D1M2VPN!
ip nhrp map multicast XXX.XXX.245.90
ip nhrp map 10.254.101.1 XXX.XXX.245.90
ip nhrp network-id 100001
ip nhrp holdtime 360
ip nhrp nhs 10.254.101.1
ip tcp adjust-mss 1360
delay 1100
shutdown
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 100001
tunnel protection ipsec profile DMVPN shared
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport access vlan 186
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-LAN$$FW_OUTSIDE$
ip address dhcp
ip access-group outside_acl_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect fw out
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan186
ip vrf forwarding VRF_LAN
ip address 10.10.186.1 255.255.255.0
ip helper-address 10.10.20.30
!
router eigrp 1
!
address-family ipv4 vrf VRF_LAN autonomous-system 100
network 10.10.186.0 0.0.0.255
network 10.254.100.0 0.0.0.255
network 10.254.101.0 0.0.0.255
eigrp router-id 10.254.100.186
exit-address-family
passive-interface default
no passive-interface Tunnel0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 1000
!
ip route vrf VRF_LAN 0.0.0.0 0.0.0.0 10.10.20.1
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended outside_acl_in
permit udp any any eq bootpc
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit gre any any
permit esp any any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp any any eq 22
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
!
no cdp run
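To make the two designs in this thread concrete, here is an added example (not code from the thread or from Cisco) that models the forwarding decisions the posted configs produce: the reworked spoke above, where the LAN and Tunnel0 sit in VRF_LAN with a VRF default route to 10.10.20.1 while the GRE transport is resolved in the global table, and the hub from the first post, where the route-map vpn-internet on Tunnel0 steers spoke-sourced internet traffic to the ASA at 10.10.20.253 instead of the hub's own ISP default. Routes, ACL entries and private addresses are taken from the configs; the EIGRP-learned prefixes (10.10.0.0/16 on the spoke, 10.10.186.0/24 on the hub) and the 203.0.113.x public addresses are assumptions standing in for the redacted XXX.XXX.245.x values.

```python
from ipaddress import ip_address, ip_network


def longest_match(table, dst):
    """Longest-prefix match over (prefix, next_hop, interface) rows.
    Returns the best row, or None when the table has no route for dst."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, next_hop, iface)
    return best


def acl_permits(acl, src, dst):
    """Cisco extended-ACL semantics: first matching entry decides, implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def resolve(table, dst):
    """Recursive lookup: a static route that names a next hop but no interface
    is looked up again until an egress interface is found."""
    row = longest_match(table, dst)
    if row is None:
        return None
    _, next_hop, iface = row
    if iface is None:
        deeper = resolve(table, next_hop)
        return None if deeper is None else (next_hop, deeper[1])
    return (next_hop, iface)


# ---- Spoke BO-LAB-RTR1 after the VRF rework (constructed from the config above)
HUB_PUBLIC = "203.0.113.106"      # placeholder for the redacted XXX.XXX.245.106
SPOKE_VRF_LAN = [
    ("10.10.186.0/24", None, "Vlan186"),           # connected, ip vrf forwarding VRF_LAN
    ("10.254.100.0/24", None, "Tunnel0"),          # connected, ip vrf forwarding VRF_LAN
    ("10.10.0.0/16", "10.254.100.1", "Tunnel0"),   # assumed EIGRP route from the hub
    ("0.0.0.0/0", "10.10.20.1", None),             # ip route vrf VRF_LAN 0.0.0.0 0.0.0.0 10.10.20.1
]
SPOKE_GLOBAL = [
    ("0.0.0.0/0", "dhcp-gateway", "FastEthernet4"),  # ip route 0.0.0.0 0.0.0.0 dhcp
]


def spoke_forward(dst):
    """A LAN packet enters in VRF_LAN. If it egresses Tunnel0, the GRE outer
    packet to the hub's public address is looked up in the global table."""
    inner = resolve(SPOKE_VRF_LAN, dst)
    if inner is None:
        return {"vrf": "VRF_LAN", "result": "no route"}
    next_hop, iface = inner
    out = {"vrf": "VRF_LAN", "next_hop": next_hop, "egress": iface}
    if iface == "Tunnel0":
        transport = resolve(SPOKE_GLOBAL, HUB_PUBLIC)
        out["transport"] = {"vrf": "global", "egress": transport[1]}
    return out


# ---- Hub rtr-far-dcn-2901 from the first post (global table + PBR on Tunnel0)
HUB_GLOBAL = [
    ("10.10.20.0/24", None, "GigabitEthernet0/0"),
    ("10.254.100.0/24", None, "Tunnel0"),
    ("10.10.186.0/24", "10.254.100.186", "Tunnel0"),        # assumed EIGRP route from the spoke
    ("0.0.0.0/0", "203.0.113.110", "GigabitEthernet0/1"),   # placeholder for XXX.XXX.245.110
]
ACL_DMVPN_TRAFFIC = [
    ("deny", "10.10.186.0/24", "10.10.0.0/16"),
    ("permit", "10.10.186.0/24", "0.0.0.0/0"),
]


def hub_forward(src, dst, pbr=True):
    """Packet arriving on Tunnel0. PBR is evaluated before the FIB: a permit in
    dmvpn-traffic sets next hop 10.10.20.253 (the ASA); a deny falls through to
    normal routing. pbr=False shows what happens with the route-map removed."""
    if pbr and acl_permits(ACL_DMVPN_TRAFFIC, src, dst):
        _, iface = resolve(HUB_GLOBAL, "10.10.20.253")
        return {"via": "pbr", "next_hop": "10.10.20.253", "egress": iface}
    next_hop, iface = resolve(HUB_GLOBAL, dst)
    return {"via": "routed", "next_hop": next_hop, "egress": iface}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.10.20.30"):
        print("spoke ->", dst, spoke_forward(dst))
        print("hub   ->", dst, hub_forward("10.10.186.50", dst))
    print("hub, no PBR -> 8.8.8.8", hub_forward("10.10.186.50", "8.8.8.8", pbr=False))
```

Running it shows the point Jon made: the spoke's VRF default sends 8.8.8.8 to 10.10.20.1 over Tunnel0, and only the encapsulated GRE packet uses the global DHCP default on FastEthernet4. On the hub, with the route-map removed, the same packet falls through to the ISP default on GigabitEthernet0/1; in the hub config as posted, ACL 104 behind the NAT route-map does not include 10.10.186.0/24, so such a packet would also leave untranslated, which is why the spoke's internet traffic must be steered toward the ASA side rather than the hub's own default.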
03-25-2015 02:37 PM
If you can ping or traceroute to the ISP router in the main office then I can't see why it wouldn't go out to the internet.
The ASA must be translating your private IP to a public one for the ISP to be able to return the traffic.
Are you sure it is getting as far as the ISP router ?
Jon
03-25-2015 02:41 PM
Yup... Here's the catch, I couldn't get that far until I put in
no ip source-route
It was enabled in the original config. Once I removed that I could ping the ISP router, but still not past that.
I've also opened a TAC case to see if they can determine what else I'm missing along my path.
One article I was reading had the VRF setup on both sides of the Tunnel (hub and spoke), is that maybe something I'm missing?
Thanks!
Brian
03-25-2015 03:09 PM
Brian
You should need the hub to be in the VRF if you don't need it to be.
So does a "sh ip route" on the spoke show the public subnet reachable via the hub router ?
Jon
03-27-2015 01:44 PM
Hello Jon,
Looking closer at the hub we realized routes were pointing towards the ISP, instead of pointing to the 3850 so traffic could get to the firewall. Once the appropriate route was added, it started working.
Have a good day :)