Enable DIA on ISR1K SD-WAN routers

Thet Pying Soe · ‎08-29-2020

I would like to use Internet directly exit from my ISR1K SD-WAN routers otherwise enabling DIA on this routes.I can’t enable NAT on SVI interface which is using as service VPN. How can I do it?

Eng_Muqrin · ‎09-08-2020

you should be configure DIA in vManage, See below link

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2020aug.pdf

gilbert.aispuro1 · ‎09-08-2020

To relate to your case, I had to deploy a ISR1100 to a small site with 1 ISP. Usually I have ISR4331/4351's. So my example is DIA with 1 ISP, but you can replicate the steps to add more ISPs if you wanted.

SO, in your Transport VPN aka VPN0 "Cisco VPN" template, make sure you add an IPv4 Route for the one ISP with the following:

"Prefix" as 0.0.0.0/0 (Match All Traffic)

"Gateway" as Next Hop

"Selected Gateway Configuration" as ISP Gateway IP

Add your ISP "Cisco VPN Interface Ethernet" Template and add the following:

"NAT" as On

"NAT Type" as "Interface"

In your Service VPN aka VPN 1-511, 513-65530 "Cisco VPN" template, make sure you add an IPv4 Route with the following:

"Prefix" as 0.0.0.0/0 (Match All Traffic from Service VPN)

"Gateway" as VPN

"Enable VPN" as On

I hope this makes sense. Also, depends on how you're connected on your LAN/Service side, you should have your "Switchport" and "VPN Interface SVI" templates attached as well. Let me know if you need help with this.

**Remember to "mark as solution" if this worked for you**