06-17-2020 09:13 PM
Hi,
I am trying to configure DIA policy and it is not working. It works fine on vEdge devices but not on cEdge. Below is my policy configuration:
policy
 data-policy _corpvpn_NEW-DIA
  vpn-list corpvpn
   sequence 1
    match
     source-data-prefix-list      cEdge-Sites-VPN-10
     destination-data-prefix-list vEdge-Sites-VPN-10
    !
    action accept
    !
   !
   sequence 11
    match
     source-data-prefix-list      vEdge-Sites-VPN-10
     destination-data-prefix-list cEdge-Sites-VPN-10
    !
    action accept
    !
   !
   sequence 21
    match
     source-data-prefix-list cEdge-Sites-VPN-10
    !
    action accept
     nat use-vpn 0
     set
      local-tloc-list
       color biz-internet
       encap ipsec
      !
     !
    !
   sequence 31
    match
     source-data-prefix-list vEdge-Sites-VPN-10
    !
    action accept
     nat use-vpn 0
     set
      local-tloc-list
       color biz-internet
       encap ipsec
      !
     !
    !
   default-action accept
  !
 control-policy HubNSpoke
  sequence 1
   match tloc
    tloc-list DC-TLOCS
   !
   action accept
   !
  !
  sequence 11
   match route
    site-list   AllBranch-Spoke
    prefix-list _AnyIpv4PrefixList
   !
   action accept
    set
     tloc-list DC-TLOCS
    !
   !
  !
  sequence 21
   match tloc
    tloc-list TLOC_BRANCH
   !
   action reject
   !
  !
  default-action accept
 !
 lists
  data-prefix-list cEdge-Sites-VPN-10
   ip-prefix 192.168.0.0/24
   ip-prefix 192.168.101.0/24
   ip-prefix 192.168.104.0/24
   ip-prefix 192.168.105.0/24
  !
  data-prefix-list vEdge-Sites-VPN-10
   ip-prefix 192.168.102.0/24
   ip-prefix 192.168.103.0/24
  !
  site-list AllBranch-Spoke
   site-id 100-104
  !
  site-list DC-Hub-MMK
   site-id 105
  !
  tloc-list DC-TLOCS
   tloc 10.10.10.105 color biz-internet encap ipsec preference 100
  !
  tloc-list TLOC_BRANCH
   tloc 10.10.10.103 color biz-internet encap ipsec
   tloc 10.10.10.102 color biz-internet encap ipsec
   tloc 10.10.10.104 color biz-internet encap ipsec
   tloc 10.10.10.101 color biz-internet encap ipsec
   tloc 10.10.10.100 color biz-internet encap ipsec
  !
  vpn-list corpvpn
   vpn 10
  !
  prefix-list _AnyIpv4PrefixList
   ip-prefix 0.0.0.0/0 le 32
  !
 !
!
apply-policy
 site-list AllBranch-Spoke
  data-policy _corpvpn_NEW-DIA from-service
  control-policy HubNSpoke out
 !
 site-list DC-Hub-MMK
  data-policy _corpvpn_NEW-DIA from-service
 !
!
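To make the intended behaviour of the posted data policy concrete, here is a small first-match evaluator, added as an example and not part of the original post. It copies the two data-prefix lists and the four sequences of _corpvpn_NEW-DIA exactly as posted, and assumes the usual SD-WAN centralized-policy semantics: sequences are evaluated in order, the first match wins, and anything unmatched falls through to the default-action (accept, forwarded over the overlay). The sample flows at the bottom are constructed; "dia-nat-vpn0" is just this script's label for a sequence that carries "nat use-vpn 0".

```python
"""Added example (not from the forum post): a first-match evaluator for
the centralized data policy quoted above. Assumes first-match semantics
and models what "nat use-vpn 0" is meant to do, i.e. NAT the flow out of
the transport VPN (DIA); it does not model why that fails on cEdge."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Data prefix lists exactly as posted.
PREFIX_LISTS = {
    "cEdge-Sites-VPN-10": ["192.168.0.0/24", "192.168.101.0/24",
                           "192.168.104.0/24", "192.168.105.0/24"],
    "vEdge-Sites-VPN-10": ["192.168.102.0/24", "192.168.103.0/24"],
}


@dataclass
class Sequence:
    number: int
    src_list: Optional[str] = None      # source-data-prefix-list
    dst_list: Optional[str] = None      # destination-data-prefix-list
    nat_use_vpn: Optional[int] = None   # "nat use-vpn 0" -> DIA via VPN 0
    local_tloc_color: Optional[str] = None


# Sequences of data-policy _corpvpn_NEW-DIA, in the order posted.
POLICY = [
    Sequence(1, src_list="cEdge-Sites-VPN-10", dst_list="vEdge-Sites-VPN-10"),
    Sequence(11, src_list="vEdge-Sites-VPN-10", dst_list="cEdge-Sites-VPN-10"),
    Sequence(21, src_list="cEdge-Sites-VPN-10",
             nat_use_vpn=0, local_tloc_color="biz-internet"),
    Sequence(31, src_list="vEdge-Sites-VPN-10",
             nat_use_vpn=0, local_tloc_color="biz-internet"),
]


def in_list(addr: str, list_name: str) -> bool:
    """True if addr falls inside any prefix of the named data-prefix-list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[list_name])


def evaluate(src: str, dst: str) -> dict:
    """Return the first matching sequence number and the forwarding decision
    for a src->dst flow inside VPN 10. An absent match criterion matches all."""
    for seq in POLICY:
        if seq.src_list and not in_list(src, seq.src_list):
            continue
        if seq.dst_list and not in_list(dst, seq.dst_list):
            continue
        return {
            "sequence": seq.number,
            "path": "dia-nat-vpn0" if seq.nat_use_vpn == 0 else "overlay",
            "color": seq.local_tloc_color,
        }
    # default-action accept: stays on the overlay, no NAT.
    return {"sequence": None, "path": "overlay", "color": None}


if __name__ == "__main__":
    # Constructed sample flows (not from the post).
    flows = [
        ("192.168.101.10", "192.168.102.20"),  # cEdge site -> vEdge site
        ("192.168.101.10", "8.8.8.8"),         # cEdge site -> Internet
        ("192.168.102.20", "192.168.101.10"),  # vEdge site -> cEdge site
        ("192.168.0.5", "192.168.104.7"),      # cEdge site -> another cEdge site
        ("10.1.1.1", "8.8.8.8"),               # source in no list
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
```

Running it shows the ordering doing its job for cEdge-to-vEdge and vEdge-to-cEdge traffic (sequences 1 and 11 keep it on the overlay before the DIA catch-alls in 21 and 31 can NAT it out). It also shows a gap worth checking before deploying such a policy: a flow between two prefixes that are both in cEdge-Sites-VPN-10 (for example 192.168.0.5 to 192.168.104.7) matches sequence 21 and is sent to VPN 0 with NAT, because no earlier sequence covers cEdge-to-cEdge pairs; the same applies to vEdge-to-vEdge traffic and sequence 31. If that site-to-site traffic is supposed to stay inside the overlay, it needs an explicit accept sequence ahead of the nat use-vpn sequences.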
06-18-2020 12:25 AM - edited 06-18-2020 12:34 AM
Hello,
Yeah, the "nat use-vpn 0" didn't work for me when I set up my cEdges (4331/4351). I ended up working with an engineer and they said the following is the preferred way of doing DIA for cEdges, at least at the time it was, and no Viptela engineer has said anything about it when they work with me on cases.
1. VPN0 Transport "VPN" Template - Add IPv4 Routes for each circuit you have at the site. This will add the following CLI config: "ip route 0.0.0.0 0.0.0.0 x.x.x.x" (See DIA1 and DIA2 pics)
2. VPN1 Service "VPN" Template - Add IPv4 Routes for each circuit you have at the site. This will add the following CLI config: "ip nat route vrf 1 0.0.0.0 0.0.0.0 global" (See DIA3 pic)
3. VPN1 Service "VPN Interface Ethernet" Template - Toggle "ON" for "NAT" for each circuit interface you create at the Branches. This will add the following CLI config: "ip nat inside source list nat-dia-vpn-hop-access-list interface GigabitEthernet1/0/0 overload" and "ip nat outside" on the interfaces
I believe that's all you need for DIA. Let me know how it goes and if you need anything else.
06-18-2020 06:13 AM
Hi Gilbert,
Thank you for your reply. Yes, this is one of the solutions using a Template to get DIA working as per the attached Cisco document. The TAC engineer also suggested the same to me. I am wondering why this is not mentioned in the document? The same policy works for vEdge devices. See attached.
Thank you.