05-31-2012 12:20 AM - edited 03-07-2019 06:59 AM
Dear All,
Please, I would appreciate your help to resolve the following issue.
All the desired legitimate traffic between the remote site and the Data Center is operational without any issue using the firewall, because the DMVPN router forwards legitimate traffic to the firewall.
However, if we want to allow internet traffic from the spoke1 machine via the Data Center firewall (192.168.10.1), somehow we are unable to route it.
Following are the IP addresses and default gateway which are used at the remote site.
IP address :192.168.61.91
DG : 192.168.61.1
DNS : 213.42.20.20 (Etisalat DNS for direct internet access via firewall 192.168.10.1)
Following are the latest configuration and attached diagram for your information:
DMVPN_HUB Router configuration:
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name 213.42.20.20
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
!
crypto ipsec profile vpnprof
set transform-set trans2
!
!
!
!
!
interface Tunnel0
bandwidth 16384
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication 1p2@3s4s
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 600
ip policy route-map VPN-INTERNET
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface GigabitEthernet0/0
description Connected to AGI_DC_CS2 port gi2/42
ip address x.x.x.26 255.255.255.248
duplex full
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.10.3 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
router eigrp 1
redistribute static
network 10.0.0.0 0.0.0.255
network 192.168.10.3 0.0.0.0
network 192.168.0.0 0.0.255.255
no auto-summary
!
ip forward-protocol nd
no ip route static inter-vrf
ip route 0.0.0.0 0.0.0.0 83.111.201.25
ip route 172.17.0.0 255.255.0.0 192.168.10.1
ip route 172.31.0.0 255.255.0.0 192.168.10.1
ip route 192.168.2.0 255.255.255.0 192.168.10.1
ip route 192.168.5.0 255.255.255.0 192.168.10.1
ip route 192.168.32.0 255.255.255.0 192.168.10.1
ip route 192.168.33.0 255.255.255.0 192.168.10.1
ip http server
no ip http secure-server
!
ip flow-export version 5
ip flow-export destination 172.31.0.110 2048
!
ip dns server
!
access-list 10 permit 192.168.33.91
access-list 10 permit 192.168.33.90
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
route-map VPN-INTERNET permit 10
match ip address 100
set ip next-hop 192.168.10.1
!
!
snmp-server group readonly v3 auth match exact read readview
snmp-server view readview iso included
!
control-plane
!
SPOKE1 router configuration
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
!
aaa session-id common
ip cef
!
!
!
!
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
!
crypto ipsec profile vpnprof
set transform-set trans2
!
!
!
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.0
ip mtu 1400
ip nhrp authentication 1p2@3s4s
ip nhrp map 10.0.0.1 x.x.x.26
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 10.0.0.1
ip nhrp redirect
delay 1000
tunnel source FastEthernet0/0
tunnel destination x.x.x.26
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0
ip address 192.168.1.201 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.61.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
router eigrp 1
redistribute static
network 10.0.0.0 0.0.0.255
network 192.168.61.0
auto-summary
!
ip route 83.111.201.26 255.255.255.255 192.168.1.1
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
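As an added example (not from the original post), this Python model replays the hub's forwarding decision using only the route-map, ACL and static/connected routes quoted from the DMVPN_HUB configuration above; EIGRP-learned routes are deliberately not modelled, so the reply-path result shows what the static table alone would do. The addresses used in the checks are the spoke1 client and the Etisalat DNS address given in the post.

```python
import ipaddress
import re
# Constructed sample copied from the DMVPN_HUB configuration posted above.
HUB_CONFIG = """
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
route-map VPN-INTERNET permit 10
 match ip address 100
 set ip next-hop 192.168.10.1
ip route 0.0.0.0 0.0.0.0 83.111.201.25
ip route 172.17.0.0 255.255.0.0 192.168.10.1
ip route 172.31.0.0 255.255.0.0 192.168.10.1
ip route 192.168.2.0 255.255.255.0 192.168.10.1
ip route 192.168.5.0 255.255.255.0 192.168.10.1
ip route 192.168.32.0 255.255.255.0 192.168.10.1
ip route 192.168.33.0 255.255.255.0 192.168.10.1
"""
# Connected networks of Tunnel0 and Gi0/1, also taken from the hub config.
CONNECTED = [("10.0.0.0/24", "Tunnel0"), ("192.168.10.0/24", "GigabitEthernet0/1")]

def wildcard_to_net(addr, wildcard):
    """IOS wildcard mask (1 bits = don't care) -> IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_hub(config):
    """Extract ACLs, static routes and the route-map's match/set from IOS text."""
    acls, routes, policy = {}, [], {}
    for line in config.splitlines():
        if m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) any", line):
            acls.setdefault(m[1], []).append(wildcard_to_net(m[2], m[3]))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), m[3]))
        elif m := re.match(r"\s*match ip address (\d+)", line):
            policy["acl"] = m[1]
        elif m := re.match(r"\s*set ip next-hop (\S+)", line):
            policy["next_hop"] = m[1]
    routes += [(ipaddress.IPv4Network(net), ifname) for net, ifname in CONNECTED]
    return acls, routes, policy

def hub_forward(src, dst, ingress_pbr):
    """Next hop the hub picks. ingress_pbr=True models arrival on Tunnel0, where
    'ip policy route-map VPN-INTERNET' is evaluated before the routing table.
    Only connected and static routes are modelled; EIGRP-learned routes are not."""
    acls, routes, policy = parse_hub(HUB_CONFIG)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if ingress_pbr and any(src in net for net in acls[policy["acl"]]):
        return policy["next_hop"]  # policy routed straight to the DC firewall
    matches = [(net.prefixlen, hop) for net, hop in routes if dst in net]
    return max(matches)[1] if matches else "no route"  # longest prefix wins
```

hub_forward("192.168.61.91", "213.42.20.20", True) gives 192.168.10.1, while the reply hub_forward("213.42.20.20", "192.168.61.91", False) falls to the default route because no static route covers 192.168.61.0/24; the hub therefore depends on the EIGRP-learned route via Tunnel0 being present (check with show ip route on the hub), and the firewall at 192.168.10.1 equally needs a route for that subnet pointing at 192.168.10.3.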
09-26-2012 07:49 PM
hello:
I am having the same issue. I am speaking with my Cisco SE.
If I get a response before you do, I will post it.
Here is what he suggests first:
First, disable split-horizon for EIGRP ("no ip split-horizon eigrp 90").
- If this doesn't magically solve the problem, take a look at the following document: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
- If it still doesn't work, send us the output of the following debug commands:
- Debug crypto ipsec
- Debug crypto engine
- Debug crypto isakmp
This is my current situation:
From work I can connect to the hub and the spoke. The only addresses I can connect to the spoke with are its tunnel address, the local subnet and the loopback, and no others. There are connected devices, but they are not accessible from the HUB or the spoke.
If I try to traceroute or ping a connected device from the SPOKE (src = subnet or LB) it fails. However, a user connected to the spoke site can ping and traceroute the local subnet i/f or the spoke LB addr. One-way connectivity? Is traffic not leaving, or is there no known return path?
I need to run EIGRP so that the spokes can see the HUB devices and potentially talk spoke to spoke.
The GRE tunnels are up
EIGRP is passing updates; the routing tables look fine
I was testing to see if the spoke can get to Google.
Its IP address is used as I have no DNS enabled.
Google can be reached from the HUB, but not the spoke.
All spoke traffic must use the tunnel and NOT the local WAN interface, i.e. I do not want any Internet-destined traffic to connect to the Internet directly; it needs to go to the HUB first.
The HUB will forward all traffic it has not learned about from EIGRP directly to the WAN interface (which goes to the Internet). All learned traffic is either local or at one of the spokes.
Cheers
09-26-2012 09:01 PM
Here are configs that work for me:
HUB
interface Tunnel0
description $FW_OUTSIDE$
bandwidth 20000
ip address a.b.2.100 255.255.255.0
no ip redirects
no ip unreachables
ip mtu 1400
ip pim sparse-mode
no ip split-horizon eigrp 100
ip flow ingress
ip nhrp authentication PROJECT-N
ip nhrp map multicast dynamic
ip nhrp map group PROJECT-pol service-policy output PROJECT-pol-parent
ip nhrp network-id 9911
ip nhrp holdtime 900
ip nhrp registration timeout 120
ip tcp adjust-mss 1360
load-interval 30
delay 100
tunnel source GigabitEthernet0/2/0
tunnel mode gre multipoint
tunnel key 1357248
tunnel protection ipsec profile xxx_Profile
router eigrp 100
! the tunnel
network a.b.2.0 0.0.0.255
! the LAN side
network x.y.100.16 0.0.0.15
!
ip route 0.0.0.0 0.0.0.0
! absorb all unused subnets from being advertised
ip route x.y.0.0 255.0.0.0 Null0
=======================
Spoke
interface Tunnel0
bandwidth 20000
ip address a.b.2.111 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-mode
! may need to remove this line
no ip split-horizon eigrp 100
ip nhrp authentication PROJECT-N
ip nhrp map a.b.2.100
ip nhrp map multicast
ip nhrp map group PROJECT-pol service-policy output PROJECT-pol-parent
ip nhrp network-id 9911
ip nhrp holdtime 900
ip nhrp nhs a.b.2.100
ip nhrp registration no-unique
ip nhrp registration timeout 120
ip tcp adjust-mss 1360
load-interval 30
delay 100
if-state nhrp
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1357248
tunnel protection ipsec profile xxx_Profile
router eigrp 100
network a.b.2.0 0.0.0.255
network x.y.111.16 0.0.0.15
eigrp stub connected summary
no eigrp log-neighbor-changes
!
ip route 0.0.0.0 0.0.0.0
! absorb all unused subnets from being advertised
ip route x.y.0.0 255.0.0.0 Null0
09-26-2012 09:41 PM
https://supportforums.cisco.com/thread/2032270
Look here also.