Enable Split Tunnel

rodger rau · ‎01-09-2018

Cisco 4000 series router. All traffic is going over DMVPN tunnels back through our main data center. Would like to route Internet traffic straight out the Internet interface and corporate destined traffic over the tunnels. I lose access to the site with the below configuration. Am I missing something?

interface GigabitEthernet0/0/0.52 (inside interface)

ip address 192.168.52.1 255.255.255.0
ip nat inside
ip virtual-reassembly

interface GigabitEthernet0/0/1 (outside interface)

ip address x.x.x.x (ISP IP)

ip nat outside
ip virtual-reassembly

ip nat pool internet x.x.x.x (ISP IP) x.x.x.x (ISP IP) netmask 255.255.255.252
ip nat inside source list internet pool internet overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP gateway ip)

ip access-list extended internet
permit ip 192.168.52.0 0.0.0.255 any
permit ip 192.168.53.0 0.0.0.255 any

Georg Pauwen · ‎01-09-2018

Hello,

you need to exclude the traffic that goes to the other side over the tunnel from your NAT. What is the IP address space of the other side(s) ?

rodger rau · ‎01-09-2018

10.0.0.0/8

192.168.0.0/16

rodger rau · ‎01-09-2018

I'm running IOS-XE and apparently you cannot use a NAT POOL for only 1 IP address.

Restrictions section:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-addr-consv.html#reference_255FB71880424C21A193DF9BC9B2F957

rodger rau · ‎01-10-2018

still not working.. the router doesnt drop.. but its not taking the correct path. traceroute to google still goes over DMVPN tunnel. My config sanitized

interface GigabitEthernet0/0/0.52 (inside)

ip nat inside
ip virtual-reassembly

interface GigabitEthernet0/0/1 (outside)

ip nat outside
ip virtual-reassembly

ip nat inside source list internet pool internet overload

ip access-list extended internet
permit ip 192.168.52.0 0.0.0.255 any
permit ip 192.168.53.0 0.0.0.255 any

ip route 0.0.0.0 0.0.0.0 (ISP IP)

Georg Pauwen · ‎01-10-2018

I do not see an access list for the DMVPN traffic. Post the full configuration...

rodger rau · ‎01-10-2018

Here ya go.. attached config does NOT have the split tunnel config applied that I posted above.

Georg Pauwen · ‎01-10-2018

Hello,

config looks ok as far as I can tell. Can you post the output of 'show ip route' ?

rodger rau · ‎01-10-2018

attached..without the split tunnel config changes

Georg Pauwen · ‎01-11-2018

Hello,

as far as I can tell, the problem is with the default route. You have configured:

ip route vrf DMVPN 0.0.0.0 0.0.0.0 x.x.x.x

What is the output of:

ping vrf DMVPN 8.8.8.8

rodger rau · ‎01-11-2018

cant ping it.. however, we are blocking ping to Internet

rodger rau · ‎01-11-2018

Should I just have the one default route? I have both configured when i have split tunnel configured.
ip route 0.0.0.0 0.0.0.0 (ISP GW IP)

remove(?):
ip route vrf DMVPN 0.0.0.0 0.0.0.0 x.x.x.x

Georg Pauwen · ‎01-11-2018

Hello,

the default route you have comes from an external source, I cannot figure out where it is originating. Are you doing some sort of redistribution ?

D*EX 0.0.0.0/0 [170/26880512] via 10.100.251.1, 02:24:55, Tunnel2

Assuming the configuration you posted is from one of the spokes, can you also post the hub configuration ?

rodger rau · ‎01-11-2018

attached

Georg Pauwen · ‎01-11-2018

Hello,

great, thanks. I need to lab this, will get back with you...