02-03-2016 12:02 PM - edited 03-08-2019 04:27 AM
Hello everyone, second attempt since my first post didn't seem to work.
I have a strange problem I can't seem to get my head around. I have a network with 3 locations connected with tunnels, and routing with EIGRP between the three. Everything works inside the network without issue. At SITE20, I have an SSL webserver hosting an application for remote users. "ip nat inside source static" works at SITE20. What I am trying to do is load balance (with DNS) requests to a URL between SITE10 and SITE30, forwarding those requests to SITE20 over the tunnels. I am already forwarding https at SITE20 (which works fine), hence using 10 and 30 to handle inbound requests.
I have an additional tunnel between 20 and 30; on occasion SITE10 goes down and I lose NHRP, so effectively I have no connections to any site. I did increase the holdtime on sites 20 and 30, perhaps that will help.
Here are my configs from each router.
SITE10
interface Tunnel0
description mGRE - DMVPN Tunnel
bandwidth 10000
bandwidth inherit
ip address 10.1.1.1 255.255.255.240
no ip redirects
ip nbar protocol-discovery
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp network-id 1
no ip split-horizon eigrp 1
no ip mroute-cache
qos pre-classify
tunnel source 111.111.111.111
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
description WAN
mac-address 0014.6987.f057
ip address dhcp
ip access-group BLOCK_EXT in
ip nat outside
ip virtual-reassembly max-reassemblies 64
duplex auto
speed auto
!
interface FastEthernet0/1
description "LAN"
ip address 10.10.10.1 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
ip nat inside source static tcp 10.20.30.150 443 interface FastEthernet0/0 443
-------------
10_R1841#show ip route 10.20.30.150
Routing entry for 10.20.30.0/24
Known via "eigrp 1", distance 170, metric 13058816, type external
Redistributing via eigrp 1, eigrp 2
Advertised by eigrp 2
Last update from 10.1.1.2 on Tunnel0, 2d12h ago
Routing Descriptor Blocks:
* 10.1.1.2, from 10.1.1.2, 2d12h ago, via Tunnel0
Route metric is 13058816, traffic share count is 1
Total delay is 500110 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1396 bytes
Loading 1/255, Hops 2
-------------
SITE20
interface Tunnel0
description R2 mGRE - DMVPN Tunnel
bandwidth inherit
ip address 10.1.1.2 255.255.255.240
no ip redirects
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp map 10.1.1.1 111.111.111.111
ip nhrp map multicast 111.111.111.111
ip nhrp network-id 1
ip nhrp holdtime 21600
ip nhrp nhs 10.1.1.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel protection ipsec profile protect-gre
!
interface Tunnel1
description SECCONDARY VPN - SITE30
bandwidth 100000
bandwidth inherit
ip address 10.2.1.2 255.255.255.240
no ip redirects
tunnel source 222.222.222.222
tunnel destination 333.333.333.333
tunnel path-mtu-discovery
!
interface FastEthernet0/0
description WAN
ip address dhcp
ip mtu 1472
ip flow egress
ip pim sparse-dense-mode
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 10.20.10.1 255.255.255.252
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
-----
20_R1821#show ip route 10.20.30.150
Routing entry for 10.20.30.0/24
Known via "eigrp 2", distance 90, metric 28416, type internal
Redistributing via nhrp, eigrp 1, eigrp 2
Advertised by eigrp 1
Last update from 10.20.10.2 on FastEthernet0/1, 7w0d ago
Routing Descriptor Blocks:
* 10.20.10.2, from 10.20.10.2, 7w0d ago, via FastEthernet0/1
Route metric is 28416, traffic share count is 1
Total delay is 110 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
----
SITE30
interface Tunnel0
description R3 mGRE - DMVPN Tunnel
bandwidth 5000
bandwidth inherit
bandwidth receive 100000
ip address 10.1.1.3 255.255.255.240
no ip redirects
ip nhrp authentication firewall
ip nhrp map multicast dynamic
ip nhrp map 10.1.1.1 111.111.111.111
ip nhrp map multicast 111.111.111.111
ip nhrp network-id 1
ip nhrp holdtime 21600
ip nhrp nhs 10.1.1.1
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel path-mtu-discovery
tunnel protection ipsec profile protect-gre
!
interface Tunnel1
description SECCONDARY VPN - SITE20
bandwidth 5000
bandwidth inherit
ip address 10.2.1.3 255.255.255.240
no ip redirects
tunnel source 333.333.333.333
tunnel destination 222.222.222.222
tunnel path-mtu-discovery
!
interface FastEthernet0/0
description LAN
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.10
description default-gateway VLAN
encapsulation dot1Q 10
ip address 10.30.10.1 255.255.255.252
ip accounting output-packets
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.99
description MGMT VLAN
encapsulation dot1Q 99
ip address 10.30.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
description WAN$ETH-WAN$
mac-address 0014.bff9.c654
ip dhcp client lease 7 0 0
ip address dhcp
ip access-group BLOCK_SMTP_IN in
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly max-reassemblies 64
duplex auto
speed auto
!
ip nat inside source static udp 10.20.30.150 443 interface FastEthernet0/1 443
-------
30_R1841#show ip route 10.20.30.150
Routing entry for 10.20.30.0/24
Known via "eigrp 1", distance 170, metric 13314816, type external
Redistributing via eigrp 2, eigrp 1
Advertised by eigrp 2
Last update from 10.2.1.2 on Tunnel1, 21:37:53 ago
Routing Descriptor Blocks:
* 10.2.1.2, from 10.2.1.2, 21:37:53 ago, via Tunnel1
Route metric is 13314816, traffic share count is 1
Total delay is 500110 microseconds, minimum bandwidth is 5000 Kbit
Reliability 255/255, minimum MTU 1476 bytes
Loading 1/255, Hops 2
30_R1841#
---------
Thank you for any assistance, I will also take any suggestions on how to improve my config should you see anything I've done that's not correct.
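As an added sanity check, not from the post or any reply in this thread: a small Python audit that parses SITE10's config and its "show ip route 10.20.30.150" output (constructed from the snippets above) and flags a port-forward whose path cannot be translated. It assumes classic IOS NAT behaviour, where translation only happens for traffic crossing between an interface marked `ip nat inside` and one marked `ip nat outside`; the function names and the finding text are my own.

```python
import re

# Constructed from SITE10's config and "show ip route" output in the post
SITE10_CFG = """interface Tunnel0
 ip address 10.1.1.1 255.255.255.240
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
ip nat inside source static tcp 10.20.30.150 443 interface FastEthernet0/0 443
"""
SITE10_ROUTE = """Routing entry for 10.20.30.0/24
  Known via "eigrp 1", distance 170, metric 13058816, type external
Routing Descriptor Blocks:
  * 10.1.1.2, from 10.1.1.2, 2d12h ago, via Tunnel0
"""

def nat_roles(cfg):
    """Map each interface to its NAT role: 'inside', 'outside' or None."""
    roles, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cur = m.group(1)
            roles[cur] = None
        elif cur and line.strip() in ("ip nat inside", "ip nat outside"):
            roles[cur] = line.split()[2]
    return roles

def static_forwards(cfg):
    """(proto, inside_ip, inside_port, wan_if, wan_port) per static port-forward."""
    pat = r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
    return [m.groups() for m in re.finditer(pat, cfg)]

def egress_interface(show_route):
    """Interface named on the active (*) descriptor block of 'show ip route'."""
    m = re.search(r"^\s*\*.*via (\S+)", show_route, re.M)
    return m.group(1) if m else None

def audit(cfg, show_route):
    """Return findings for each port-forward whose path cannot be translated."""
    findings, roles, egress = [], nat_roles(cfg), egress_interface(show_route)
    for proto, inside_ip, _, wan_if, wan_port in static_forwards(cfg):
        if wan_port == "443" and proto != "tcp":
            findings.append(f"{wan_if}:{wan_port} forwards {proto}, but HTTPS is TCP")
        if roles.get(wan_if) != "outside":
            findings.append(f"{wan_if} is not marked 'ip nat outside'")
        if roles.get(egress) != "inside":  # assumed classic-NAT domain crossing rule
            findings.append(f"{inside_ip} is reached via {egress}, which is not "
                            "marked 'ip nat inside', so the static NAT never applies")
    return findings
```

Run against SITE10 it reports the tunnel egress; swapping the SITE30 "udp" line in adds the protocol mismatch as a second finding.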
02-04-2016 01:00 AM
Hello, dennis.lloyd.
In your case I would try to add NAT at SITE 20 on the tunnel interfaces with this logic:
tunnel0 and tunnel1 should be ip nat outside (because you already have an inside LAN interface). After this you need to add 2 lines with "ip nat outside ..." for each tunnel interface. Also I would use this NAT with a route-map for only https traffic to this server.
What is the logical side of this solution: You have the right commands at SITE 10 and SITE 30. But response traffic goes out directly from SITE 20 (you can check it by "sh ip nat translations" at SITE 10 and SITE 30). So you need to change the src address of the packets (that come from the WAN) by NAT with the address of the tunnel interface.
Sorry that I can't show you commands because I don't have access to the lab environment right now.
Best Regards.