
DMVPN and NAT Issue.

Amjad Hashim
Level 1

 

Hi All,

I have a very simple scenario here for IPSEC over GRE, but unfortunately things are not working as expected. Let me explain the connectivity.

 

           DC-RTR----------FW1----------Public Network----------FW2-----Client-RTR

 

It is as simple as this: both the DC and client routers are behind firewalls. I have done the router config on both routers and both are identical.

 

At the Data Center I am using static (identity) NAT on the firewall for the DC-RTR (10.27.59.243) address. There are two routers at the client site and they are configured with 192.168.112.210 and 211 respectively. I don't have access to the client firewall, and the engineer said he has configured the static translation from the 192 addresses to 10.128.14.75 and 76 respectively.

 

When I check the ISAKMP SA I can see the following.

192.168.112.210 10.27.59.243    MM_NO_STATE          0 ACTIVE
192.168.112.210 10.27.59.243    MM_NO_STATE          0 ACTIVE (deleted)
192.168.112.211 10.27.59.243    MM_NO_STATE          0 ACTIVE
192.168.112.211 10.27.59.243    MM_NO_STATE          0 ACTIVE (deleted)
10.27.59.243    10.128.14.76    MM_NO_STATE      10050 ACTIVE (deleted)
10.27.59.243    10.128.14.75    QM_IDLE          10051 ACTIVE

If I use show ip nhrp I get the following:

192.168.213.21/32 via 192.168.213.21
   Tunnel0 created 17:15:14, expire 00:05:49
   Type: dynamic, Flags: registered used 
   NBMA address: 192.168.112.210 
192.168.213.22/32 via 192.168.213.22
   Tunnel0 created 17:15:52, expire 00:05:52
   Type: dynamic, Flags: registered used 
   NBMA address: 192.168.112.211 

The IP addresses 192.168.112.210 and 192.168.112.211 are the real IPs configured on the routers' interfaces and are supposed to get NATted behind 10.128.14.75 and 76 respectively, but I don't see it happening.

UDP/4500 is allowed on both firewalls for NAT-T. The only thing about the client FW is that it is running 9.1 IOS and we are running 8.2.

I am not sure if it is client FW which is doing the trick.

Any help will be really appreciated.

 

Regards,

 

Amjad Hashim.

 

 

 
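The two outputs quoted in the post (show crypto isakmp sa and show ip nhrp) carry the whole symptom between them: the hub learns a spoke's NBMA address from the NHRP registration, and then tries to bring up IKE towards that address, so if the NBMA address in the cache is the spoke's pre-NAT address the hub-initiated SAs never get past MM_NO_STATE, while the spoke-initiated SAs from the translated address do. The script below is an added example, not code from the original post or from Cisco; it parses the two outputs into a small model and correlates them, flagging NHRP entries whose NBMA address has no established IKE SA and listing IKE peers that no NHRP entry names (the candidate post-NAT addresses). The sample input is constructed from the outputs quoted above, the hub address 10.27.59.243 is taken from the post, and the five-column isakmp layout (dst src state conn-id status) is an assumption about the IOS version in use.

```python
"""Correlate Cisco 'show ip nhrp' and 'show crypto isakmp sa' output.

Goal: for every dynamically registered spoke, check whether the NBMA
address the hub holds in its NHRP cache is also an address the hub has
a working IKE SA with. When a spoke sits behind NAT and the hub's cache
still carries the spoke's pre-NAT address, the hub-initiated IKE attempts
to that address stall in MM_NO_STATE while the spoke-initiated SA from
the translated address comes up, which is exactly what this flags.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input, trimmed from the outputs quoted in the post.
ISAKMP_SA = """\
dst             src             state          conn-id status
192.168.112.210 10.27.59.243    MM_NO_STATE          0 ACTIVE
192.168.112.210 10.27.59.243    MM_NO_STATE          0 ACTIVE (deleted)
192.168.112.211 10.27.59.243    MM_NO_STATE          0 ACTIVE
192.168.112.211 10.27.59.243    MM_NO_STATE          0 ACTIVE (deleted)
10.27.59.243    10.128.14.76    MM_NO_STATE      10050 ACTIVE (deleted)
10.27.59.243    10.128.14.75    QM_IDLE          10051 ACTIVE
"""

NHRP = """\
192.168.213.21/32 via 192.168.213.21
   Tunnel0 created 17:15:14, expire 00:05:49
   Type: dynamic, Flags: registered used
   NBMA address: 192.168.112.210
192.168.213.22/32 via 192.168.213.22
   Tunnel0 created 17:15:52, expire 00:05:52
   Type: dynamic, Flags: registered used
   NBMA address: 192.168.112.211
"""

HUB_ADDR = "10.27.59.243"  # hub NBMA address, from the post

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed layout: dst, src, state, then whatever else the IOS version prints.
ISAKMP_RE = re.compile(rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>[A-Z_]+)")
NHRP_TARGET_RE = re.compile(rf"^(?P<tunnel>{IPV4})/\d+ via ")
NHRP_NBMA_RE = re.compile(rf"^\s+NBMA address:\s+(?P<nbma>{IPV4})")


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    deleted: bool


@dataclass
class SpokeStatus:
    nbma: str
    verdict: str


@dataclass
class Report:
    spokes: dict = field(default_factory=dict)      # tunnel IP -> SpokeStatus
    unmapped_ike_peers: list = field(default_factory=list)


def parse_isakmp(text):
    """Parse 'show crypto isakmp sa'; the header line carries no IPs and is skipped."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_RE.match(line.strip())
        if m:
            sas.append(IsakmpSa(m["dst"], m["src"], m["state"], "(deleted)" in line))
    return sas


def parse_nhrp(text):
    """Return {tunnel_ip: nbma_ip} for each NHRP cache entry."""
    mapping, current = {}, None
    for line in text.splitlines():
        if m := NHRP_TARGET_RE.match(line):
            current = m["tunnel"]
        elif (m := NHRP_NBMA_RE.match(line)) and current:
            mapping[current] = m["nbma"]
            current = None
    return mapping


def correlate(nhrp_text, isakmp_text, hub):
    sas = parse_isakmp(isakmp_text)
    # Peers with a live, non-deleted Phase 1 SA, regardless of who initiated.
    established = {sa.src if sa.dst == hub else sa.dst
                   for sa in sas if sa.state == "QM_IDLE" and not sa.deleted}
    # Addresses the hub itself is trying to reach and getting nowhere.
    hub_initiated_failing = {sa.dst for sa in sas
                             if sa.src == hub and sa.state == "MM_NO_STATE"}
    report, seen_nbma = Report(), set()
    for tunnel_ip, nbma in parse_nhrp(nhrp_text).items():
        seen_nbma.add(nbma)
        if nbma in established:
            verdict = "ok"
        elif nbma in hub_initiated_failing:
            verdict = "hub-initiated IKE to NBMA stuck in MM_NO_STATE"
        else:
            verdict = "no IKE SA with NBMA address"
        report.spokes[tunnel_ip] = SpokeStatus(nbma, verdict)
    # Peers IKE is up with but which no NHRP entry names: likely post-NAT addresses.
    report.unmapped_ike_peers = sorted(established - seen_nbma)
    return report


if __name__ == "__main__":
    rep = correlate(NHRP, ISAKMP_SA, HUB_ADDR)
    for tunnel_ip, st in rep.spokes.items():
        print(f"{tunnel_ip}: NBMA {st.nbma}: {st.verdict}")
    print("IKE peers with no NHRP entry:", rep.unmapped_ike_peers)
```

On the quoted outputs both spokes come out as "hub-initiated IKE to NBMA stuck in MM_NO_STATE" and 10.128.14.75 is reported as an IKE peer no NHRP entry names, which is the mismatch the post describes. The check only states what the two tables show; it does not tell you which side (client firewall translation, NHRP NAT handling, or something else) is responsible for the cache holding the pre-NAT address.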

1 Reply

Amjad Hashim
Level 1

 

I have also noticed that on the HUB router I am seeing NHRP registration messages with private IP addresses.

*Sep 11 16:26:27.211: NHRP: Receive Registration Request via Tunnel0 vrf 0, packet size: 107
*Sep 11 16:26:27.211:  (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
*Sep 11 16:26:27.211:      shtl: 4(NSAP), sstl: 0(NSAP)
*Sep 11 16:26:27.211:      pktsz: 107 extoff: 52
*Sep 11 16:26:27.211:  (M) flags: "unique nat ", reqid: 67754 
*Sep 11 16:26:27.211:      src NBMA: 192.168.112.211
*Sep 11 16:26:27.211:      src protocol: 192.168.213.22, dst protocol: 192.168.213.1
*Sep 11 16:26:27.211:  (C-1) code: no error(0)
*Sep 11 16:26:27.211:        prefix: 32, mtu: 17854, hd_time: 360
*Sep 11 16:26:27.211:        addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 0
*Sep 11 16:26:27.211: NHRP: Tunnel0: Cache update for target 192.168.213.22/32 next-hop 192.168.213.22
*Sep 11 16:26:27.211:            192.168.112.211
*Sep 11 16:26:27.211: NHRP: Updating our cache with NBMA: 10.27.59.243, NBMA_ALT: 10.27.59.243
*Sep 11 16:26:27.211: NHRP: Setting 'used' flag on cache entry with nhop: 192.168.213.22
*Sep 11 16:26:27.211: NHRP: NHRP successfully mapped '192.168.213.22' to NBMA 192.168.112.211

 

Whereas it is supposed to map it to 10.128.14.76, which is the translated address on the firewall.