IOS with DMVPN and NAT/PAT

Jeff Van Houten
Level 5

C2911 running 15.4(3)M6a

The router has a DMVPN connection to a hub and NAT overload (PAT) using a route-map. The problem is that certain packets are showing in the log as being denied by the ACL used by the route-map. Traffic over the DMVPN and general Internet access are good. Configuration as follows:

interface Tunnel0
bandwidth 10000
ip address 172.29.99.22 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication <snip>
ip nhrp map 172.29.99.1 <snip>
ip nhrp map multicast <snip>
ip nhrp network-id <snip>
ip nhrp holdtime 600
ip nhrp nhs 172.29.99.1
ip tcp adjust-mss 1360
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key <snip>
tunnel protection ipsec profile <snip>

interface GigabitEthernet0/0
description TO CHARTER CABLE MODEM
ip address dhcp
ip access-group INTERNET-IN in
ip nat outside
ip inspect BR-FW out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled

ip nat inside source route-map cc-term interface GigabitEthernet0/0 overload

route-map cc-term permit 10
match ip address 195
set ip next-hop dynamic dhcp

access-list 195 permit ip host 10.22.40.250 any
access-list 195 permit ip host 10.22.50.150 any
access-list 195 deny ip any any log

Log shows up as:

%SEC-6-IPACCESSLOGNP: list 195 denied 50 <GI0/0 Address> -> <HUB DMVPN EXTERNAL ADDRESS>, 12 packets

%SEC-6-IPACCESSLOGP: list 195 denied udp <GI0/0 Address>(0) -> <HUB DMVPN EXTERNAL ADDRESS>(0), 16 packets

The first log is ESP (protocol 50) and the second log is, I believe, ISAKMP (UDP 500). These logs show up at about 4-minute intervals.

Diagnostic:

#sh route-map
route-map cc-term, permit, sequence 10
  Match clauses:
    ip address (access-lists): 195
  Set clauses:
    ip next-hop dynamic dhcp - current value is <GI0/0 Next-Hop>
  Policy routing matches: 0 packets, 0 bytes

#sh ip nat transl
Pro Inside global           Inside local         Outside local         Outside global
tcp <GI0/0 Address>:36680   10.22.50.150:36680   204.141.57.100:443    204.141.57.100:443
tcp <GI0/0 Address>:36681   10.22.50.150:36681   204.141.57.101:443    204.141.57.101:443
tcp <GI0/0 Address>:36682   10.22.50.150:36682   12.149.218.73:443     12.149.218.73:443
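
Added example, not part of the original post: a small Python triage script for ACL deny logs of the shape shown above. It parses both message formats IOS uses (IPACCESSLOGNP for protocols without ports, such as ESP, and IPACCESSLOGP for tcp/udp), then buckets each denied flow by whether it is IPsec traffic (ESP, AH, UDP 500/4500) sourced from the router's own outside address towards a known peer, which is the router's tunnel traffic, or a flow from an inside host that the NAT ACL's permit lines do not cover. The documentation addresses standing in for the post's placeholders, the sample log lines, the treatment of udp hits with "(0)" ports as carrying no port information, and the category names are all this example's own assumptions.

```python
"""Triage IOS NAT route-map ACL deny logs (added example, not from the post)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IPACCESSLOGNP: "list 195 denied 50 A -> B, 12 packets" (protocol number, no ports)
# IPACCESSLOGP:  "list 195 denied udp A(0) -> B(0), 16 packets" (tcp/udp with ports)
LOG_NP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packet")
LOG_P = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")

IPSEC_IP_PROTOS = {"50": "ESP", "51": "AH"}
IPSEC_UDP_PORTS = {500: "ISAKMP", 4500: "NAT-T"}


@dataclass
class AclHit:
    acl: str
    action: str
    proto: str              # "tcp", "udp", or an IP protocol number as text
    src: str
    dst: str
    count: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_acl_log(line: str) -> Optional[AclHit]:
    """Return an AclHit for an IPACCESSLOG line, or None for any other syslog line."""
    m = LOG_NP.search(line)
    if m:
        return AclHit(m["acl"], m["action"], m["proto"], m["src"], m["dst"], int(m["count"]))
    m = LOG_P.search(line)
    if m:
        return AclHit(m["acl"], m["action"], m["proto"], m["src"], m["dst"],
                      int(m["count"]), int(m["sport"]), int(m["dport"]))
    return None


def ipsec_kind(hit: AclHit) -> Optional[str]:
    """Name the IPsec component a hit looks like, or None if it does not look like IPsec."""
    if hit.proto in IPSEC_IP_PROTOS:
        return IPSEC_IP_PROTOS[hit.proto]
    if hit.proto == "udp":
        for port in (hit.dport, hit.sport):
            if port in IPSEC_UDP_PORTS:
                return IPSEC_UDP_PORTS[port]
    return None


def classify(hit: AclHit, outside_addr: str, peer_addrs: set) -> str:
    """Bucket a hit. outside_addr is the router's NAT-outside (tunnel source)
    address; peer_addrs holds the external addresses of its IPsec peers (the hub)."""
    self_originated = hit.src == outside_addr
    to_peer = hit.dst in peer_addrs
    kind = ipsec_kind(hit)
    # Assumption: "(0)" ports, as in the post's udp line, carry no port information,
    # so a router-to-peer udp hit with zero ports is treated as probable IKE/NAT-T.
    if kind is None and hit.proto == "udp" and (hit.sport, hit.dport) == (0, 0) \
            and self_originated and to_peer:
        kind = "UDP (ports not recorded)"
    if kind and self_originated and to_peer:
        return "router-own-ipsec-to-peer"     # tunnel traffic, not an inside host
    if kind:
        return "ipsec-unexpected-endpoints"   # IPsec, but not router <-> known peer
    if self_originated:
        return "router-originated-other"
    return "inside-host-not-in-nat-acl"       # a host the ACL's permit lines miss


def summarize(lines: List[str], outside_addr: str, peer_addrs: set) -> Dict[str, int]:
    """Sum denied packet counts per category over a batch of syslog lines."""
    totals: Dict[str, int] = {}
    for line in lines:
        hit = parse_acl_log(line)
        if hit is None or hit.action != "denied":
            continue
        cat = classify(hit, outside_addr, peer_addrs)
        totals[cat] = totals.get(cat, 0) + hit.count
    return totals


# Constructed sample: RFC 5737 documentation addresses stand in for the post's
# <GI0/0 Address> and <HUB DMVPN EXTERNAL ADDRESS>; the last two lines are invented.
OUTSIDE = "198.51.100.23"
HUB = "203.0.113.10"
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGNP: list 195 denied 50 198.51.100.23 -> 203.0.113.10, 12 packets",
    "%SEC-6-IPACCESSLOGP: list 195 denied udp 198.51.100.23(0) -> 203.0.113.10(0), 16 packets",
    "%SEC-6-IPACCESSLOGP: list 195 denied udp 198.51.100.23(4500) -> 203.0.113.10(4500), 2 packets",
    "%SEC-6-IPACCESSLOGP: list 195 denied tcp 10.22.60.7(51234) -> 192.0.2.44(443), 3 packets",
    "%SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for cat, pkts in sorted(summarize(SAMPLE_LOG, OUTSIDE, {HUB}).items()):
        print(f"{cat:32} {pkts:5} packets")
```

Run over the post's two lines (with the placeholder addresses filled in), every denied packet sourced from the Gi0/0 address to the hub lands in the router-own-IPsec bucket and none in the inside-host bucket; separating those two cases is the check worth doing before touching the permit lines of ACL 195, since only the second bucket indicates an inside host the NAT ACL is actually missing.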
