Solved: NAT for DMVPN Traffic to redirect to IPSec Site-to-Site VPN

thomas.busse · ‎08-17-2012

Hello,

is it possible to NAT traffic comming from a DMVPN Cloud, to process it to an IPSec Site-to-Site VPN peer from the DMVPN hub router ?

Lets assum, the LAN networks in the DMVPN are all using addresses from the space 10.101.X.X /24 and need to contact the remote host 212.88.155.234 and network 94.247.119.0 /24. The IPSec Site-to-Site VPN Tunnel from the Hub to the Peer is working fine, but requieres me to NAT all 10.101.X.X /24 networks to the official outside address of the Hub Router.

The NAT for the Looback Interface of the Hub works fine, but is it possible to NAT the traffic that comes from the LAN networks of the spokes as well? I have tried putting "ip nat inside" on the Tunnel1 Interface, but that did not work :-)

Below is my NAT configuration.

Greetings

Thomas

interface Tunnel1

ip address 172.16.0.1 255.255.255.0

no ip redirects

ip mtu 1400

no ip next-hop-self eigrp 10

ip nat inside

ip nhrp authentication INTE1001

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip nhrp holdtime 600

ip virtual-reassembly in

ip tcp adjust-mss 1360

no ip split-horizon eigrp 10

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key 1001

tunnel protection ipsec profile IPSEC_PROFILE

!

interface Loopback0

description *** LAN Simulation ***

ip address 10.101.0.1 255.255.255.255

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0/0

description *** Internet ***

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map vpn

!

ip nat inside source list NAT-IPSEC interface GigabitEthernet0/0 overload

!

ip access-list extended IPSEC-TRAFFIC

permit ip host <<removed WAN IP Hub>> 94.247.119.0 0.0.0.255

permit ip host <<removed WAN IP Hub>> host 212.88.155.234

ip access-list extended NAT-IPSEC

permit ip 10.101.0.0 0.0.255.255 host 212.88.155.234

permit ip 10.101.0.0 0.0.255.255 94.247.119.0 0.0.0.255

deny ip any any

!

Here is a test from the Loopback Interface of the Hub router:

Zentrale#ping ip 212.88.155.234 source lo 0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 212.88.155.234, timeout is 2 seconds:

Packet sent with a source address of 10.101.0.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Zentrale#sh ip nat trans

Pro Inside global Inside local Outside local Outside global

icmp 92.67.80.237:80 10.101.0.1:80 212.88.155.234:80 212.88.155.234:80

Karsten Iwen · ‎08-20-2012

Your configuration is what you need to make that work. The problem should be somewhere else. Do you route the traffic for 94.247.119.0/24 and 212.88.155.234 from the spokes through the DMVPN-tunnel?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

thomas.busse · ‎08-19-2012

Hello,

has nobody an idea ? Is this even possible or how should I realize this?

Thanks.

Thomas

Karsten Iwen · ‎08-20-2012

Your configuration is what you need to make that work. The problem should be somewhere else. Do you route the traffic for 94.247.119.0/24 and 212.88.155.234 from the spokes through the DMVPN-tunnel?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

thomas.busse · ‎08-20-2012

Hello Karsten,

you were right, I had to add static routes on the spokes to the tunnel interface of the hub router, then every thing worked fine.

Thank you.

Greetings

Thomas