08-17-2012 04:31 AM - edited 02-21-2020 06:16 PM
Hello,
is it possible to NAT traffic coming from a DMVPN cloud, to process it to an IPSec Site-to-Site VPN peer from the DMVPN hub router?
Let's assume the LAN networks in the DMVPN are all using addresses from the space 10.101.X.X /24 and need to contact the remote host 212.88.155.234 and network 94.247.119.0 /24. The IPSec Site-to-Site VPN tunnel from the Hub to the peer is working fine, but requires me to NAT all 10.101.X.X /24 networks to the official outside address of the Hub router.
The NAT for the Loopback interface of the Hub works fine, but is it possible to NAT the traffic that comes from the LAN networks of the spokes as well? I have tried putting "ip nat inside" on the Tunnel1 interface, but that did not work :-)
Below is my NAT configuration.
Greetings
Thomas
interface Tunnel1
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 10
ip nat inside
ip nhrp authentication INTE1001
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip virtual-reassembly in
ip tcp adjust-mss 1360
no ip split-horizon eigrp 10
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 1001
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Loopback0
description *** LAN Simulation ***
ip address 10.101.0.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0
description *** Internet ***
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
!
ip nat inside source list NAT-IPSEC interface GigabitEthernet0/0 overload
!
ip access-list extended IPSEC-TRAFFIC
permit ip host <<removed WAN IP Hub>> 94.247.119.0 0.0.0.255
permit ip host <<removed WAN IP Hub>> host 212.88.155.234
ip access-list extended NAT-IPSEC
permit ip 10.101.0.0 0.0.255.255 host 212.88.155.234
permit ip 10.101.0.0 0.0.255.255 94.247.119.0 0.0.0.255
deny ip any any
!
Here is a test from the Loopback Interface of the Hub router:
Zentrale#ping ip 212.88.155.234 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.88.155.234, timeout is 2 seconds:
Packet sent with a source address of 10.101.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Zentrale#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 92.67.80.237:80 10.101.0.1:80 212.88.155.234:80 212.88.155.234:80
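As an added illustration (not part of the original thread), the following Python script models the hub's inside-to-outside forwarding order for the ACLs posted above: NAT towards Gi0/0 is applied first, and only then is the crypto map's ACL evaluated against the translated packet, so a spoke packet must match NAT-IPSEC before IPSEC-TRAFFIC can ever match it. HUB_WAN is an assumption taken from the "Inside global" column of the translation table, since the real WAN IP was redacted.

```python
from ipaddress import IPv4Address

# Hub WAN address: assumed from the "Inside global" column of the posted
# "sh ip nat trans" output (the WAN IP itself was redacted in the post).
HUB_WAN = "92.67.80.237"

# Entries copied from the posted config: (action, src, src-wildcard, dst, dst-wildcard)
NAT_IPSEC = [
    ("permit", "10.101.0.0", "0.0.255.255", "212.88.155.234", "0.0.0.0"),
    ("permit", "10.101.0.0", "0.0.255.255", "94.247.119.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]
IPSEC_TRAFFIC = [
    ("permit", HUB_WAN, "0.0.0.0", "94.247.119.0", "0.0.0.255"),
    ("permit", HUB_WAN, "0.0.0.0", "212.88.155.234", "0.0.0.0"),
]


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: a bit set in the wildcard is 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False


def hub_forward(src, dst):
    """Packet entering on an 'ip nat inside' interface (Tunnel1 or Loopback0)
    and leaving via Gi0/0: NAT overload is applied if NAT-IPSEC permits the
    original packet, then the crypto ACL is checked on the translated source.
    Returns (source address on the wire, encrypted by the crypto map)."""
    nat_src = HUB_WAN if acl_permits(NAT_IPSEC, src, dst) else src
    return nat_src, acl_permits(IPSEC_TRAFFIC, nat_src, dst)


if __name__ == "__main__":
    # Constructed sample: a spoke LAN host, a tunnel address and an Internet host.
    for src, dst in [("10.101.5.10", "212.88.155.234"),
                     ("10.101.5.10", "94.247.119.7"),
                     ("10.101.5.10", "8.8.8.8"),
                     ("172.16.0.5", "212.88.155.234")]:
        print(src, "->", dst, hub_forward(src, dst))
```

Without the translation, the spoke's 10.101.x.x source never matches IPSEC-TRAFFIC, which is why "ip nat inside" on Tunnel1 is needed in addition to the spoke routes.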
08-20-2012 12:15 AM
Your configuration is what you need to make that work. The problem should be somewhere else. Do you route the traffic for 94.247.119.0/24 and 212.88.155.234 from the spokes through the DMVPN-tunnel?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-19-2012 11:50 PM
Hello,
does nobody have an idea? Is this even possible, or how should I realize this?
Thanks.
Thomas
08-20-2012 12:28 AM
Hello Karsten,
you were right, I had to add static routes on the spokes to the tunnel interface of the hub router, then everything worked fine.
Thank you.
Greetings
Thomas