10-25-2013 01:28 AM - edited 02-21-2020 07:16 PM
Hi,
Can someone please tell me how to do NAT with FlexVPN?
I have a hub-to-spoke and spoke-to-spoke configuration with virtual-templates.
When I configure NAT and do a traceroute to a Google IP address, the first hop is the hub router.
But this should go directly to the Internet.
Thanks in advance,
Topcu, M
10-25-2013 04:02 AM
Maybe the problem is not with NAT, then, but with routing?
If you have NAT inside enabled on the LAN interface and NAT outside enabled on the WAN interface, and routing for Google is pointing out the WAN interface (and you have a matching NAT/PAT rule), you should go out directly and go through NAT.
10-25-2013 05:11 AM
Hi,
Let me show you my config. At this moment all works fine because Tunnel0 is shut down.
When I enable Tunnel0, all WWW traffic is pointing to the hub.
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authorization network Spoke local
!
!
!
!
!
aaa session-id common
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
!
!
!
ip dhcp pool DHCP-POOL
 network 10.68.1.0 255.255.255.0
 default-router 10.68.1.1
 dns-server 8.8.8.8
 lease 8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
crypto ikev2 authorization policy SPOKE.policy
 route set interface
 route set access-list 6
!
crypto ikev2 proposal SPOKE.pro
 encryption aes-cbc-256
 integrity sha256
 group 15
!
crypto ikev2 policy SPOKE.PROpolicy
 proposal SPOKE.pro
!
crypto ikev2 keyring SPOKE.keyring
 peer HUB
  address 0.0.0.0 0.0.0.0
  pre-shared-key local xxxxx
  pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile SPOKE.prof
 match identity remote address 0.0.0.0
 identity local address 217.112.xxx.xxx
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE.keyring
 aaa authorization group psk list Spoke SPOKE.policy
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
crypto ikev2 client flexvpn Flex_client
 peer 1 217.112.xxx.xxx
 client connect Tunnel0
!
!
!
!
!
!
crypto ipsec transform-set WilNet-ESP esp-gcm
 mode transport
!
crypto ipsec profile SPOKE.ipsprof
 set transform-set WilNet-ESP
 set ikev2-profile SPOKE.prof
!
!
!
!
!
!
!
interface Loopback1
 ip address 10.68.255.11 255.255.255.255
!
interface Tunnel0
 ip address 10.68.254.11 255.255.255.0
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 shutdown
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SPOKE.ipsprof
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 217.112.xxx.xxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.68.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SPOKE.ipsprof
!
!
router eigrp 11
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected
!
ip default-gateway 217.112.xxx.xxx
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 remark Nat traffic to Internet
access-list 1 permit 10.68.1.0 0.0.0.255
! access-list 6 is the route-set ACL referenced by SPOKE.policy: each
! permit entry is advertised to the IKEv2 peer as a prefix, so "permit any"
! advertises 0.0.0.0/0.
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Hope you can tell me what I'm doing wrong.
Thanks in advance,
10-25-2013 05:18 AM
Well, at a glance, it looks OK.
So what are the prefixes received from the hub?
M.
10-25-2013 05:22 AM
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.68.1.0/24 is directly connected, GigabitEthernet0/1
L        10.68.1.1/32 is directly connected, GigabitEthernet0/1
C        10.68.254.0/24 is directly connected, Tunnel0
L        10.68.254.11/32 is directly connected, Tunnel0
C        10.68.255.11/32 is directly connected, Loopback1
      217.112.xxx.0/24 is variably subnetted, 2 subnets, 2 masks
C        217.112.xxx.xxx/27 is directly connected, GigabitEthernet0/0
L        217.112.xxx.xxx/32 is directly connected, GigabitEthernet0/0
10-25-2013 05:29 AM
So the hub does not insert any EIGRP routes?
Quick question:
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
What's the point of this?
Is 10.0.0.0/24 a local subnet? It doesn't look to be.
Why do you need that "any"?
10-25-2013 05:42 AM
I have enabled the tunnels; I'm getting the EIGRP routes.
As far as I know, if you don't set permit any, it will block all other traffic by itself.
But I don't understand why I don't have a gateway of last resort and why 0.0.0.0 is connected with Virtual-Access1.
I think that this is causing the problem, but I'm not sure.
S*    0.0.0.0/0 is directly connected, Virtual-Access1
                is directly connected, Tunnel0
                is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
S        10.0.0.0/8 is directly connected, Virtual-Access1
C        10.68.1.0/24 is directly connected, GigabitEthernet0/1
L        10.68.1.1/32 is directly connected, GigabitEthernet0/1
H        10.68.2.0/24 [250/1] via 10.68.254.12, 00:00:15, Virtual-Access1
C        10.68.254.0/24 is directly connected, Tunnel0
L        10.68.254.11/32 is directly connected, Tunnel0
S %      10.68.254.12/32 is directly connected, Virtual-Access1
C        10.68.255.11/32 is directly connected, Loopback1
      217.112.xxx.xxx/24 is variably subnetted, 2 subnets, 2 masks
C        217.112.xxx.xxx/27 is directly connected, GigabitEthernet0/0
L        217.112.xxx.xxx/32 is directly connected, GigabitEthernet0/0
10-25-2013 06:20 AM
Have a look at the difference between route set and route accept.
You're forcing default routes... bad idea unless controlled :-)
Start by removing the "any" statement from access-lists using route set.
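The behaviour the answer above points at can be checked mechanically before a tunnel is ever brought up. The following is an added example, not code from this thread or from Cisco: it parses the kind of IOS configuration posted earlier, resolves the ACL referenced by `route set access-list` inside the `crypto ikev2 authorization policy` into the prefixes FlexVPN would hand to the IKEv2 peer, and flags any entry that resolves to 0.0.0.0/0, which is exactly what the peer then installs as the `S* 0.0.0.0/0 ... Virtual-Access1` route seen in the second routing table. The sample configuration is a constructed excerpt of the posted spoke config. The parser understands only numbered standard ACLs in `access-list N permit ...` form and `route set access-list` lines (indented or pasted flat); that limited grammar is an assumption of this example, not a complete IOS config parser.

```python
"""Lint a FlexVPN authorization policy for route-set ACLs that push a default route.

Added example (not from the thread). It models the FlexVPN behaviour discussed
above: every permit entry in an ACL referenced by `route set access-list` is
advertised to the IKEv2 peer as a prefix and installed there as a static route
on the Virtual-Access interface, so `permit any` becomes 0.0.0.0/0 on the peer.
"""
import ipaddress
import re

# Constructed excerpt of the posted spoke config (the broken form).
SAMPLE_CONFIG = """\
crypto ikev2 authorization policy SPOKE.policy
 route set interface
 route set access-list 6
!
access-list 1 remark Nat traffic to Internet
access-list 1 permit 10.68.1.0 0.0.0.255
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
"""

# Only numbered standard ACLs and `route set access-list` are understood (assumption).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(.+?)\s*$")
POLICY_RE = re.compile(r"^crypto ikev2 authorization policy\s+(\S+)")
ROUTE_SET_RE = re.compile(r"^\s*route set access-list\s+(\S+)")


def parse_acls(config):
    """Map ACL name/number -> list of token lists from its permit entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, rest = m.groups()
            acls.setdefault(name, []).append(rest.split())
    return acls


def parse_policies(config):
    """Map authorization policy name -> ACLs named in `route set access-list`."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        if current is None:
            continue
        # A policy block ends at "!" or at the next unindented, non-route line;
        # the "route " test keeps flattened (unindented) pastes parseable.
        in_block = line.startswith(" ") or line.lstrip().startswith("route ")
        if line.strip() == "!" or not in_block:
            current = None
            continue
        m = ROUTE_SET_RE.match(line)
        if m:
            policies[current].append(m.group(1))
    return policies


def acl_entry_to_prefix(tokens):
    """Standard-ACL permit tokens -> the prefix FlexVPN would advertise.

    'any' -> 0.0.0.0/0, 'host A' or bare 'A' -> A/32, 'A WILDCARD' -> prefix.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if len(tokens) == 1:
        return ipaddress.ip_network(tokens[0] + "/32")
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = (~wildcard) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    # A wildcard that is not a contiguous host mask has no single-prefix meaning.
    if netmask != ((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask {tokens[1]}")
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False)


def advertised_prefixes(config):
    """Policy name -> prefixes that `route set access-list` would push to the peer."""
    acls = parse_acls(config)
    result = {}
    for policy, acl_names in parse_policies(config).items():
        result[policy] = [acl_entry_to_prefix(entry)
                          for name in acl_names for entry in acls.get(name, [])]
    return result


def find_default_route_leaks(config):
    """(policy, prefix) for every advertised prefix that is a default route."""
    return [(policy, str(p))
            for policy, prefixes in advertised_prefixes(config).items()
            for p in prefixes if p.prefixlen == 0]


if __name__ == "__main__":
    for policy, prefix in find_default_route_leaks(SAMPLE_CONFIG):
        print(f"{policy}: route set would push {prefix} to every IKEv2 peer; remove 'permit any'")
```

Running it against the excerpt reports `SPOKE.policy` pushing 0.0.0.0/0; deleting the `permit any` line makes the report empty and leaves 10.0.0.0/8 as the only advertised prefix, which is the fix the thread arrived at. The same check belongs on the hub, since the spoke's table also shows the default arriving from the hub side.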
10-25-2013 06:48 AM
Hi,
Thanks for your help,
Indeed, permit any was causing the problem.
Removed them, restarted all other routers, and all works fine.
Thanks for your help.