NAT WITH FLEXVPN

Hi,

Can someone please tell me how to NAT with FlexVPN?

I have a HUB to Spoke and Spoke to Spoke configuration with virtual-templates.

When I configure NAT and do a traceroute to a Google IP address, the first hop is the HUB router.

But this should go directly to the internet.

Thanks in advance,

Topcu, M


Marcin Latosiewicz
Cisco Employee

Maybe then the problem is not with NAT but with routing?

If you have NAT inside/enable on the LAN interface and NAT outside/enable on the WAN interface, and routing for Google is pointing out the WAN interface (and you have a matching NAT/PAT rule), you should go out directly and go through NAT.

Hi,

Let me show you my config. At this moment all works fine because tunnel 0 is shutdown.

When I enable tunnel 0, all www traffic is pointing to the hub.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authorization network Spoke local
!
!
!
!
!
aaa session-id common
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
!
!
!
ip dhcp pool DHCP-POOL
 network 10.68.1.0 255.255.255.0
 default-router 10.68.1.1
 dns-server 8.8.8.8
 lease 8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username xxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
crypto ikev2 authorization policy SPOKE.policy
 route set interface
 route set access-list 6
!
crypto ikev2 proposal SPOKE.pro
 encryption aes-cbc-256
 integrity sha256
 group 15
!
crypto ikev2 policy SPOKE.PROpolicy
 proposal SPOKE.pro
!
crypto ikev2 keyring SPOKE.keyring
 peer HUB
  address 0.0.0.0 0.0.0.0
  pre-shared-key local xxxxx
  pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile SPOKE.prof
 match identity remote address 0.0.0.0
 identity local address 217.112.xxx.xxx
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE.keyring
 aaa authorization group psk list Spoke SPOKE.policy
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
crypto ikev2 client flexvpn Flex_client
  peer 1 217.112.xxx.xxx
  client connect Tunnel0
!
!
!
!
!
!
crypto ipsec transform-set WilNet-ESP esp-gcm
 mode transport
!
crypto ipsec profile SPOKE.ipsprof
 set transform-set WilNet-ESP
 set ikev2-profile SPOKE.prof
!
!
!
!
!
!
!
interface Loopback1
 ip address 10.68.255.11 255.255.255.255
!
interface Tunnel0
 ip address 10.68.254.11 255.255.255.0
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 shutdown
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SPOKE.ipsprof
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 217.112.xxx.xxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.68.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip mtu 1400
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SPOKE.ipsprof
!
!
router eigrp 11
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected
!
ip default-gateway 217.112.xxx.xxx
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 remark Nat traffic to Internet
access-list 1 permit 10.68.1.0 0.0.0.255
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Hope you can tell me what I'm doing wrong.

Thanks in advance,

Well, at a glance, it looks OK.

So what are the prefixes received from the hub?

M.

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.68.1.0/24 is directly connected, GigabitEthernet0/1
L        10.68.1.1/32 is directly connected, GigabitEthernet0/1
C        10.68.254.0/24 is directly connected, Tunnel0
L        10.68.254.11/32 is directly connected, Tunnel0
C        10.68.255.11/32 is directly connected, Loopback1
      217.112.xxx.0/24 is variably subnetted, 2 subnets, 2 masks
C        217.112.xxx.xxx/27 is directly connected, GigabitEthernet0/0
L        217.112.xxx.xxx/32 is directly connected, GigabitEthernet0/0

So the hub does not insert any EIGRP routes?

Quick question:

access-list 6 permit 10.0.0.0 0.255.255.255

access-list 6 permit any

What's the point of this?

Is 10.0.0.0/24 a local subnet? It doesn't look to be.

Why do you need that "any"?

I have enabled the tunnels, and I'm getting the EIGRP routes.

As far as I know, if you don't set permit any it will block all other traffic by itself.

But I don't understand why I don't have a gateway of last resort and why 0.0.0.0 is connected with Virtual-Access1.

I think that this is causing the problem, but I'm not sure.

S*    0.0.0.0/0 is directly connected, Virtual-Access1
                is directly connected, Tunnel0
                is directly connected, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 9 subnets, 3 masks
S        10.0.0.0/8 is directly connected, Virtual-Access1
C        10.68.1.0/24 is directly connected, GigabitEthernet0/1
L        10.68.1.1/32 is directly connected, GigabitEthernet0/1
H        10.68.2.0/24 [250/1] via 10.68.254.12, 00:00:15, Virtual-Access1
C        10.68.254.0/24 is directly connected, Tunnel0
L        10.68.254.11/32 is directly connected, Tunnel0
S   %    10.68.254.12/32 is directly connected, Virtual-Access1
C        10.68.255.11/32 is directly connected, Loopback1
      217.112.xxx.xxx/24 is variably subnetted, 2 subnets, 2 masks
C        217.112.xxx.xxx/27 is directly connected, GigabitEthernet0/0
L        217.112.xxx.xxx/32 is directly connected, GigabitEthernet0/0

Have a look at the difference between route set and route accept.

You're forcing default routes... bad idea unless controlled :-)

Start by removing the "any" statement from access-lists using route set.
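As an added example (not from the original thread or from Cisco), the spoke-side change the accepted answer describes, shown next to the posted lines: with "permit any" in the ACL used by "route set", the IKEv2 configuration exchange advertises 0.0.0.0/0 to the peer, which installs it as a static route on its Virtual-Access interface and wins over the Gi0/0 default. The same edit is assumed to be needed on the hub, whose policy is not posted, since the S* 0.0.0.0/0 and S 10.0.0.0/8 via Virtual-Access1 come from the hub's route set; the "route accept any distance" line is an assumed optional guard, check that your IOS release accepts it.

```cisco
! --- before (from the spoke config above): 0.0.0.0/0 is pushed to the peer
access-list 6 permit 10.0.0.0 0.255.255.255
access-list 6 permit any
!
! --- after: advertise only the prefix this spoke really owns (Gi0/1 LAN)
no access-list 6
access-list 6 remark prefixes pushed to the hub by "route set access-list 6"
access-list 6 permit 10.68.1.0 0.0.0.255
!
crypto ikev2 authorization policy SPOKE.policy
 route set interface
 route set access-list 6
 ! Assumed guard: install whatever the peer still pushes with a high AD, so
 ! the local "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0" (AD 1) keeps winning
 route accept any distance 250
!
! Verify: the default must point only out GigabitEthernet0/0 again, and the
! peer's advertised subnets must no longer contain 0.0.0.0/0
do show ip route 0.0.0.0
do show crypto ikev2 sa detailed
```

Apply the ACL change on both ends before bouncing the IKEv2 sessions, since each side only re-learns routes at session setup.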

Hi,

Thanks for your help,

Indeed, permit any was causing the problem.

I removed them, restarted all other routers, and all works fine.

Thanks for your help.