11-12-2014 02:14 PM
I have a single Spoke (for now) that I’m testing with, I’m running Phase 2 DMVPN and I have two tunnels built on the Spoke router. Tunnel 10 goes to DC1 and Tunnel 20 goes to DC2.
The Spoke router is sitting behind a normal SoHo Linksys router and the outside interface Gig0 is set for IP address dhcp. DC1 tunnel prefix is 10.16.1.0/23; DC2 tunnel prefix is 10.8.1.0/23.
The spoke router is a Cisco 892; the outside interface (tunnel source) is Gig0. The inside interface is VLAN 1, which has 8 FE ports. If I source pings to 8.8.8.8, for example, from the outside interface, traffic takes the default route through the SoHo router. If I source the traffic from the VLAN 1 interface, it also takes the same route, the default route. If I connect a PC behind the router and trace to 8.8.8.8, the first hop is the VLAN interface and then all traffic is dropped. I have NAT configured with an ACL matching the inside subnet and overloading it to the outside interface, Gig0. Both Hub routers and the Spoke router are running EIGRP; the Spoke is obviously configured as an EIGRP Stub.
As for routing, besides EIGRP, I have three static routes configured. One is the default route 0.0.0.0 0.0.0.0 192.168.1.1 towards the SoHo router. The other two are host-based statics that basically point each HUB router's public external address to the 192.168.1.1 address of the SoHo router.
Ex: ip route 1.1.1.1 255.255.255.255 192.168.1.1
Ex: ip route 2.2.2.2 255.255.255.255 192.168.1.1
Like I said, if I source the traffic towards Google's public DNS server of 8.8.8.8 from VLAN 1's interface, I get replies. If I add a host behind VLAN 1, I only get the gateway and then traffic is dropped. Also, the SoHo router is running DHCP for the inside clients (a /29).
Any help is appreciated; banging my head at this point.
Thanks,
Mike
11-13-2014 03:23 PM
1) First change the NAT/ACL to the following:
ip access-list ext NAT
! Exempt traffic bound for the hub-side 10.0.0.0/8 networks (reached over the DMVPN tunnels) from translation
deny ip any 10.0.0.0 0.255.255.255
! Only the inside /29 (10.75.1.8/29 in the posted config) is translated towards the internet
permit ip 10.75.1.8 0.0.0.7 any
ip nat inside source list NAT interface GigabitEthernet0 overload
2) Your QoS is very likely to be ineffective. It will only protect the voice traffic when the link to the DSL router is congested.
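To make the effect of the ACL change visible without a router, here is an added example (not from the thread) that evaluates the old standard ACL 95 and the corrected named ACL with IOS first-match and wildcard-mask semantics against a few constructed flows; the host addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" (translate) or "deny" (exempt from NAT)
    src: str     # "addr wildcard" or "any"
    dst: str     # "addr wildcard" or "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def should_nat(acl, src: str, dst: str) -> bool:
    """First matching entry wins; the implicit deny at the end means 'no translation'."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action == "permit"
    return False


# access-list 95 permit 10.75.1.8 0.0.0.7 -- a standard ACL only looks at the source,
# so every packet from the LAN is translated, including packets headed into the tunnels.
OLD_ACL = [AclEntry("permit", "10.75.1.8 0.0.0.7", "any")]

# Corrected named ACL: exempt 10.0.0.0/8 first, then translate the LAN towards the internet.
NEW_ACL = [
    AclEntry("deny", "any", "10.0.0.0 0.255.255.255"),
    AclEntry("permit", "10.75.1.8 0.0.0.7", "any"),
]

# Constructed flows: a LAN host to Google DNS, the same host to the hub-side DNS server
# from the DHCP pool, and a host that is not in the inside /29.
FLOWS = [("10.75.1.10", "8.8.8.8"), ("10.75.1.10", "10.2.10.11"), ("192.168.1.50", "8.8.8.8")]


def compare(flows=FLOWS):
    """Return {(src, dst): (nat_with_old_acl, nat_with_new_acl)} for each flow."""
    return {f: (should_nat(OLD_ACL, *f), should_nat(NEW_ACL, *f)) for f in flows}


if __name__ == "__main__":
    for flow, (old, new) in compare().items():
        print(f"{flow[0]} -> {flow[1]}: old NAT={old}, new NAT={new}")
```

The second flow is the one that matters: the old ACL translates LAN traffic destined for the hub networks, while the corrected ACL leaves it untouched so it can cross the tunnels with its real inside address.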
11-12-2014 11:42 PM
It would be easier to assist if you show us your spoke config.
11-13-2014 07:56 AM
Hi Karsten,
1. The client does get a valid IP config. When I traceroute out, the first hop is the VLAN 1 IP.
2. The Cisco 892 is running DHCP and is servicing clients behind the router.
3. The client can't build a connection to the internet (half of my issue). When I do my debugs and then source traffic from the VLAN 1 interface, the ACL for NAT gets incremented and I can see the debug output. DNS works correctly on the client, but internet traffic is not routing correctly, I believe.
4. I'm looking into the reverse path for the traffic and I assume that might be the issue. I have not enabled stateful inspection, but I can try that.
Here is the sanitized spoke config:
no ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.75.1.9
!
ip dhcp pool HBE
import all
network 10.75.1.8 255.255.255.248
dns-server 10.2.10.11 10.2.10.13
domain-name iceenterprise.com
netbios-name-server 10.2.10.11 10.2.10.13
netbios-node-type h-node
default-router 10.75.1.9
option 242 ascii MCIPADD=10.2.6.73,MCPORT=1719,HTTPSRVR=10.2.10.61,L2Q=1
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name iceenterprise.com
ip multicast-routing
no ipv6 cef
!
!
class-map match-any VOIP
match ip dscp ef
match ip dscp cs5
!
!
policy-map VOICE-OUT-POLICY
class VOIP
priority 20
class class-default
fair-queue
random-detect dscp-based
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile icedmvpn
set transform-set trans2
!
!
!
!
!
!
interface Tunnel10
bandwidth 1000
ip address 10.6.1.2 255.255.254.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXXXXXXXXXXXX
ip nhrp map 10.6.1.1 63.241.163.105
ip nhrp map multicast 63.241.163.105
ip nhrp network-id 50
ip nhrp holdtime 300
ip nhrp nhs 10.6.1.1
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile icedmvpn shared
!
interface Tunnel20
bandwidth 1000
ip address 10.8.1.2 255.255.254.0
no ip redirects
ip mtu 1400
ip nhrp authentication XXXXXXXXXXXXXX
ip nhrp map 10.8.1.1 12.152.67.105
ip nhrp map multicast 12.152.67.105
ip nhrp network-id 100
ip nhrp holdtime 300
ip nhrp nhs 10.8.1.1
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 100001
tunnel protection ipsec profile icedmvpn shared
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
spanning-tree portfast
!
interface FastEthernet5
no ip address
spanning-tree portfast
!
interface FastEthernet6
no ip address
spanning-tree portfast
!
interface FastEthernet7
no ip address
spanning-tree portfast
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0
description PublicFacing Interface
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
service-policy output VOICE-OUT-POLICY
!
interface Vlan1
description Private interface
ip address 10.75.1.9 255.255.255.248
ip pim dense-mode
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
!
router eigrp XXXX
network 10.6.0.0 0.0.1.255
network 10.8.0.0 0.0.1.255
network 10.75.1.8 0.0.0.7
eigrp stub connected
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 95 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 63.241.163.105 255.255.255.255 192.168.1.1
ip route 12.152.67.105 255.255.255.255 192.168.1.1
!
access-list 95 permit 10.75.1.8 0.0.0.7 log
no cdp run
!
control-plane
!
mgcp profile default
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
Thanks for the assist. I'm sure it's something simple that I'm missing.
Mike
11-13-2014 08:41 AM
And for the stateful inspection, this is a starting point:
ip access-list ext OUTSIDE-IN
permit ip host 12.152.67.105 any
permit ip host 63.241.163.105 any
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp
interface GigabitEthernet0
ip access-group OUTSIDE-IN in
ip inspect FW out
With that you could also configure your DSL router to forward all traffic to the 892. That could make troubleshooting in some situations a little bit easier.
In Router mode, there is another way to remove NAT from the 892:
With that, the 892 only has to route the traffic and NAT is only done on the public router.
Or even better, reconfigure the DSL router to "Bridge" or "Modem" mode. With that you have the public IP active on the 892 and you only have NAT on the 892.
11-13-2014 03:23 PM
Thanks Karsten for the help.... The last NAT statement did the job!
Appreciate the help.
Thanks,
Mike