DMVPN behind NAT is registering private IP

Brian M
Level 1

I have a DMVPN behind a NAT and when it connects to the hub it's registering its private address.

Routing is working fine to the hub, but when another spoke attempts to contact it, it cannot because all it knows about is the private IP.

Is there any way to register the IKE-negotiated address or have NHRP work properly behind a NAT?

!
hostname BRIVPN02
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.30.2.1 10.30.2.199
!
ip dhcp pool DHCP
 network 10.30.2.0 255.255.255.0
 dns-server 172.27.10.31 172.27.10.32 208.200.199.3
 default-router 10.30.2.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ABS16855 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ABS esp-3des esp-md5-hmac
!
crypto ipsec profile ABS
 set security-association lifetime seconds 600
 set transform-set ABS
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
 ip address 172.25.254.11 255.255.254.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication ABS_NET
 ip nhrp map multicast dynamic
 ip nhrp map multicast 66.54.184.15
 ip nhrp map 172.25.254.2 66.54.184.15
 ip nhrp network-id 1
 ip nhrp nhs 172.25.254.2
 ip nhrp shortcut
 ip nhrp redirect
 no ip split-horizon eigrp 10
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile ABS
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.30.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router eigrp 10
 network 10.30.2.0 0.0.0.255
 network 172.25.0.0
 no auto-summary
 eigrp router-id 172.25.254.11
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NAT interface FastEthernet4 overload
!
ip access-list extended NAT
 permit ip 10.30.2.0 0.0.0.255 any
!
!
!
!
route-map NAT permit 10
 match ip address NAT
!
!
control-plane
!
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 transport input ssh
!
scheduler max-task-time 5000
end


Brian M
Level 1

I figured it out: by setting my IPsec mode to transport, it started registering the real IP address, but now for some reason my EIGRP is only passing a small portion of routes.
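
The condition the reply describes (DMVPN tunnel protection left in IPsec tunnel mode on a spoke behind NAT) can be checked across saved spoke configs. The script below is an added example, not part of the original thread; `stanzas` and `audit_dmvpn_mode` are hypothetical helper names, and it assumes standard `show running-config` indentation.

```python
# Added example (not from the post); assumes show running-config indentation.
# Constructed sample: IPsec and Tunnel0 stanzas taken from the spoke config in the post.
SAMPLE = """\
crypto ipsec transform-set ABS esp-3des esp-md5-hmac
!
crypto ipsec profile ABS
 set transform-set ABS
!
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile ABS
!
"""

def stanzas(config):
    """Yield (header, [sub-commands]) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header, body

def audit_dmvpn_mode(config):
    """Return (interface, profile, transform_set) for each mGRE tunnel whose
    protection profile references a transform-set left in tunnel mode."""
    transport, profile_sets, tunnels = set(), {}, {}
    for header, body in stanzas(config):
        words = header.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
            # No "mode" sub-command means the IOS default, tunnel mode.
            if any(b.startswith("mode transport") for b in body):
                transport.add(words[3])
        elif words[:3] == ["crypto", "ipsec", "profile"] and len(words) > 3:
            profile_sets[words[3]] = [n for b in body
                                      if b.startswith("set transform-set ")
                                      for n in b.split()[2:]]
        elif words[0] == "interface" and "tunnel mode gre multipoint" in body:
            for b in body:
                if b.startswith("tunnel protection ipsec profile "):
                    tunnels[words[1]] = b.split()[4]
    return [(intf, prof, ts) for intf, prof in tunnels.items()
            for ts in profile_sets.get(prof, []) if ts not in transport]
```

Run against the posted config, `audit_dmvpn_mode` reports `Tunnel0`; once ` mode transport` is added under the `ABS` transform-set, the list comes back empty.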