VLAN behind DMVPN cannot get to Internet

Answered Question
Nov 12th, 2014

I have a single Spoke (for now) that I'm testing with. I'm running Phase 2 DMVPN and I have two tunnels built on the Spoke router. Tunnel 10 goes to DC1 and Tunnel 20 goes to DC2.

The Spoke router is sitting behind a normal SoHo Linksys router and the outside interface Gig0 is set for IP address dhcp. The DC1 tunnel prefix is 10.16.1.0/23; the DC2 tunnel prefix is 10.8.1.0/23.

The spoke router is a Cisco 892; the outside interface (tunnel source) is Gig0. The inside interface is VLAN 1, which has 8 FE ports. If I source pings to 8.8.8.8, for example, from the outside interface, traffic takes the default route through the SoHo router. If I source the traffic from the VLAN 1 interface, it also takes the same route, the default route. If I connect a PC behind the router and trace to 8.8.8.8, the first hop is the VLAN interface and then all traffic is dropped. I do have NAT configured with an ACL matching the inside subnet and overloading it to the outside interface of Gig0. Both Hub routers and the Spoke router are running EIGRP; the Spoke is obviously configured as an EIGRP Stub.

As for routing, besides EIGRP I have three static routes configured. One is the default route 0.0.0.0 0.0.0.0 192.168.1.1, towards the SoHo router. The other two are host-based statics that basically point each Hub router's public external address to the 192.168.1.1 address of the SoHo router.

Ex: ip route 1.1.1.1 255.255.255.255 192.168.1.1

Ex: ip route 2.2.2.2 255.255.255.255 192.168.1.1

Like I said, if I source the traffic towards Google's public DNS server of 8.8.8.8 from VLAN1's interface, I get replies. If I add a host behind the VLAN, I only get the gateway, then traffic is dropped. Also, the SoHo router is running DHCP for the inside clients (a /29).

Any help is appreciated; banging my head at this point.

Thanks,

Mike


Karsten Iwen Wed, 11/12/2014 - 23:42

It would be easier to assist if you show us your spoke config.

  1. Does the client get a valid IP config?
  2. How do you send the internal DHCP to the SoHo router? With an IP helper on Vlan1? And why don't you use the 892 as the DHCP server?
  3. Do you see that a translation is built when the client sends traffic to the internet?
  4. Can traffic come back; have you enabled stateful inspection?
Mike Hogenauer Thu, 11/13/2014 - 07:56

Hi Karsten,

1. The client does get a valid IP config. When I traceroute out, the first hop is the VLAN 1 IP.

2. The Cisco 892 is running DHCP and is servicing clients behind the router.

3. The client can't build a connection to the internet; half of my issue. When I do my debugs, then source traffic from the VLAN 1 interface, the ACL for NAT gets incremented and I can see the debug output. DNS works correctly on the client but internet traffic is not routing correctly, I believe.

4. I'm looking into the reverse path for the traffic and I assume that might be the issue. I have not enabled stateful inspection but I can try that.

Here is the sanitized spoke config:

no ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.75.1.9
!
ip dhcp pool HBE
 import all
 network 10.75.1.8 255.255.255.248
 dns-server 10.2.10.11 10.2.10.13 
 domain-name iceenterprise.com
 netbios-name-server 10.2.10.11 10.2.10.13 
 netbios-node-type h-node
 default-router 10.75.1.9 
 option 242 ascii MCIPADD=10.2.6.73,MCPORT=1719,HTTPSRVR=10.2.10.61,L2Q=1
 lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name iceenterprise.com
ip multicast-routing 
no ipv6 cef
!
!


class-map match-any VOIP
 match ip dscp ef 
 match ip dscp cs5 
!
!
policy-map VOICE-OUT-POLICY
 class VOIP
  priority 20
 class class-default
  fair-queue
  random-detect dscp-based
!

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile icedmvpn
 set transform-set trans2 
!
!
!
!
!
!
interface Tunnel10
 bandwidth 1000
 ip address 10.6.1.2 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXXXXXXXXXXX
 ip nhrp map 10.6.1.1 63.241.163.105
 ip nhrp map multicast 63.241.163.105
 ip nhrp network-id 50
 ip nhrp holdtime 300
 ip nhrp nhs 10.6.1.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile icedmvpn shared
!
interface Tunnel20
 bandwidth 1000
 ip address 10.8.1.2 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXXXXXXXXXXX
 ip nhrp map 10.8.1.1 12.152.67.105
 ip nhrp map multicast 12.152.67.105
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.8.1.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile icedmvpn shared
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description PublicFacing Interface
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 service-policy output VOICE-OUT-POLICY
!         
interface Vlan1
 description Private interface
 ip address 10.75.1.9 255.255.255.248
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
!
router eigrp XXXX
 network 10.6.0.0 0.0.1.255
 network 10.8.0.0 0.0.1.255
 network 10.75.1.8 0.0.0.7
 eigrp stub connected
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 95 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 63.241.163.105 255.255.255.255 192.168.1.1
ip route 12.152.67.105 255.255.255.255 192.168.1.1
!
access-list 95 permit 10.75.1.8 0.0.0.7 log
no cdp run
!

control-plane
!

mgcp profile default
!

line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh

 

Thanks for the assist; I'm sure it's something simple that I'm missing.

Mike

Correct Answer
Karsten Iwen Thu, 11/13/2014 - 15:28

1) First change the NAT/ACL to the following:

ip access-list extended NAT
  ! exempt everything destined for the DMVPN-reachable 10/8 space from translation
  deny ip any 10.0.0.0 0.255.255.255
  ! source range = the Vlan1 subnet 10.75.1.8/29 from the posted config
  permit ip 10.75.1.8 0.0.0.7 any
ip nat inside source list NAT interface GigabitEthernet0 overload

2) Your QoS is very likely to be ineffective. It will only protect the voice traffic when the link to the DSL router is congested.
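
To make the difference between the old and the suggested NAT list concrete, here is an added Python model (written for this page, not from the thread or from Cisco IOS) that evaluates IOS-style wildcard-mask ACL entries the way a NAT rule consults them: first match wins, implicit deny at the end. It assumes the spoke LAN is the 10.75.1.8/29 from the posted config and uses the hub-side DNS server 10.2.10.11 and hub tunnel address 10.6.1.1 from that config as destinations; the `log` keyword on the original list is not modelled.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": base 0.0.0.0, all-ones wildcard

def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_selects(acl, src, dst):
    """Walk entries in order; the first match decides; no match is an implicit deny.
    Each entry: (action, src_base, src_wildcard, dst_base, dst_wildcard)."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

# Original spoke config: "access-list 95 permit 10.75.1.8 0.0.0.7 log"
# (a standard ACL matches on source only, so the destination is 'any').
ACL_95 = [("permit", "10.75.1.8", "0.0.0.7", *ANY)]

# Suggested replacement, with the Vlan1 subnet from the posted config:
#   ip access-list extended NAT
#     deny   ip any 10.0.0.0 0.255.255.255
#     permit ip 10.75.1.8 0.0.0.7 any
ACL_NAT = [
    ("deny", *ANY, "10.0.0.0", "0.255.255.255"),
    ("permit", "10.75.1.8", "0.0.0.7", *ANY),
]

# Constructed sample flows from a PC on the spoke LAN (10.75.1.10 is made up).
FLOWS = {
    "pc->google dns": ("10.75.1.10", "8.8.8.8"),      # internet bound: should be NATed
    "pc->hub dns":    ("10.75.1.10", "10.2.10.11"),   # DMVPN bound: must not be NATed
    "pc->hub tunnel": ("10.75.1.10", "10.6.1.1"),     # DMVPN bound: must not be NATed
}

def compare(flows=FLOWS):
    """Return {flow_name: (selected_by_acl95, selected_by_acl_nat)}."""
    return {n: (acl_selects(ACL_95, s, d), acl_selects(ACL_NAT, s, d))
            for n, (s, d) in flows.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:16s} acl95={old!s:5s} NAT={new!s:5s}")
```

The old list hands every LAN-sourced packet to NAT regardless of destination, so any 10/8 traffic that leaves through Gig0 would be translated; the new list exempts 10/8 destinations while still translating internet-bound flows.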

Mike Hogenauer Thu, 11/13/2014 - 15:23

Thanks Karsten for the help.... The last NAT statement did the job!

Appreciate the help. 

Thanks, 
Mike 

Karsten Iwen Thu, 11/13/2014 - 08:41

And for the stateful inspection, this is a starting point:

ip access-list extended OUTSIDE-IN
  ! only the two DMVPN hubs may initiate traffic from the outside
  permit ip host 12.152.67.105 any
  permit ip host 63.241.163.105 any

ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp

interface GigabitEthernet0
  ip access-group OUTSIDE-IN in
  ip inspect FW out

With that you could also configure your DSL router to forward all traffic to the 892. That could make troubleshooting in some situations a little bit easier.

In router mode, there is another way to remove NAT from the 892:

  1. Configure the 892 as an "exposed host" or "DMZ host". The wording is different in the various routers; it just means that all traffic is forwarded to a specific box.
  2. Configure on the DSL router a static route to your internal network pointing to the 892.

With that, the 892 only has to route the traffic and NAT is only done on the public router.

Or even better, reconfigure the DSL router to "Bridge" or "Modem" mode. With that you have the public IP active on the 892 and you only have NAT on the 892.
