08-28-2006 06:53 PM - edited 02-21-2020 02:35 PM
I have a hub and spoke network with GRE tunnels and EIGRP running to 28 sites from my head end. I have been asked to look into allowing several corporate types to tunnel into our VPN (so they can use Cisco Voice in their home offices). I have successfully implemented this with some surplus 806 routers for 2 such locations that have static IP Addresses and it works great. Now I am faced with a third site that has Dynamic IP Addressing on the outside interface. I tried experimenting with DMVPN but the 806 does not seem to support NHRP. Is there any way to support a remote site that has dynamically assigned IP address?
My existing configs for Static IP Sites look something like this:
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Myers-VPN
!
boot-start-marker
boot-end-marker
!
!
clock timezone PST -8
clock summer-time PDT recurring
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.31.1 192.168.31.99
!
ip dhcp pool CLIENT
 network 192.168.31.0 255.255.255.0
 domain-name wsi.local
 default-router 192.168.31.3
 netbios-name-server 192.168.1.5
 dns-server 192.168.1.5
 option 150 ip 192.168.1.88 192.168.1.87
 lease infinite
!
!
ip domain name wsi.local
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
class-map match-all Myers-VPN
 match access-group 150
!
!
policy-map VPN-tunnel-shapping-990
 description bandwidth shaping for Myers
 class Myers-VPN
  shape peak 1536000
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key MyKeyISHere address xxx.xxx.xxx.xxx (Head End IP)
no crypto isakmp ccm
!
!
crypto ipsec transform-set MyTransformIsHere esp-3des esp-md5-hmac
!
crypto map Myers-VPN 990 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set MyTransformIsHere
 match address 151
!
!
!
interface Tunnel990
 description To MSO Cutthroat_vpn - IP addr xxx.xxx.xxx.xxx
 ip address 192.168.201.246 255.255.255.252
 service-policy output VPN-tunnel-shapping-990
 ip mtu 1390
 load-interval 30
 keepalive 5 4
 tunnel source Ethernet1
 tunnel destination xxx.xxx.xxx.xxx
 crypto map Myers-VPN
!
interface Ethernet0
 description To Jim's PC
 ip address 192.168.31.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description To WSI Corp VPN via Internet
 ip address xxx.xxx.xxx.xxx 255.255.248.0
 ip nat outside
 ip virtual-reassembly
 crypto map Myers-VPN
!
router eigrp 316
 passive-interface Ethernet1
 network 192.168.31.0
 network 192.168.201.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route xxx.xxx.xxx.xxx 255.255.255.255 xxx.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 Tunnel990
ip route xxx.xxx.xxx.xxx 255.255.248.0 xxx.xxx.xxx.xxx
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Ethernet1 overload
!
logging trap warnings
logging 192.168.1.70
access-list 140 deny ip 192.168.31.0 0.0.0.255 10.125.0.0 0.0.255.255
access-list 140 deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 140 permit ip 192.168.31.0 0.0.0.255 any
access-list 150 permit ip any any
access-list 151 permit gre host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
snmp-server community readonly RO
snmp-server community readwrite RW
route-map nonat permit 10
 match ip address 140
!
Any wonderful Ideas out there?
08-29-2006 08:20 AM
Configuring Router-to-Router Dynamic-to-Static IPSec with NAT
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
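A sketch of the dynamic-to-static IPsec pattern named in the reply, as an added example that is not part of the thread or of the linked Cisco document. It reuses the transform set name and the 192.168.31.0/24 LAN from the posted configuration and assumes both routers already share that ISAKMP policy and transform set; the map names, access-list 152, the head-end address 203.0.113.1 and the key placeholder are assumptions. It protects LAN-to-corporate traffic directly instead of GRE, so EIGRP does not run to this site.

```cisco
! ===== Head end (static address 203.0.113.1, constructed) =====
! Wildcard key: the spoke's address is not known in advance, so the key
! cannot be tied to one peer; any peer that knows it can authenticate.
crypto isakmp key <pre-shared-key> address 0.0.0.0 0.0.0.0
!
! Template entry: the peer address and protected networks are taken from
! what the spoke proposes when it initiates.
crypto dynamic-map DYN-HOME 10
 set transform-set MyTransformIsHere
 ! Install a static route to the spoke LAN while the SA is up.
 reverse-route
!
! Attach the template to the crypto map already applied on the outside
! interface (HEADEND-MAP is a hypothetical name), using a higher sequence
! number than every static-peer entry so those are matched first.
crypto map HEADEND-MAP 65000 ipsec-isakmp dynamic DYN-HOME
!
! ===== Spoke (outside address assigned by the ISP) =====
crypto isakmp key <pre-shared-key> address 203.0.113.1
!
crypto map HOME-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MyTransformIsHere
 match address 152
!
interface Ethernet1
 description Outside, address learned by DHCP
 ip address dhcp
 ip nat outside
 crypto map HOME-VPN
!
! Protect LAN-to-corporate traffic itself; a GRE crypto ACL like 151
! needs both endpoint addresses, and the spoke's is not fixed.
access-list 152 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.255.255
```

Only the spoke can bring this tunnel up, because the head end has no peer address to initiate to. The NAT exemption for this traffic is already present in access-list 140 of the posted configuration.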