I have a single Spoke (for now) that I’m testing with, I’m running Phase 2 DMVPN and I have two tunnels built on the Spoke router. Tunnel 10 goes to DC1 and Tunnel 20 goes to DC2.
The Spoke router is sitting behind a normal SoHo Linksys router and the outside interface Gig0 is set for IP address dhcp. DC1 --> tunnel prefix is 10.16.1.0/23, DC2 tunnel prefix is 10.8.1.0/23.
The spoke router is a Cisco 892 – the outside interface (tunnel source) is Gig0. The inside interface is VLAN 1, which has 8 FE ports. If I source pings to 18.104.22.168 for example from the outside interface, traffic takes the default route – through the SoHo router. If I source the traffic from the VLAN 1 interface – it also takes the same route – the default route. If I connect a PC behind the router and trace to 22.214.171.124, the first hop is the VLAN interface and then all traffic is dropped. I do have NAT configured with an ACL matching the inside subnet and overloading it to the outside interface Gig0. Both Hub routers and the Spoke router are running EIGRP; the Spoke is obviously configured as an EIGRP Stub.
As for routing – besides EIGRP, I have three static routes configured. One – the default route 0.0.0.0 0.0.0.0 192.168.1.1 – towards the SoHo router. The other two are host-based statics that basically point each HUB router's public external address to the 192.168.1.1 address of the SoHo router.
Ex: IP route 126.96.36.199 255.255.255.255 192.168.1.1
Ex: IP route 188.8.131.52 255.255.255.255 192.168.1.1
Like I said, if I source the traffic towards Google's public DNS server of 184.108.40.206 from VLAN1's interface – I get replies. If I add a host behind the VLAN – I only get the gateway, then traffic is dropped. Also the SoHo router is running DHCP for the inside clients (a /29).
Any help is appreciated – banging my head at this point.
1. The client does get a valid IP config - when I traceroute out, the first hop is the VLAN 1 IP.
2. The Cisco 892 is running DHCP and is servicing clients behind the router.
3. The client can't build a connection to the internet - half of my issue - when I do my debugs and then source traffic from the VLAN 1 interface, the ACL for NAT gets incremented and I can see the debug output. DNS works correctly on the client, but Internet traffic is not routing correctly, I believe.
4. I'm looking into the reverse path for the traffic and I assume that might be the issue - I have not enabled stateful inspection but I can try that.
here is the sanitized spoke config:
no ip source-route
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.75.1.9
!
ip dhcp pool HBE
 import all
 network 10.75.1.8 255.255.255.248
 dns-server 10.2.10.11 10.2.10.13
 domain-name iceenterprise.com
 netbios-name-server 10.2.10.11 10.2.10.13
 netbios-node-type h-node
 default-router 10.75.1.9
 option 242 ascii MCIPADD=10.2.6.73,MCPORT=1719,HTTPSRVR=10.2.10.61,L2Q=1
 lease 0 2
!
ip cef
no ip domain lookup
ip domain name iceenterprise.com
ip multicast-routing
no ipv6 cef
!
class-map match-any VOIP
 match ip dscp ef
 match ip dscp cs5
!
policy-map VOICE-OUT-POLICY
 class VOIP
  priority 20
 class class-default
  fair-queue
  random-detect dscp-based
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile icedmvpn
 set transform-set trans2
!
interface Tunnel10
 bandwidth 1000
 ip address 10.6.1.2 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXXXXXXXXXXX
 ip nhrp map 10.6.1.1 220.127.116.11
 ip nhrp map multicast 18.104.22.168
 ip nhrp network-id 50
 ip nhrp holdtime 300
 ip nhrp nhs 10.6.1.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile icedmvpn shared
!
interface Tunnel20
 bandwidth 1000
 ip address 10.8.1.2 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication XXXXXXXXXXXXXX
 ip nhrp map 10.8.1.1 22.214.171.124
 ip nhrp map multicast 126.96.36.199
 ip nhrp network-id 100
 ip nhrp holdtime 300
 ip nhrp nhs 10.8.1.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0
 tunnel mode gre multipoint
 tunnel key 100001
 tunnel protection ipsec profile icedmvpn shared
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description PublicFacing Interface
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 service-policy output VOICE-OUT-POLICY
!
interface Vlan1
 description Private interface
 ip address 10.75.1.9 255.255.255.248
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
router eigrp XXXX
 network 10.6.0.0 0.0.1.255
 network 10.8.0.0 0.0.1.255
 network 10.75.1.8 0.0.0.7
 eigrp stub connected
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 95 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 188.8.131.52 255.255.255.255 192.168.1.1
ip route 184.108.40.206 255.255.255.255 192.168.1.1
!
access-list 95 permit 10.75.1.8 0.0.0.7 log
no cdp run
!
mgcp profile default
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
Thanks for the assist - I'm sure it's something simple that I'm missing.
And for the stateful inspection, this is a starting point:
ip access-list ext OUTSIDE-IN
permit ip host 220.127.116.11 any
permit ip host 18.104.22.168 any
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp
ip access-group OUTSIDE-IN in
ip inspect FW out
With that you could also configure your DSL-router to forward all traffic to the 892. That could make troubleshooting in some situations a little bit easier.
In Router-Mode, there is another way to remove NAT from the 892:
Configure the 892 as an "exposed host" or "DMZ host". The wording is different in the various routers; it just means that all traffic is forwarded to a specific box.
Configure on the DSL-router a static route to your internal network pointing to the 892.
With that, the 892 only has to route the traffic and NAT is only done on the public router.
Or even better, reconfigure the DSL-router to "Bridge"- or "Modem"-Mode. With that you have the public IP active on the 892 and you only have NAT on the 892.
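As an added example (not part of the answer above and not the original poster's config), this is how the OUTSIDE-IN list and the FW inspection rule from that starting point would be applied on the 892's public-facing interface, followed by the show commands used to confirm that NAT and the inspection engine are actually creating entries for traffic from a host behind Vlan1. It assumes the interface names and ACL 95 from the posted config, the hub addresses exactly as they appear on this page, and a constructed client address 10.75.1.10 inside the /29.

```cisco
! Extended ACL on the public side: the two DMVPN hubs may initiate
! (ISAKMP/ESP/NHRP), DHCP replies from the SoHo router may reach the 892
! itself, and everything else inbound must match a session that the
! inspection engine opened on the way out.
ip access-list extended OUTSIDE-IN
 permit ip host 220.127.116.11 any
 permit ip host 18.104.22.168 any
 permit udp any eq bootps any eq bootpc
 deny ip any any log
!
! Inspection rules. The router-traffic keyword covers sessions sourced by
! the 892 itself (the pings tested from Gig0 / Vlan1); the remaining
! entries cover hosts behind Vlan1 that are NATed through ACL 95.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp
!
! Both commands from the answer belong under the outside interface.
interface GigabitEthernet0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Verification after a client (constructed address 10.75.1.10) tries to
! reach an Internet host: the NAT table must show an inside-local entry
! for it, the inspect table must show the session, and the ACL deny
! counter/log must stay quiet for that flow.
show ip nat translations
show ip inspect sessions
show ip access-lists OUTSIDE-IN
show ip cef exact-route 10.75.1.10 8.8.8.8
```

If `show ip nat translations` stays empty while the client is sending, the packets are not reaching NAT on Vlan1 at all, and the routing/ACL 95 side deserves a look before the inspection configuration; if the translation appears but `show ip inspect sessions` shows nothing, the return traffic is what is being dropped at Gig0.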