DMVPN and NAT

desmond.liew
Level 1

Hi All,

I am trying out a simulation on my own at the moment to try to figure out if it is possible for a router at a branch office running DMVPN to have a NAT setting such that if anyone accesses this NAT, it will be directed to a server at the HQ office.

Here is the full picture. I have multiple spokes in my DMVPN design with a single hub. All spokes are able to access each other, so this is a full mesh design. Each router has its own Internet access, so I would have a NAT Overload rule. In the real world, two of the spokes (SPOKE A & B) need to route via one of these spokes (SPOKE C) in order to reach the hub because, latency-wise, it is way better than going direct. Management now wants to build more web services but allow Internet users to access them via one of the remote spokes at SPOKE A & B. Sounds easy if I create a static NAT, but if I create a static NAT rule at one of the remote spokes, the return traffic will be asymmetric. The problem is that every router will have its own Internet access, so by the time the return traffic heads back, the hub router would have already routed it out via its own Internet because the source IP is public.

Is there any way that we can configure the NAT rule on the remote spokes so that it will also do a source NAT together with a destination NAT, so that the return traffic will return to where it originated from (the remote spoke which has the static NAT)? Or is there any alternative solution? I don't mind hearing the pros and cons.

Thanks in advance!

Sent from Cisco Technical Support iPad App

4 Replies

Marcin Latosiewicz
Cisco Employee

Desmond,

In fact running overload in the other direction (NAT overload all internet hosts) would be a possible way to grant packet affinity.

One other idea ... reverse-proxy'ing/LBing on spoke sides. So it would be the proxy/LB reaching to the end servers.

The only thing you'd need to do is NAT from internet to proxy/LB.

Marcin

(edit: There are probably quite a few more ways, I just wanted to start some brain storming)

Hi Marcin,

I went to read about all the possibilities you mentioned.

When you mentioned reverse proxy, I searched for 'cisco iOS reverse proxy' and I found a document from Cisco which talks about using WCCP. If I am not wrong, the endpoint server needs to support WCCP and certain protocols are supported (TCP80 and some others) depending on the version used. May not work.

The LB feature sounds promising but applies to Cisco's beefier models. I have Cisco 1921 and 891 at the spokes. I tried issuing the 'ip slb' command but the feature doesn't exist. Too bad.

The last idea is the NAT idea. I am not sure how to implement this since I have already defined 'ip nat outside' and 'ip nat inside' on my outside and inside interfaces respectively.

Sent from Cisco Technical Support iPad App

Hi Marcin,

Regarding the NAT you mentioned, did you mean doing a PAT (similar to a NAT Overload) but in the opposite direction? NAT Overload tends to be from inside, translating many internal addresses to a single inside global registered IP address (public IP address). Did you mean doing a NAT Overload from my outside to inside? So my ACL would match from ANY to or something like that?

Sent from Cisco Technical Support iPad App

Desmond,

I hope I'm understanding the problem :-)

Mind that I'm talking about concepts here, I think technically those will work, but it's not something I've tested.

Re. idea 1)

When I was suggesting reverse proxy I was not suggesting WCCP, although it would be cool :-)

NAT + Squid would be sufficient.

I.e.

Say the real server IP is A.

Squid's private IP address is B.

Squid's public IP is C.

What I had in mind is that when connecting on spoke X, everyone would be using the IP address of C (from outside/DMVPN).

That would be statically translated to B.

Now B would go to A (real or private) to get to the actual content (you can also implement caching on Squid to further optimize the link utilization).

A replies to B, B replies to whoever contacted them over internet (by going out through NAT).

Re. idea 2

Switching to NVI NAT could be an idea, you don't have to specify "inside" and "outside".

Marcin
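As an added illustration of idea 1 above (not configuration from the thread or from Cisco): a spoke-X IOS NAT fragment beside a matching Squid reverse-proxy configuration. All addressing is assumed: C = 203.0.113.10 (spoke X public address), B = 192.168.10.20 (Squid host on the spoke X LAN), A = 10.1.1.50 (HQ web server, reached over the DMVPN tunnel), and www.example.com stands in for the published site name.

```text
! --- Spoke X (Cisco IOS), assumed addressing ---
interface GigabitEthernet0/0
 description LAN holding the Squid host B (192.168.10.20)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 description Internet, public address C
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
! Tunnel0 (DMVPN) carries neither 'ip nat inside' nor 'ip nat outside',
! so the B -> A request over the tunnel is never translated.
!
! Internet users hit C on 80/443; only those ports are mapped to B, so the
! interface address stays usable for the existing overload rule. Replies from
! B leave through the same interface, which keeps the return path symmetric.
ip nat inside source static tcp 192.168.10.20 80 203.0.113.10 80
ip nat inside source static tcp 192.168.10.20 443 203.0.113.10 443
!
! Existing overload rule for LAN users. The ACL must deny the assumed HQ
! private range (10.0.0.0/8) so spoke-to-hub traffic is not translated.
ip access-list extended NAT-OVERLOAD
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-OVERLOAD interface GigabitEthernet0/1 overload

# --- squid.conf on B (192.168.10.20), reverse-proxy (accelerator) mode ---
# Listen for the translated Internet requests; 'accel' makes Squid a reverse
# proxy rather than a forward proxy, 'defaultsite' fills in a missing Host.
http_port 80 accel defaultsite=www.example.com

# Origin server A at HQ, reached over the DMVPN tunnel (assumed address).
cache_peer 10.1.1.50 parent 80 0 no-query originserver name=hq_web

# Only requests for the published site may use the proxy or reach HQ;
# everything else is refused so B is not an open relay to the HQ network.
acl hq_sites dstdomain www.example.com
http_access allow hq_sites
cache_peer_access hq_web allow hq_sites
http_access deny all
```

Squid's default memory cache already serves repeated objects from B; a `cache_dir` line would add the on-disk caching Marcin mentions for cutting tunnel utilization.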
