Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3434
Views
0
Helpful
9
Replies

DMVPN Split Tunneling

Go to solution
srroeder
Level 1
Level 1

‎03-01-2012 12:01 PM - edited ‎02-21-2020 05:55 PM

Hello,

Thanks in advance for any help you can give.  My company uses DMVPN all over the country to back haul small office traffic to Headquarters.  We back haul all traffic.  Corporate network and Internet traffic for Websense usage.

I have a new site in Mexico that I am trying to drop a router in and we don't want to bring back their Internet traffic just the traffic for our internal network.  I can't seem to get this to work correctly.  No matter what I do all of their traffic comes down the tunnel to HQ.  I am trying to route their Internet traffic out their local ISP.  

Here is the drawing and the config of their spoke router is attached.

Network Diagram.jpg

Labels:
123650-mxprt01.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Gervia
Cisco Employee
Cisco Employee
In response to srroeder

‎03-01-2012 12:33 PM

This looks like it's set up properly (all traffic not in those 180.x subnets goes to 192.168.0.1).  Is there some sort of proxy server configuration that would be sending PC internet traffic over the tunnel?

The only other option is that 192.168.0.1 is sending packets back to the HQ somehow.

--Jason

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Jason Gervia
Cisco Employee
Cisco Employee

‎03-01-2012 12:14 PM

Can we get a

'show ip route'

from the spoke?  Right now it looks like all traffic not learned via EIGRP should be sent to 192.168.0.1.

0 Helpful

Go to solution
srroeder
Level 1
Level 1
In response to Jason Gervia

‎03-01-2012 12:25 PM

Here you go.....  Thanks.

sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

     180.7.0.0/16 is variably subnetted, 109 subnets, 5 masks
D       180.7.160.0/22 [90/26114816] via 180.7.250.1, 01:34:44, Tunnel0
C       180.7.185.0/24 is directly connected, FastEthernet0/0
D       180.7.180.0/22 [90/26114560] via 180.7.250.1, 01:34:45, Tunnel0
D       180.7.179.0/24 [90/26114816] via 180.7.250.1, 01:34:45, Tunnel0
D       180.7.140.0/22 [90/25858816] via 180.7.250.1, 01:34:45, Tunnel0
D       180.7.139.0/24 [90/25858816] via 180.7.250.1, 01:34:45, Tunnel0
D       180.7.159.0/24 [90/26114816] via 180.7.250.1, 01:34:44, Tunnel0
D       180.7.151.0/24 [90/25861120] via 180.7.250.1, 01:34:45, Tunnel0
D       180.7.150.0/24 [90/25861120] via 180.7.250.1, 01:34:45, Tunnel0
D       180.7.144.0/22 [90/25858816] via 180.7.250.1, 01:34:45, Tunnel0
S       180.7.253.24/32 [1/0] via 192.168.0.1
S       180.7.254.24/32 [1/0] via 192.168.0.1
D       180.7.253.0/24 [90/25864960] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.255.0/30 [90/25862400] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.254.0/24 [90/25858560] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.251.2/32 [90/25990400] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.249.0/24 [90/26123520] via 180.7.250.1, 00:08:12, Tunnel0
D       180.7.248.0/24 [90/26115072] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.251.1/32 [90/25989120] via 180.7.250.1, 01:34:46, Tunnel0
C       180.7.250.0/24 is directly connected, Tunnel0
D       180.7.241.0/24 [90/25861376] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.240.0/24 [90/25858816] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.243.0/24 [90/26114816] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.242.0/24 [90/26114816] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.201.0/24 [90/25861376] via 180.7.250.1, 01:34:46, Tunnel0
D       180.7.44.0/24 [90/25861376] via 180.7.250.1, 01:34:46, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
D EX    172.16.0.0 [170/25861376] via 180.7.250.1, 01:34:47, Tunnel0
     10.0.0.0/24 is subnetted, 1 subnets
D EX    10.254.253.0 [170/25858816] via 180.7.250.1, 01:34:47, Tunnel0
C    192.168.0.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.168.0.1
mxprt01# 

0 Helpful

Go to solution
Jason Gervia
Cisco Employee
Cisco Employee
In response to srroeder

‎03-01-2012 12:33 PM

This looks like it's set up properly (all traffic not in those 180.x subnets goes to 192.168.0.1).  Is there some sort of proxy server configuration that would be sending PC internet traffic over the tunnel?

The only other option is that 192.168.0.1 is sending packets back to the HQ somehow.

--Jason

0 Helpful

Go to solution
srroeder
Level 1
Level 1
In response to Jason Gervia

‎03-01-2012 12:52 PM

I don't know about the proxy server.

This is a real difficult install.  Foreign country ,  different language and language barriers.    I don't have control of the ISP router.   I only know that when they connected the router I shipped them the Tunnel came right up and then they started connecting PCs and got my Corporate Websense login when trying to go to the Internet.

When I traceroute from a PC at their location to an Internet address like 8.8.8.8 ,  the traffic goes straight out the tunnel.

0 Helpful

Go to solution
Jason Gervia
Cisco Employee
Cisco Employee
In response to srroeder

‎03-01-2012 12:59 PM

Strange.  Do a 'show ip cef exact-route SOURCIP 8.8.8.8' and see what you get for an output.

Also put an 'ip flow ingress' on the inbound interface and then do a 'show ip cache flow' and lets see what the source/destination IP addresses coming in that interface are - maybe that will show us where they are actually trying to reach.

0 Helpful

Go to solution
srroeder
Level 1
Level 1
In response to Jason Gervia

‎03-01-2012 06:16 PM

Here are two exact-route  commands,,,   one out to the Internet and one to the Corporate network.

mxprt01#sho ip cef exact-route 180.7.185.221 8.8.8.8
180.7.185.221 -> 8.8.8.8 => IP adj out of FastEthernet0/1, addr 192.168.0.1
mxprt01#sho ip cef exact-route 180.7.185.221 180.7.2.220
180.7.185.221 -> 180.7.2.220 => IP adj out of FastEthernet0/1, addr 192.168.0.1

0 Helpful

Go to solution
srroeder
Level 1
Level 1
In response to Jason Gervia

‎03-04-2012 08:43 AM

Just to update this discussion...............    The original config was correct.  I simply had to have the ISP add route command to their router...

ip route 180.7.185.0 255.255.255.0 192.168.0.32

All is working now,   thanks to everyone....

0 Helpful

Go to solution
Dennis Leon
Cisco Employee
Cisco Employee

‎03-01-2012 01:40 PM

Hello,

I don't see any NAT configuration on this Spoke router, so I'm assuming the NAT for Internet traffic is being done on the ISP's router 192.168.0.1; did you verify that?

Can you post the sh version of the Spoke?

Regards,

DL.

0 Helpful

Go to solution
srroeder
Level 1
Level 1
In response to Dennis Leon

‎03-01-2012 02:14 PM

Sorry about the delay,   I was changing some of the route statements on this router and cut my self off....   had to get them to power cycle.   The spoke config is attached to the first comment in this question.

Thanks

0 Helpful
Customers Also Viewed These Support Documents