09-30-2014 12:26 PM - edited 03-04-2019 11:51 PM
Hi,
I have a DMVPN network with multiple spokes.
One of them needs to have a local breakout to the internet.
I wasn't able to find a configuration example, so maybe someone could show how to configure it.
Basically what I need is a split-tunnel configuration to redirect the internet traffic outside of the VPN tunnel.
Here's the config of my router:
!
hostname testrouter
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius testradius
server name PRO007
!
!
!
!
no ip domain lookup
ip domain name test-domain
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
!
!
!
!
!
track 1 list threshold percentage
object 101
object 102
delay down 180 up 5
!
track 101 ip sla 1 reachability
!
track 102 ip sla 2 reachability
!
!
!
crypto isakmp policy 10
encr aes 256
group 5
crypto isakmp profile ISAKMP-DMVPN-CA
self-identity fqdn
ca trust-point sec-ca
match identity host domain alert.local
keepalive 60 retry 10
!
!
crypto ipsec transform-set ESP-AES256-SHA-TRANSP esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile ESP-AES256-SHA-CA
set transform-set ESP-AES256-SHA-TRANSP
set isakmp-profile ISAKMP-DMVPN-CA
!
!
!
!
!
!
interface Loopback0
ip address 10.168.244.134 255.255.255.255
!
interface Tunnel0
bandwidth 5000
ip address 10.168.246.134 255.255.254.0
no ip redirects
no ip proxy-arp
ip mtu 1400
ip nhrp authentication DMVPN_05
ip nhrp map 10.168.246.1 xxx.xxx.xxx.xxx
ip nhrp map 10.168.246.2 xxx.xxx.xxx.xxy
ip nhrp map multicast xxx.xxx.xxx.xxx
ip nhrp map multicast xxx.xxx.xxx.xxy
ip nhrp network-id 121
ip nhrp holdtime 600
ip nhrp nhs 10.168.246.1
ip nhrp nhs 10.168.246.2
ip nhrp registration no-unique
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 121
tunnel path-mtu-discovery
tunnel protection ipsec profile ESP-AES256-SHA-CA shared
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp client-id FastEthernet4
ip access-group INET-INBOUND in
no ip proxy-arp
duplex auto
speed auto
!
interface Vlan1
ip address 10.169.6.177 255.255.255.248
no ip proxy-arp
!
router eigrp 1
distribute-list EIGRP-PERMIT-OUT out Tunnel0
network 10.0.0.0
passive-interface default
no passive-interface Tunnel0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route xxx.xxx.xxx.xxy 255.255.255.255 FastEthernet4 dhcp
ip route xxx.xxx.xxx.xxx 255.255.255.255 FastEthernet4 dhcp
ip route xxx.xxx.xxx.xxw 255.255.255.255 FastEthernet4 dhcp
!
ip access-list standard EIGRP-PERMIT-OUT
permit 10.169.0.0 0.0.31.255
permit 10.168.244.0 0.0.1.255
!
ip access-list extended INET-INBOUND
permit udp any any eq bootpc
permit esp host xxx.xxx.xxx.xxy4 any
permit gre host xxx.xxx.xxx.xxy4 any
permit udp host xxx.xxx.xxx.xxy4 eq 2000 any
permit udp host xxx.xxx.xxx.xxy4 any eq isakmp
permit udp host xxx.xxx.xxx.xxy4 any eq non500-isakmp
permit esp host xxx.xxx.xxx.xxy5 any
permit gre host xxx.xxx.xxx.xxy5 any
permit udp host xxx.xxx.xxx.xxy5 eq 2000 any
permit udp host xxx.xxx.xxx.xxy5 any eq isakmp
permit udp host xxx.xxx.xxx.xxy5 any eq non500-isakmp
permit tcp host 193.164.88.196 eq www any
permit udp host 193.164.88.196 eq 123 any
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded
deny ip 10.0.0.0 0.0.0.255 any
deny ip 172.16.0.0 0.0.16.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip any any
!
ip radius source-interface Tunnel0
ip sla 1
udp-echo 10.168.246.1 2000 control disable
threshold 3000
timeout 3500
frequency 4
ip sla schedule 1 life forever start-time now
ip sla 2
udp-echo 10.168.246.1 2000 control disable
threshold 3000
timeout 3500
frequency 4
ip sla schedule 2 life forever start-time now
!
!
!
!
!
!
!
snmp-server community rvssnmp RO
snmp-server location BX
snmp-server contact Securitas RVS team
!
radius server SECEUAD001
address ipv4 193.164.88.2 auth-port 1645 acct-port 1646
key 0 V8gUp9avUruprec
!
!
!
!
line con 0
exec-timeout 60 0
privilege level 15
line aux 0
line vty 0 4
exec-timeout 60 0
transport input telnet ssh
transport output telnet ssh
!
ntp server 10.168.246.1
ntp server 10.168.246.2
ntp server 193.164.88.196
ntp update-calendar
end
!
10-02-2014 07:42 AM
That's how it would work by default.
Only tunnel IPs and those defined by EIGRP will go through the Tunnel interface.
Please provide the output of show ip route to see your gateway of last resort.
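To make the answer's point concrete, here is an added example (not from the thread or from Cisco) that models the spoke's two decisions: which outgoing interface a destination takes, and which local prefixes the EIGRP-PERMIT-OUT distribute-list lets the spoke advertise into Tunnel0. The routing table is constructed from the posted config; the hub's public address (xxx.xxx.xxx.xxx in the post) is replaced by the placeholder 203.0.113.1, and the two EIGRP-learned prefixes are an assumption about what the hubs advertise, since the thread never shows the actual show ip route output.

```python
"""Added example (not part of the thread): a toy model of the spoke's forwarding
and EIGRP-advertisement decisions, built from the posted config."""
import ipaddress

# Placeholder for the hub's public address (shown as xxx.xxx.xxx.xxx in the post).
HUB_PUBLIC = "203.0.113.1"

# Constructed routing table. The default route comes from DHCP on FastEthernet4,
# the /32 to the hub mirrors 'ip route ... FastEthernet4 dhcp', the connected
# routes come from the interface config, and the two EIGRP prefixes are an
# assumption about what the hubs advertise (the thread never shows 'show ip route').
ROUTES = [
    ("0.0.0.0/0",         "FastEthernet4", "dhcp-default"),
    (HUB_PUBLIC + "/32",  "FastEthernet4", "static"),
    ("10.169.6.176/29",   "Vlan1",         "connected"),
    ("10.168.244.134/32", "Loopback0",     "connected"),
    ("10.168.246.0/23",   "Tunnel0",       "connected"),
    ("10.168.0.0/16",     "Tunnel0",       "eigrp"),      # assumed hub-side network
    ("10.169.0.0/16",     "Tunnel0",       "eigrp"),      # assumed other-spoke LANs
]

# The spoke's 'ip access-list standard EIGRP-PERMIT-OUT' as (network, wildcard) pairs.
EIGRP_PERMIT_OUT = [("10.169.0.0", "0.0.31.255"), ("10.168.244.0", "0.0.1.255")]


def build_table(routes=ROUTES):
    """Parse the string table into ipaddress objects once."""
    return [(ipaddress.ip_network(p), iface, src) for p, iface, src in routes]


def lookup(dst, table=None):
    """Longest-prefix match: return (prefix, interface, source) for a destination."""
    table = table if table is not None else build_table()
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, src in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return (str(best[0]), best[1], best[2]) if best else None


def egress_interface(dst, table=None):
    """Just the outgoing interface, which is what decides tunnel vs. local breakout."""
    hit = lookup(dst, table)
    return hit[1] if hit else None


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: bits set in the wildcard are 'don't care' bits."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


def advertised_into_tunnel(table=None, acl=EIGRP_PERMIT_OUT):
    """Connected prefixes that pass the outbound distribute-list on Tunnel0.

    A standard ACL used as a distribute-list is checked against the route's
    network address; anything not permitted is dropped by the implicit deny.
    """
    table = table if table is not None else build_table()
    out = []
    for net, iface, src in table:
        if src != "connected":
            continue
        if any(wildcard_match(str(net.network_address), n, w) for n, w in acl):
            out.append(str(net))
    return out


if __name__ == "__main__":
    for dst in ("8.8.8.8", HUB_PUBLIC, "10.169.20.5", "10.169.6.178", "10.168.244.1"):
        print(f"{dst:>16} -> {egress_interface(dst)}")
    print("advertised into Tunnel0:", advertised_into_tunnel())
```

Running it shows the split tunnel the answer describes: 8.8.8.8 and the hub's own public address leave via FastEthernet4 (the DHCP default route and the /32 static, which also keeps the tunnel endpoint from ever being routed back into the tunnel), while only prefixes learned over Tunnel0 or belonging to it go encrypted. The distribute-list check also shows that the Tunnel0 subnet itself (10.168.246.0/23) falls outside 10.168.244.0 0.0.1.255 and is therefore not advertised, whereas the Vlan1 and Loopback0 prefixes are.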
10-08-2014 10:46 AM
Hi Adam,
Problem solved!
THX
10-08-2014 10:48 AM
Happy to hear it!