DMVPN and NAT (PAT)
Use Headquarters' INTERNET-GW
・Use DMVPN Phase 3 with OSPF.
・SITE-to-SITE packets are encrypted (IPsec tunnel protection on the mGRE tunnel).
・Spokes can send traffic to other spokes directly (Phase 3 shortcut switching).
・Each BRANCH reaches the internet only via Headquarters' INTERNET-GW (R1),
and the SPOKEs' private IP addresses are translated to Headquarters' global IP address (155.0.0.1).
R1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ! Phase 3: the hub sends NHRP redirects so spokes can build direct shortcuts
 ! (added here; the original listing omitted it, which would leave the design in Phase 1 behaviour)
 ip nhrp redirect
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
router ospf 123
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
R2
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ! Phase 3: accept NHRP redirects from the hub and install shortcut routes
 ! (added here; not in the original listing)
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0
R3
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ! Phase 3: accept NHRP redirects from the hub and install shortcut routes
 ! (added here; not in the original listing)
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0
router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0
R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
interface Tunnel0
 tunnel protection ipsec profile PROFILE
This is lab-grade crypto. 3DES and DH group 2 (1024-bit MODP) are deprecated; in production use AES ('encr aes 256' and 'esp-aes 256') with group 14 or higher. The wildcard pre-shared key ('address 0.0.0.0') is what lets dynamically addressed spokes register, but it means anyone holding the key can join the DMVPN cloud, so use a long random secret or certificate authentication rather than 'CCIE'.
ISP
interface FastEthernet0/0
 ip address 155.0.0.254 255.255.255.0
interface FastEthernet0/1
 ip address 8.8.8.8 255.255.255.0
Set NAT (PAT) and the default route on R1.
R1
ip nat inside source list pool1 interface FastEthernet0/0 overload
ip access-list standard pool1
 permit 192.168.0.0 0.0.3.255
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
ip route 0.0.0.0 0.0.0.0 155.0.0.254
R1#ping 8.8.8.8 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/64 ms

R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 155.0.0.1:5        192.168.1.1:5      8.8.8.8:5          8.8.8.8:5

R1#traceroute 8.8.8.8 source f0/1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 155.0.0.254 48 msec 60 msec 68 msec
Set a default route on the SPOKEs, pointing at R1's LAN address.
R2/R3
ip route 0.0.0.0 0.0.0.0 192.168.1.1

R2#traceroute 8.8.8.8 source f0/1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 140 msec 128 msec 132 msec
  2 * * *
  3 * * *
The first hop (10.0.0.1) answers, so the packets reach HQ's Tunnel0 interface,
but no 'ICMP time exceeded' replies come back from the ISP for the later hops.
R2#sh ip route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 192.168.1.1
O IA  192.168.0.0/16 [110/1001] via 10.0.0.1, 01:18:21, Tunnel0
The default route's next hop, 192.168.1.1, is R1's LAN address, which the spoke learns via OSPF over the tunnel,
so the default route recurses onto Tunnel0 and the packets are encrypted.
When they reach HQ's Tunnel0 interface, they are decrypted.
IOS NAT translates an inside source only when the packet enters on an interface marked 'ip nat inside' and leaves through one marked 'ip nat outside'. Tunnel0 on R1 carries no 'ip nat inside', so the packets are forwarded out FastEthernet0/0 with their original private source address (192.168.2.2).
The ISP has no route back to 192.168.0.0/16, so neither the ICMP time exceeded nor the echo reply packets can return. As a side effect, the hub also leaks the branch's private addressing onto the ISP link.
Add 'ip nat inside' to the Tunnel0 interface on R1, then clear the existing translations.
R1
interface Tunnel0
 ip nat inside
R1#clear ip nat translation *
R2#ping 8.8.8.8 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/130/192 ms
The packets are now translated to 155.0.0.1: they enter R1 on Tunnel0, which is now 'ip nat inside', they exit FastEthernet0/0 ('ip nat outside'), and their source 192.168.2.2 matches access-list pool1. Spoke traffic destined for the HQ LAN (Tunnel0 to FastEthernet0/1) is inside-to-inside and is still forwarded untranslated, so site-to-site traffic is unaffected.
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 155.0.0.1:2        192.168.2.2:2      8.8.8.8:2          8.8.8.8:2

R2#traceroute 8.8.8.8 source f0/1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 244 msec 176 msec 144 msec
  2 155.0.0.254 140 msec 140 msec 192 msec
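To make the inside/outside rule behind the failed and the working traceroute explicit, here is an added Python model (not part of the original lab, not Cisco code). It encodes the IOS decision "translate only if ingress is 'ip nat inside', egress is 'ip nat outside', and the source matches the NAT access-list", models R1 before and after 'ip nat inside' was added to Tunnel0, and parses 'show ip nat translations' output so the result can be checked mechanically. Interface names, addresses and the pool1 ACL follow the R1 configuration above; the routing table inside the model is a simplified hand-written stand-in for R1's routes, and the sample 'show' output is constructed from the lines shown on this page.

```python
"""Model of the IOS NAT decision exercised in the DMVPN + PAT lab above.

Added example, not code from the original page. Routes, interface names
and the ACL mirror R1's configuration; the routing table is a simplified
model, not a parse of a real 'show ip route'.
"""
import ipaddress
import re
from dataclasses import dataclass, field


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask test: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class HubNat:
    """NAT-relevant state of R1: interface roles, access-list pool1, routes."""
    nat_role: dict = field(default_factory=dict)  # interface -> 'inside' | 'outside'
    acl_pool1: list = field(default_factory=lambda: [("192.168.0.0", "0.0.3.255")])
    inside_global: str = "155.0.0.1"              # 'interface FastEthernet0/0 overload'
    routes: dict = field(default_factory=lambda: {
        "0.0.0.0/0": "FastEthernet0/0",           # ip route 0.0.0.0 0.0.0.0 155.0.0.254
        "192.168.1.0/24": "FastEthernet0/1",      # HQ LAN
        "192.168.2.0/24": "Tunnel0",              # spoke LANs learned via OSPF
        "192.168.3.0/24": "Tunnel0",
        "10.0.0.0/24": "Tunnel0",                 # DMVPN tunnel subnet
    })

    def egress_for(self, dst: str) -> str:
        """Longest-prefix match over the modelled routing table."""
        d = ipaddress.IPv4Address(dst)
        candidates = [ipaddress.IPv4Network(p) for p in self.routes
                      if d in ipaddress.IPv4Network(p)]
        return self.routes[str(max(candidates, key=lambda n: n.prefixlen))]

    def matches_acl(self, src: str) -> bool:
        return any(wildcard_match(src, b, w) for b, w in self.acl_pool1)

    def forward(self, src: str, dst: str, ingress: str) -> tuple:
        """Return (egress interface, source address as seen on the egress wire)."""
        egress = self.egress_for(dst)
        translate = (self.nat_role.get(ingress) == "inside"
                     and self.nat_role.get(egress) == "outside"
                     and self.matches_acl(src))
        return egress, (self.inside_global if translate else src)


def r1_before_fix() -> HubNat:
    """R1 as first configured: Tunnel0 has no NAT role."""
    return HubNat(nat_role={"FastEthernet0/0": "outside", "FastEthernet0/1": "inside"})


def r1_after_fix() -> HubNat:
    """R1 after 'interface Tunnel0 / ip nat inside'."""
    return HubNat(nat_role={"FastEthernet0/0": "outside", "FastEthernet0/1": "inside",
                            "Tunnel0": "inside"})


# Constructed sample modelled on the 'show ip nat translations' output above.
SAMPLE_SHOW = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 155.0.0.1:2       192.168.2.2:2      8.8.8.8:2          8.8.8.8:2
udp  155.0.0.1:49164   192.168.3.3:49164  8.8.8.8:33437      8.8.8.8:33437
"""

NAT_ROW = re.compile(r"^(?P<proto>\w+)\s+(?P<ig>[\d.]+):\d+\s+(?P<il>[\d.]+):\d+"
                     r"\s+(?P<ol>[\d.]+):\d+\s+(?P<og>[\d.]+):\d+$")


def parse_nat_translations(text: str) -> list:
    """Return one dict per table row; the header and blank lines are skipped."""
    rows = (NAT_ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in rows if m]


def check_translations(text: str, hub: HubNat) -> list:
    """Flag rows not translated to the hub's address or sourced outside pool1."""
    problems = []
    for row in parse_nat_translations(text):
        if row["ig"] != hub.inside_global:
            problems.append(f"unexpected inside global {row['ig']} for {row['il']}")
        if not hub.matches_acl(row["il"]):
            problems.append(f"inside local {row['il']} is not covered by access-list pool1")
    return problems


if __name__ == "__main__":
    for label, hub in (("before", r1_before_fix()), ("after", r1_after_fix())):
        print(label, hub.forward("192.168.2.2", "8.8.8.8", "Tunnel0"))
    print(check_translations(SAMPLE_SHOW, r1_after_fix()))
```

Running it shows the spoke source leaving FastEthernet0/0 untranslated before the fix and as 155.0.0.1 after it, while spoke-to-HQ-LAN traffic stays untranslated in both cases. One edge the page's outputs do not show: a packet sourced from a spoke's tunnel address (10.0.0.2) toward the internet is not covered by pool1 and would still leak untranslated, so widen the ACL or filter it if that matters.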
R3 behaves the same way.
R3#ping 8.8.8.8 source f0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/120/132 ms

R3#traceroute 8.8.8.8 source f0/1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.0.0.1 132 msec 152 msec 144 msec
  2 155.0.0.254 184 msec 144 msec 192 msec
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 155.0.0.1:2        192.168.3.3:2      8.8.8.8:2          8.8.8.8:2
udp  155.0.0.1:49164    192.168.3.3:49164  8.8.8.8:33437      8.8.8.8:33437
udp  155.0.0.1:49165    192.168.3.3:49165  8.8.8.8:33438      8.8.8.8:33438
udp  155.0.0.1:49166    192.168.3.3:49166  8.8.8.8:33439      8.8.8.8:33439
udp  155.0.0.1:49171    192.168.3.3:49171  8.8.8.8:33437      8.8.8.8:33437
udp  155.0.0.1:49172    192.168.3.3:49172  8.8.8.8:33438      8.8.8.8:33438
udp  155.0.0.1:49173    192.168.3.3:49173  8.8.8.8:33439      8.8.8.8:33439