DMVPN and NAT (PAT) 2
Telnet to the headquarters routers
・Use DMVPN Phase 3 with OSPF.
・Site-to-site packets are encrypted.
・Spokes can send traffic to other spokes directly.
・Branch routers can log in to R1 with the command telnet 10.0.0.1,
and to R11 with the command telnet 10.0.0.1 1234.
Initial Setup
R1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp redirect
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
router ospf 123
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
R2
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0
R3
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0
router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0
R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
interface Tunnel0
 tunnel protection ipsec profile PROFILE
R11
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1

R22
interface FastEthernet0/0
 ip address 192.168.2.22 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.2.2

R33
interface FastEthernet0/0
 ip address 192.168.3.33 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.3.3
Set Static PAT on R1
Configure NAT on R1 so that branch routers reach TCP port 23 on R11
when they connect to TCP port 1234 on R1.
The ip nat inside destination command cannot translate port numbers, so the ip nat inside source command must be used.
NAT is commonly used to translate the source IP address of traffic sent from the inside (private network) to the outside (Internet).
There are two types of NAT: static and dynamic.
Static NAT translates the source IP address of traffic sent from inside to outside, and it translates the destination IP address of traffic sent from outside to inside.
Dynamic NAT translates the source IP address of traffic sent from inside to outside, and it translates the destination IP address of the return packets sent from outside to inside. It cannot translate the destination IP address of a first packet sent from outside to inside, because no translation entry exists yet for that flow.
So static NAT must be used to translate the destination IP address toward the inside. Furthermore, PAT is needed in this case to change the destination port number as well.
R1
ip nat inside source static tcp 192.168.1.11 23 10.0.0.1 1234
interface FastEthernet0/1
 ip nat inside
interface Tunnel0
 ip nat outside
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.0.1:1234      192.168.1.11:23    ---                ---
R1, configured with this static PAT,
translates the destination IP address of packets received via Tunnel0 for 10.0.0.1 port 1234 to 192.168.1.11, and changes the destination port number to 23.
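The static versus dynamic behaviour described above, and the translation table R1 builds when a spoke connects to 10.0.0.1 port 1234, as an added Python model (not the page's own code and not IOS): the static entry is pre-populated with '---' in the outside columns, a first packet arriving from Tunnel0 can match it and creates a fully qualified flow entry, while a dynamic pool only ever gets entries from traffic leaving the inside interface. Addresses and ports are the lab's; the flow source port 17379 is the one in the page's output, and port 40000 and the dynamic-pool scenario are constructed.

```python
"""Model of R1's NAT table for this lab (an added illustration, not IOS and not
the page's own code). It implements the 'ip nat inside source' behaviour the
text describes in simplified form: a static PAT entry is pre-populated and may
be matched by a first packet arriving from outside; dynamic entries are only
ever created by traffic leaving the inside interface."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str  # "ip:port"
    dst: str  # "ip:port"


@dataclass
class Entry:
    """One row of 'show ip nat translations'; '---' means not yet known."""
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str = "---"
    outside_global: str = "---"


class NatRouter:
    """R1: FastEthernet0/1 is 'ip nat inside', Tunnel0 is 'ip nat outside'."""

    def __init__(self, own_addresses, dynamic_pool=None):
        self.own = set(own_addresses)     # addresses the router itself answers on
        self.dynamic_pool = dynamic_pool  # models an overloaded dynamic pool (assumption)
        self.table: list[Entry] = []

    def add_static_pat(self, proto, inside_local, inside_global):
        """ip nat inside source static tcp <local ip> <port> <global ip> <port>"""
        self.table.append(Entry(proto, inside_global, inside_local))

    def from_outside(self, pkt):
        """Packet received on Tunnel0: translate the destination if possible."""
        # 1. an existing fully qualified entry for this flow (e.g. a return packet)
        for e in self.table:
            if (e.proto, e.inside_global, e.outside_global) == (pkt.proto, pkt.dst, pkt.src):
                return Packet(pkt.proto, pkt.src, e.inside_local), "translated (existing flow)"
        # 2. a static entry: the only kind a first packet from outside can match
        for e in self.table:
            if e.proto == pkt.proto and e.inside_global == pkt.dst and e.outside_global == "---":
                self.table.insert(0, Entry(pkt.proto, e.inside_global, e.inside_local, pkt.src, pkt.src))
                return Packet(pkt.proto, pkt.src, e.inside_local), "translated (static PAT, new flow)"
        # 3. nothing matched: dynamic NAT never creates an entry from this direction
        if pkt.dst.split(":")[0] in self.own:
            return pkt, "not translated, handled by the router itself"
        return pkt, "not translated, forwarded as-is"

    def from_inside(self, pkt):
        """Packet received on FastEthernet0/1: translate the source."""
        for e in self.table:
            if (e.proto, e.inside_local) == (pkt.proto, pkt.src):
                return Packet(pkt.proto, e.inside_global, pkt.dst), "translated (source)"
        if self.dynamic_pool is not None:
            port = pkt.src.split(":")[1]  # port preserved, a simplification
            e = Entry(pkt.proto, f"{self.dynamic_pool}:{port}", pkt.src, pkt.dst, pkt.dst)
            self.table.insert(0, e)
            return Packet(pkt.proto, e.inside_global, pkt.dst), "translated (dynamic, new flow)"
        return pkt, "not translated"

    def show(self):
        """Render the table in the layout of 'show ip nat translations'."""
        rows = ["Pro Inside global      Inside local       Outside local      Outside global"]
        for e in self.table:
            rows.append(f"{e.proto:<3} {e.inside_global:<22} {e.inside_local:<18} "
                        f"{e.outside_local:<18} {e.outside_global}")
        return "\n".join(rows)


def build_r1():
    """R1 as configured on the page: one static PAT entry, no dynamic pool."""
    r1 = NatRouter(own_addresses={"10.0.0.1", "155.0.0.1", "192.168.1.1"})
    r1.add_static_pat("tcp", "192.168.1.11:23", "10.0.0.1:1234")
    return r1


def telnet_from_r22(r1, dst_port):
    """R22 (192.168.2.22) opens telnet to 10.0.0.1:<dst_port> through Tunnel0.
    Source port 17379 is the one seen in the page's output (constructed flow)."""
    return r1.from_outside(Packet("tcp", "192.168.2.22:17379", f"10.0.0.1:{dst_port}"))


def reply_from_r11(r1):
    """R11's answer to R22 gets its source rewritten back to 10.0.0.1:1234."""
    return r1.from_inside(Packet("tcp", "192.168.1.11:23", "192.168.2.22:17379"))


def dynamic_only():
    """Contrast for the text's dynamic-NAT point: an inside host can go out and
    get its reply back, but a first packet arriving from outside matches nothing.
    Port 40000 and this scenario are constructed."""
    r = NatRouter(own_addresses={"10.0.0.1"}, dynamic_pool="10.0.0.1")
    first_inbound = r.from_outside(Packet("tcp", "192.168.2.22:17379", "10.0.0.1:1234"))
    outbound = r.from_inside(Packet("tcp", "192.168.1.11:40000", "192.168.2.22:23"))
    reply = r.from_outside(Packet("tcp", "192.168.2.22:23", "10.0.0.1:40000"))
    return first_inbound, outbound, reply


if __name__ == "__main__":
    r1 = build_r1()
    print(telnet_from_r22(r1, 23))    # handled by R1 itself, table unchanged
    print(telnet_from_r22(r1, 1234))  # destination becomes 192.168.1.11:23
    print(reply_from_r11(r1))         # source becomes 10.0.0.1:1234 again
    print(r1.show())
    print(dynamic_only())
```

Running it reproduces the two table states shown on this page: only the static row before any spoke connects, and an extra fully qualified row (outside local and global filled in with the spoke's address and source port) once a spoke has connected to port 1234, while a connection to port 23 never touches the table.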
Configure R1 and R11 to accept telnet.
R1/R11
line vty 0 4
 password CCIE
 login
Telnet from R22
R22#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password: (Enter 'CCIE')
R1>
R22 can log in to R1 with telnet 10.0.0.1.
Packet capture on interface F0/0 of R1 (figure)
Disable encryption
R1/R2/R3
int tun0
 no tunnel protection ipsec profile PROFILE
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.0.1:1234      192.168.1.11:23    ---                ---
Packets to port 23 are not translated; only the static entry is in the table.
Telnet to port 1234
R22#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')
R11>
R22 can log in to R11 with telnet 10.0.0.1 1234.
Packet capture on interface F0/0 of R1 (figure)
Packet capture on interface F0/1 of R1 (figure)
The static PAT translates the destination IP address of the packets from 10.0.0.1 to 192.168.1.11
and the destination port number from 1234 to 23, and the packets are sent to R11.
R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.0.1:1234      192.168.1.11:23    192.168.2.22:17379 192.168.2.22:17379
tcp 10.0.0.1:1234      192.168.1.11:23    ---                ---
Check from R33
R33#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

User Access Verification

Password: (Enter 'CCIE')
R1>

R33#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')
R11>

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 10.0.0.1:1234      192.168.1.11:23    192.168.3.33:58279 192.168.3.33:58279
tcp 10.0.0.1:1234      192.168.1.11:23    ---                ---
R33 can log in to R1 and R11 as well.