
DMVPN and NAT 3

Telnet to the headquarters routers and source NAT

・Use DMVPN Phase 3 with OSPF.

・Site-to-site packets are encrypted.

・Spokes can send traffic to other spokes directly (spoke-to-spoke tunnels).

・Branch routers can log in to R1 with the command telnet 10.0.0.1,

  and log in to R11 with the command telnet 10.0.0.1 1234.

・Configure R1 so that, when R22 logs in to R11, R22's source IP address appears as 8.8.8.8.

・Note that 8.8.8.8 does NOT exist in this topology.

Initial Setup

R1

 interface Tunnel0
  ip address 10.0.0.1 255.255.255.0
  ip nhrp map multicast dynamic
  ip nhrp network-id 123
  ip nhrp redirect
  ip ospf network point-to-multipoint
  tunnel mode gre multipoint
  tunnel source FastEthernet0/0
 !
 interface FastEthernet0/0
  ip address 155.0.0.1 255.255.255.0
 !
 interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
 !
 router ospf 123
  router-id 1.1.1.1
  network 10.0.0.1 0.0.0.0 area 0
  network 192.168.1.1 0.0.0.0 area 0

R2

 interface Tunnel0
  ip address 10.0.0.2 255.255.255.0
  no ip redirects
  ip nhrp map multicast 155.0.0.1
  ip nhrp map 10.0.0.1 155.0.0.1
  ip nhrp network-id 123
  ip nhrp nhs 10.0.0.1
  ip nhrp shortcut
  ip ospf network point-to-multipoint
  tunnel mode gre multipoint
  tunnel source FastEthernet0/0
 !
 interface FastEthernet0/0
  ip address 155.0.0.2 255.255.255.0
 !
 interface FastEthernet0/1
  ip address 192.168.2.2 255.255.255.0
 !
 router ospf 123
  router-id 2.2.2.2
  network 10.0.0.2 0.0.0.0 area 0
  network 192.168.2.2 0.0.0.0 area 0

R3

 interface Tunnel0
  ip address 10.0.0.3 255.255.255.0
  no ip redirects
  ip nhrp map multicast 155.0.0.1
  ip nhrp map 10.0.0.1 155.0.0.1
  ip nhrp network-id 123
  ip nhrp nhs 10.0.0.1
  ip nhrp shortcut
  ip ospf network point-to-multipoint
  tunnel mode gre multipoint
  tunnel source FastEthernet0/0
 !
 interface FastEthernet0/0
  ip address 155.0.0.3 255.255.255.0
 !
 interface FastEthernet0/1
  ip address 192.168.3.3 255.255.255.0
 !
 router ospf 123
  router-id 3.3.3.3
  network 10.0.0.3 0.0.0.0 area 0
  network 192.168.3.3 0.0.0.0 area 0

R1/R2/R3

 crypto isakmp policy 123
  encr 3des
  hash sha256
  authentication pre-share
  group 2
 crypto isakmp key CCIE address 0.0.0.0
 !
 crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
  mode transport
 !
 crypto ipsec profile PROFILE
  set transform-set TRANS
 !
 interface Tunnel0
  tunnel protection ipsec profile PROFILE

(These are lab settings only: 3DES, DH group 2 and a wildcard pre-shared key are deprecated choices that should not be used outside a practice topology, and the same applies to the Telnet access with a plain-text VTY password used below.)

R11

 interface FastEthernet0/0
  ip address 192.168.1.11 255.255.255.0
 !
 ip route 0.0.0.0 0.0.0.0 192.168.1.1

R22

 interface FastEthernet0/0
  ip address 192.168.2.22 255.255.255.0
 !
 ip route 0.0.0.0 0.0.0.0 192.168.2.2

R33

 interface FastEthernet0/0
  ip address 192.168.3.33 255.255.255.0
 !
 ip route 0.0.0.0 0.0.0.0 192.168.3.3

R1

 ip nat inside source static tcp 192.168.1.11 23 10.0.0.1 1234
 !
 interface FastEthernet0/1
  ip nat inside
 !
 interface Tunnel0
  ip nat outside

R1/R11

 line vty 0 4
  password CCIE
  login

Telnet to R11 from R22/R33

R22#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')

R11>

R33#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')

R11>

R11>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:03:14
*  2 vty 0                idle                 00:00:00   192.168.2.22
   3 vty 1                idle                 00:00:06   192.168.3.33

Both spokes reach R11 through the static port mapping on R1, and R11 sees their real source addresses.

Translate R22's source IP address to 8.8.8.8

The ip nat outside source static command translates the source IP address of traffic that enters on an outside interface and is sent toward the inside (outside global to outside local).

It also translates the destination IP address of the return traffic sent from inside to outside (outside local back to outside global).

In this case the port number does not need to change, so a plain (non-port) static entry is enough.

Configure ip nat outside source static on R1

R1

 ip nat outside source static 192.168.2.22 8.8.8.8

R1#clear ip nat translation *

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                8.8.8.8            192.168.2.22
tcp 10.0.0.1:1234      192.168.1.11:23    ---                ---

Telnet to R11 from R22 again

R22#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ...
% Connection timed out; remote host not responding

R1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                8.8.8.8            192.168.2.22
tcp 10.0.0.1:1234      192.168.1.11:23    8.8.8.8:57990      192.168.2.22:57990
tcp 10.0.0.1:1234      192.168.1.11:23    ---                ---

R1 translated the source IP address of R22's packets to 8.8.8.8 (the dynamic entry above), but the connection timed out.

Capture packets on R11

R11 received the TCP SYN with its source IP address already translated to 8.8.8.8, and sent the return packets (SYN/ACK) toward 8.8.8.8.

For a packet received on an inside interface, R1 looks up the destination IP address in its routing table before any NAT translation: traffic from inside to outside is routed first and translated afterwards.  ■Cisco.com NAT Order of Operation https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html#topic1

R1 has no route to 8.8.8.8, so the return packets are discarded.

R1 sends an ICMP Destination Unreachable to R11.

Configure a static route to 8.8.8.8

R1

 ip route 8.8.8.8 255.255.255.255 10.0.0.2

R1#sh ip route
S        8.8.8.8 [1/0] via 10.0.0.2
         :
O        10.0.0.2/32 [110/1000] via 10.0.0.2, 00:30:04, Tunnel0

R1#sh ip route 8.8.8.8
Routing entry for 8.8.8.8/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 10.0.0.2
      Route metric is 0, traffic share count is 1

R1#sh ip route 10.0.0.2
Routing entry for 10.0.0.2/32
  Known via "ospf 123", distance 110, metric 1000, type intra area
  Last update from 10.0.0.2 on Tunnel0, 00:30:49 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 2.2.2.2, 00:30:49 ago, via Tunnel0
      Route metric is 1000, traffic share count is 1

R1 now forwards the return traffic out Tunnel0 according to its routing table. Because ip nat outside is configured on Tunnel0, the NAT table is consulted on the way out, and the packet leaves with its destination IP address translated from the outside local address 8.8.8.8 to the outside global address 192.168.2.22.

R22#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')

R11>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:43:29
*  2 vty 0                idle                 00:00:00   8.8.8.8

R22 can now telnet to R11, and the Location shown is 8.8.8.8.

R33#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')

R11>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:44:43
   2 vty 0                idle                 00:01:14   8.8.8.8
*  3 vty 1                idle                 00:00:00   192.168.3.33

R33 can telnet too, but its source IP address is NOT translated, because the outside static entry matches only 192.168.2.22.

Disable encryption and capture packets

R1/R2/R3

 interface Tunnel0
  no tunnel protection ipsec profile PROFILE

Packet capture on R1's FastEthernet0/0 interface

The destination IP address of the TCP SYN/ACK from R11 was translated to 192.168.2.22 by R1 and sent GRE-encapsulated over the tunnel.

The extremely important point is that 8.8.8.8 does NOT actually exist in this topology.

From R11's point of view it appears to be communicating with 8.8.8.8.

R11#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 268/407/676 ms

R11#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 244 msec 396 msec 328 msec
  2 10.0.0.2 404 msec 548 msec 340 msec
  3 8.8.8.8 676 msec 520 msec 628 msec

In reality R11 is communicating with 192.168.2.22, i.e. R22: the third traceroute hop is R22's reply, with its source address rewritten to 8.8.8.8 by R1 on the way back in.

Configure the 'add-route' option

When the add-route option is set on the ip nat outside source static command, a static route is generated automatically

for the outside local address (8.8.8.8) with the outside global address (192.168.2.22) as its next hop.

R1(config)#ip nat outside source static 192.168.2.22 8.8.8.8 ?
  add-route  Add a static route for outside local address

R1

 no ip route 8.8.8.8 255.255.255.255 10.0.0.2
 ip nat outside source static 192.168.2.22 8.8.8.8 add-route

R1#clear ip route *

R1#sh ip route
S        8.8.8.8 [1/0] via 192.168.2.22
         :
O        192.168.2.0/24 [110/1001] via 10.0.0.2, 00:00:02, Tunnel0

R1#sh ip route 8.8.8.8
Routing entry for 8.8.8.8/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.168.2.22
      Route metric is 0, traffic share count is 1

R1#sh ip route 192.168.2.22
Routing entry for 192.168.2.0/24
  Known via "ospf 123", distance 110, metric 1001, type intra area
  Last update from 10.0.0.2 on Tunnel0, 00:03:07 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 2.2.2.2, 00:03:07 ago, via Tunnel0
      Route metric is 1001, traffic share count is 1

The next hop 192.168.2.22 is resolved recursively through the OSPF route for 192.168.2.0/24, so the generated route also points out Tunnel0. R1 looks up the destination IP address of the packet in its routing table, then sends the packet, with the destination IP address translated, out the interface configured with ip nat outside.
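To make the order of operations concrete, below is an added Python model of R1 that replays the exchanges from the two explanations above (the dropped return traffic without a route to 8.8.8.8 and the route installed by add-route). It is written for this page and is not code from Cisco or from the original post; it only reproduces the forwarding rules the page describes: outside-to-inside packets are translated first and then routed, inside-to-outside packets are routed on the untranslated destination and translated only if they exit through an ip nat outside interface. The routing table entries (derived from the lab addressing), the ephemeral port 57990 and all class and function names are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Added model for this page (not IOS code). Routes, port numbers and names are assumptions.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: Optional[str] = None
    iface: Optional[str] = None   # None means "resolve next_hop recursively"


class HubRouter:
    """R1: a routing table plus 'ip nat inside/outside source static' entries."""

    def __init__(self, routes, inside_if, outside_if):
        self.routes = [(ipaddress.ip_network(r.prefix), r) for r in routes]
        self.inside_if = inside_if
        self.outside_if = outside_if
        self.inside_static = {}    # (inside local ip, port) -> (inside global ip, port)
        self.outside_static = {}   # outside global ip -> outside local ip

    def add_inside_static(self, local, lport, glob, gport):
        """ip nat inside source static tcp <local> <lport> <global> <gport>"""
        self.inside_static[(local, lport)] = (glob, gport)

    def add_outside_static(self, outside_global, outside_local, add_route=False):
        """ip nat outside source static <outside global> <outside local> [add-route]"""
        self.outside_static[outside_global] = outside_local
        if add_route:  # add-route installs a host route: outside local via outside global
            host = outside_local + "/32"
            self.routes.append((ipaddress.ip_network(host), Route(host, next_hop=outside_global)))

    def lookup(self, dst, depth=0):
        """Longest-prefix match with recursive next-hop resolution; returns egress interface or None."""
        if depth > 8:  # guard against recursive-route loops
            return None
        addr = ipaddress.ip_address(dst)
        best = None
        for net, route in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
        if best is None:
            return None
        if best[1].iface is not None:
            return best[1].iface
        return self.lookup(best[1].next_hop, depth + 1)

    def process(self, pkt, ingress):
        """Forward one packet. Returns ("forward", egress_if, pkt) or ("drop", reason, pkt)."""
        if ingress == self.outside_if:
            # Outside -> inside: translate FIRST (source outside global -> outside local,
            # destination inside global -> inside local), THEN route on the translated destination.
            src = self.outside_static.get(pkt.src, pkt.src)
            dst, dport = pkt.dst, pkt.dport
            for (local, lport), (glob, gport) in self.inside_static.items():
                if (glob, gport) == (pkt.dst, pkt.dport):
                    dst, dport = local, lport
            pkt = replace(pkt, src=src, dst=dst, dport=dport)
            egress = self.lookup(pkt.dst)
            if egress is None:
                return ("drop", "no route after translation", pkt)
            return ("forward", egress, pkt)
        # Inside -> outside: route FIRST on the untranslated destination (8.8.8.8), then
        # translate only if the packet leaves through the 'ip nat outside' interface.
        egress = self.lookup(pkt.dst)
        if egress is None:
            return ("drop", "no route to outside local address; ICMP unreachable sent", pkt)
        if egress != self.outside_if:
            return ("forward", egress, pkt)
        src, sport = self.inside_static.get((pkt.src, pkt.sport), (pkt.src, pkt.sport))
        to_global = {local: glob for glob, local in self.outside_static.items()}
        return ("forward", egress, replace(pkt, src=src, sport=sport, dst=to_global.get(pkt.dst, pkt.dst)))


def build_r1(static_next_hop=None, add_route=False):
    """R1 as configured on this page; the OSPF routes are assumed from the lab addressing."""
    routes = [
        Route("192.168.1.0/24", iface="FastEthernet0/1"),            # connected, ip nat inside
        Route("10.0.0.0/24", iface="Tunnel0"),                        # connected, ip nat outside
        Route("10.0.0.2/32", next_hop="10.0.0.2", iface="Tunnel0"),   # OSPF p2mp host routes
        Route("10.0.0.3/32", next_hop="10.0.0.3", iface="Tunnel0"),
        Route("192.168.2.0/24", next_hop="10.0.0.2", iface="Tunnel0"),
        Route("192.168.3.0/24", next_hop="10.0.0.3", iface="Tunnel0"),
    ]
    if static_next_hop:  # ip route 8.8.8.8 255.255.255.255 <next hop>
        routes.append(Route("8.8.8.8/32", next_hop=static_next_hop))
    r1 = HubRouter(routes, inside_if="FastEthernet0/1", outside_if="Tunnel0")
    r1.add_inside_static("192.168.1.11", 23, "10.0.0.1", 1234)
    r1.add_outside_static("192.168.2.22", "8.8.8.8", add_route=add_route)
    return r1


def telnet_exchange(r1, spoke_host, sport=57990):
    """SYN from a spoke host to 10.0.0.1:1234, then R11's SYN/ACK back through R1."""
    syn = Packet(src=spoke_host, dst="10.0.0.1", sport=sport, dport=1234)
    fwd = r1.process(syn, ingress="Tunnel0")
    if fwd[0] != "forward":
        return fwd, None
    seen = fwd[2]  # what R11 actually receives; it replies to that source
    synack = Packet(src=seen.dst, dst=seen.src, sport=seen.dport, dport=seen.sport)
    return fwd, r1.process(synack, ingress="FastEthernet0/1")


if __name__ == "__main__":
    for label, r1 in [("no route to 8.8.8.8", build_r1()),
                      ("ip route 8.8.8.8/32 via 10.0.0.2", build_r1(static_next_hop="10.0.0.2")),
                      ("add-route", build_r1(add_route=True))]:
        print(label, telnet_exchange(r1, "192.168.2.22"))
    print("R33 (no outside static entry)", telnet_exchange(build_r1(add_route=True), "192.168.3.33"))
```

Running the block prints the three states of the lab: without a route the SYN/ACK from R11 toward 8.8.8.8 is dropped before NAT is ever consulted; with either the manual static route or the add-route host route it is forwarded out Tunnel0 with source 10.0.0.1:1234 and destination 192.168.2.22. The R33 case shows that a spoke with no outside static entry passes through untranslated.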

R22#telnet 10.0.0.1 1234
Trying 10.0.0.1, 1234 ... Open

User Access Verification

Password: (Enter 'CCIE')

R11>sh users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 never
*  2 vty 0                idle                 00:00:00   8.8.8.8
   3 vty 1                idle                 00:00:09   192.168.3.33

The result is the same as with the manually configured static route.
