DMVPN and NAT 4
Telnet to headquarters routers and source NAT
・Use DMVPN Phase 3 with OSPF.
・Site-to-site packets are encrypted.
・Spokes can send their traffic to other spokes directly.
・Branch routers can log in to R1 with the telnet 10.0.0.1 command,
and log in to R11 with the telnet 10.0.0.1 1234 command.
・Configure R1 so that the source IP address of R22 appears as 8.8.8.8 when R22 logs in to R11.
・Note that 8.8.8.8 does NOT exist in this topology.
Initial Setup
R1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 123
 ip nhrp redirect
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
router ospf 123
 router-id 1.1.1.1
 network 10.0.0.1 0.0.0.0 area 0
 network 192.168.1.1 0.0.0.0 area 0
R2
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.2 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
router ospf 123
 router-id 2.2.2.2
 network 10.0.0.2 0.0.0.0 area 0
 network 192.168.2.2 0.0.0.0 area 0
R3
interface Tunnel0
 ip address 10.0.0.3 255.255.255.0
 no ip redirects
 ip nhrp map multicast 155.0.0.1
 ip nhrp map 10.0.0.1 155.0.0.1
 ip nhrp network-id 123
 ip nhrp nhs 10.0.0.1
 ip nhrp shortcut
 ip ospf network point-to-multipoint
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
interface FastEthernet0/0
 ip address 155.0.0.3 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.3.3 255.255.255.0
router ospf 123
 router-id 3.3.3.3
 network 10.0.0.3 0.0.0.0 area 0
 network 192.168.3.3 0.0.0.0 area 0
R1/R2/R3
crypto isakmp policy 123
 encr 3des
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key CCIE address 0.0.0.0
crypto ipsec transform-set TRANS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile PROFILE
 set transform-set TRANS
interface Tunnel0
 tunnel protection ipsec profile PROFILE
R11
interface FastEthernet0/0
 ip address 192.168.1.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
R22
interface FastEthernet0/0
 ip address 192.168.2.22 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.2.2
R33
interface FastEthernet0/0
 ip address 192.168.3.33 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.3.3
R1
ip nat inside source static tcp 192.168.1.11 23 10.0.0.1 1234
interface FastEthernet0/1
 ip nat inside
interface Tunnel0
 ip nat outside
R1/R11
line vty 0 4
 password CCIE
 login
Configure the ip nat outside source static command on R1
R1
ip nat outside source static 192.168.2.22 8.8.8.8
For packets received on an inside interface, R1 looks up the destination IP address in its own routing table before translation.
R1 does not have a route to 8.8.8.8, so the packets are discarded.
■DMVPN and NAT 3
Configure a static route to 8.8.8.8 with R2's WAN interface as the next hop
R1
ip route 8.8.8.8 255.255.255.255 155.0.0.2
R1#sh ip route
S        8.8.8.8 [1/0] via 155.0.0.2
:
C        155.0.0.0/24 is directly connected, FastEthernet0/0
R1#sh ip route 8.8.8.8
Routing entry for 8.8.8.8/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 155.0.0.2
      Route metric is 0, traffic share count is 1
R1#sh ip route 155.0.0.2
Routing entry for 155.0.0.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/0
      Route metric is 0, traffic share count is 1
Disable encryption and capture packets
R1/R2/R3
interface Tunnel0
 no tunnel protection ipsec profile PROFILE
Capture packets on the F0/0 interface of R1 and ping 8.8.8.8
R11#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
The outgoing interface for 8.8.8.8 on R1 is FastEthernet0/0.
The packets are sent without translation because the 'ip nat outside' command was NOT configured on that interface,
and without encapsulation.
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                8.8.8.8            192.168.2.22
tcp  10.0.0.1:1234      192.168.1.11:23    ---                ---
The NAT translation table is NOT changed.
R2 sends an ICMP Destination Unreachable to R11
because it does not have a route to 8.8.8.8.
R2#sh ip route
O 192.168.1.0/24 [110/1001] via 10.0.0.1, 00:13:33, Tunnel0
These packets are encapsulated because the outgoing interface toward 192.168.1.11 is Tunnel0.
Packet capture on R11
R11 receives the ICMP Destination Unreachable.
R11#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 180 msec 308 msec 164 msec
  2 155.0.0.2 408 msec 396 msec 304 msec
  3 155.0.0.2 !H  !H  !H
Set the ip nat outside command on F0/0 of R1
R1
int f0/0
ip nat outside
R1#sh ip nat statistics
Total active translations: 2 (2 static, 0 dynamic; 1 extended)
Peak translations: 2, occurred 01:14:07 ago
Outside interfaces:
  FastEthernet0/0, Tunnel0
Inside interfaces:
  FastEthernet0/1
Capture packets on F0/0 of R1 and ping again
R11#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/363/428 ms
The ICMP Echo Request from R11 was sent via F0/0 on R1 without encapsulation. The packet was routed by R2 and reached R22.
The ICMP Echo Reply from R22 was encapsulated by R2 and reached R1.
R1 decapsulated the packet and forwarded it to R11 with the source IP address translated.
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                8.8.8.8            192.168.2.22
icmp 192.168.1.11:2     192.168.1.11:2     8.8.8.8:2          192.168.2.22:2
tcp  10.0.0.1:1234      192.168.1.11:23    ---                ---
R11#traceroute 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.1.1 252 msec 208 msec 176 msec
  2 155.0.0.2 340 msec 412 msec 408 msec
  3 8.8.8.8 564 msec 728 msec 740 msec
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                8.8.8.8            192.168.2.22
tcp  10.0.0.1:1234      192.168.1.11:23    ---                ---
udp  192.168.1.11:49187 192.168.1.11:49187 8.8.8.8:33437      192.168.2.22:33437
udp  192.168.1.11:49188 192.168.1.11:49188 8.8.8.8:33438      192.168.2.22:33438
udp  192.168.1.11:49189 192.168.1.11:49189 8.8.8.8:33439      192.168.2.22:33439
udp  192.168.1.11:49190 192.168.1.11:49190 8.8.8.8:33440      192.168.2.22:33440
udp  192.168.1.11:49191 192.168.1.11:49191 8.8.8.8:33441      192.168.2.22:33441
udp  192.168.1.11:49192 192.168.1.11:49192 8.8.8.8:33442      192.168.2.22:33442
Packets from R11 reach R22 without encapsulation, but the two can communicate.
Enable IPsec and telnet from R22
R1/R2/R3
interface Tunnel0
 tunnel protection ipsec profile PROFILE
R22#telnet 10.0.0.1 1234 Trying 10.0.0.1, 1234 ... Open
User Access Verification
Password: (Enter 'CCIE')
R11>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 never
*  2 vty 0                idle                 00:00:00 8.8.8.8
R1#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
---  ---                ---                8.8.8.8            192.168.2.22
tcp  10.0.0.1:1234      192.168.1.11:23    8.8.8.8:52198      192.168.2.22:52198
tcp  10.0.0.1:1234      192.168.1.11:23    ---                ---
Packet capture on F0/0 of R1
Packets from R22 were encrypted by R2.
Packets from R11 were NOT encrypted.
Telnet from R33
R33#telnet 10.0.0.1 1234 Trying 10.0.0.1, 1234 ... Open
User Access Verification
Password: (Enter 'CCIE')
R11>show users
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 never
   2 vty 0                idle                 00:00:15 8.8.8.8
*  3 vty 1                idle                 00:00:00 192.168.3.33
R33 can telnet too, but its source IP address is NOT translated.
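The NAT order of operations that the three ping experiments above and the R22/R33 telnet sessions demonstrate, as an added example that is not part of the original page: a small Python model of R1 (class, function and interface-role names are assumptions, not IOS code) that replays route-then-translate for inside-to-outside traffic and translate-then-route for outside-to-inside traffic, including the case where F0/0 is not yet 'ip nat outside'.

```python
import ipaddress

class NatRouter:
    """Toy model of IOS static NAT around a routing lookup (added example, not IOS code).
    Inside->outside: route on the untranslated destination, translate only if the egress
    interface is 'ip nat outside'. Outside->inside: translate first, then route."""

    def __init__(self, nat_roles):
        self.nat_roles = nat_roles  # interface -> "inside" | "outside" | None
        self.routes = {}            # ip_network -> outgoing interface
        self.in_l2g = {}            # (inside local ip, port) -> (inside global ip, port)
        self.out_g2l = {}           # outside global ip -> outside local ip

    def add_route(self, prefix, iface):
        self.routes[ipaddress.ip_network(prefix)] = iface

    def route(self, dst):
        hits = [n for n in self.routes if ipaddress.ip_address(dst) in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def forward(self, in_iface, src, sport, dst, dport):
        """Return ("drop"|"forward", out_iface, src, sport, dst, dport) as R1 would send it."""
        if self.nat_roles.get(in_iface) == "outside":
            src = self.out_g2l.get(src, src)                          # outside global -> local
            g2l = {g: l for l, g in self.in_l2g.items()}
            dst, dport = g2l.get((dst, dport), (dst, dport))          # inside global -> local
            out = self.route(dst)
            return ("forward" if out else "drop", out, src, sport, dst, dport)
        out = self.route(dst)  # lookup is on 8.8.8.8 itself, so R1 needs a route to it
        if out is None:
            return ("drop", None, src, sport, dst, dport)
        if self.nat_roles.get(in_iface) == "inside" and self.nat_roles.get(out) == "outside":
            src, sport = self.in_l2g.get((src, sport), (src, sport))  # inside local -> global
            l2g = {l: g for g, l in self.out_g2l.items()}
            dst = l2g.get(dst, dst)                                   # outside local -> global
        return ("forward", out, src, sport, dst, dport)

def build_r1(f00_role, route_8888=True):
    """R1 from this page; f00_role is None before 'ip nat outside' is set on F0/0."""
    r1 = NatRouter({"FastEthernet0/1": "inside", "Tunnel0": "outside", "FastEthernet0/0": f00_role})
    r1.add_route("192.168.1.0/24", "FastEthernet0/1")
    r1.add_route("155.0.0.0/24", "FastEthernet0/0")
    for p in ("10.0.0.0/24", "192.168.2.0/24", "192.168.3.0/24"):  # tunnel + OSPF-learned LANs
        r1.add_route(p, "Tunnel0")
    if route_8888:
        r1.add_route("8.8.8.8/32", "FastEthernet0/0")  # ip route 8.8.8.8 255.255.255.255 155.0.0.2
    r1.in_l2g[("192.168.1.11", 23)] = ("10.0.0.1", 1234)  # ip nat inside source static tcp ...
    r1.out_g2l["192.168.2.22"] = "8.8.8.8"                 # ip nat outside source static ...
    return r1
```

The model also shows why R11's replies leave through F0/0 in the clear: the lookup on 8.8.8.8 picks the physical interface, not Tunnel0, before the destination is rewritten to 192.168.2.22.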