Simplified Networking
  • Home
  • Technology VoD!
    • Cisco >
      • Route & Switch / Enterprise Infrastructure
  • Technology Breakdowns!
    • Route&Switch/Ent. Infra. >
      • L2 Technologies
      • L3 Technologies
      • VPN Technologies
      • Services >
        • IOS - Dynamic NAT
        • HSRP - IPv4 Setup
        • HSRP - Priority and Preemption
    • Service Provider >
      • IGPs (Interior Gateway Protocols)
      • First Hop Redundancy >
        • HSRP (Hot Standby Router Protocol) >
          • HSRP - IOS/IOS XE Setup
          • HSRP - IOS XR Setup
      • BGP (Border Gateway Protocol)
      • Inter AS Multicast (MSDP)
      • Intra-AS MPLS
      • Inter-AS MPLS
    • Security >
      • IOS Firewall
      • ASA Firewall
      • FirePOWER Threat Defense >
        • FTD - FTD NGFW Device Setup and FMC Integration
      • VPNs >
        • PKI
        • Site to Site VPNs
        • Remote Access VPNs >
          • IOS Remote Access
          • ASA Remote Access
    • Data Center >
      • Nexus 9000v >
        • Nexus 9000v - Enabling Features
        • Nexus 9000v - VLANs and Trunks
        • Nexus 9000v - LACP Port Channels
        • Nexus 9000v - vPC (Virtual Port Channel)
        • Nexus 9000v - OSPFv2
        • Nexus 9000v - VXLAN - Ingress Replication Flood and Learn
        • Nexus 9000v - IP Multicast
        • Nexus 9000v - VxLAN - Multicast Flood and Learn
        • Nexus 9000v - VxLAN - BGP EVPN with Multicast
        • Nexus 9000v - VxLAN - BGP EVPN w/Ingress Replication
        • Nexus 9000v - VxLAN - Inter-VxLAN Routing with BGP EVPN
        • Nexus 9000v - VXLAN - External Routing
      • Nexus 7000v
    • Palo Alto

Spoke Behind NAT

This variation of DMVPN is pretty uncommon, but still a viable option in certain deployments. The idea is that the DMVPN spoke sits behind a device, a router or a firewall, that performs NAT, so the hub and the other spokes only ever see the spoke's translated address on the wire, never the address the spoke uses as its tunnel source.

IOS24
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/2
 ip nat inside
!
ip access-list extended NAT
 permit ip 172.16.103.0 0.0.0.255 any
 permit ip host 33.33.33.33 any
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
interface Tunnel1
 shutdown

The above configuration sets up PAT (Port Address Translation), the many-to-one NAT typically seen on home and small-business Internet connections: anything sourced from 172.16.103.0/24 or from 33.33.33.33 is translated to the address of GigabitEthernet0/0. Tunnel1 on IOS24 is shut down so that IOS24 acts only as the NAT device. Note that GRE carries no port numbers, so the tunnel is translated on protocol and addresses alone (it appears as a gre entry with :0 in show ip nat translations), and a PAT device cannot distinguish two plain-GRE tunnels from different inside hosts to the same outside peer; in a production DMVPN the tunnel is protected by IPsec, and NAT traversal then runs over UDP 4500.

IOS33
interface Tunnel1
 ip address 10.1.1.33 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 10.1.1.22 122.0.0.22
 ip nhrp map multicast 122.0.0.22
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.22
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 1
 network 10.1.1.0 0.0.0.255

IOS33
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.22 (Tunnel1) is up: new adjacency

IOS22
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.33 (Tunnel1) is up: new adjacency


The tunnel is configured and EIGRP runs over it; the adjacency with the hub (10.1.1.22) forms even though IOS33's tunnel source, 172.16.103.33, is a private address that the hub never sees on the wire. One caveat for anyone copying this lab: the ip nhrp authentication string is carried in NHRP packets in clear text and only keeps mismatched peers apart, and the tunnel here is plain GRE with no IPsec, so nothing in the exchange is authenticated or encrypted.


IOS33#traceroute 20.20.20.20 source loopback 0 num
Type escape sequence to abort.
Tracing the route to 20.20.20.20
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.25 50 msec 23 msec 19 msec
  2 20.20.20.20 43 msec 24 msec 22 msec


IOS22
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
 (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 105 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 2 
     src NBMA: 172.16.103.33
     src protocol: 10.1.1.33, dst protocol: 20.20.20.20
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 125
 src: 10.1.1.22, dst: 20.20.20.20
 (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 125 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 2 
     src NBMA: 172.16.103.33
     src protocol: 10.1.1.33, dst protocol: 20.20.20.20
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 85
 (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 85 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 6 
     src NBMA: 25.0.0.25
     src protocol: 10.1.1.25, dst protocol: 33.33.33.33
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
 src: 10.1.1.22, dst: 33.33.33.33
 (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 105 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 6 
     src NBMA: 25.0.0.25
     src protocol: 10.1.1.25, dst protocol: 33.33.33.33
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255


IOS24#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
gre 204.0.0.24:0       172.16.103.33:0    25.0.0.25:0        25.0.0.25:0
gre 204.0.0.24:0       172.16.103.33:0    122.0.0.22:0       122.0.0.22:0

After re-testing connections that were reachable before the NAT was introduced, we see that IOS33 can still reach NXOS20 (20.20.20.20) without issue, and that it does so directly via spoke 10.1.1.25 rather than through the hub. The debug nhrp packet output on IOS22 shows the Phase 3 resolution requests the hub receives and forwards in each direction. Notice that the "nat" flag is set in all of them, and that the request from IOS33 carries src NBMA 172.16.103.33, the spoke's private tunnel source, not the translated address 204.0.0.24; the hub has to take the real NBMA address from the outer IP header of the packet. The above output is the response from 
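The following script is an added example, not code from the original page. It pulls the fields that matter out of the debug nhrp packet resolution requests shown above (the sample text is copied from the IOS22 output, with some lines trimmed) and shows why the "nat" flag alone does not identify the NAT'd spoke: both 10.1.1.33 and 10.1.1.25 set it. What identifies NAT is the claimed NBMA address differing from the outer source the hub actually received the packet from; OBSERVED_OUTER_SRC is an assumed table of those outer sources, using 204.0.0.24 from the IOS24 NAT table for IOS33.

```python
"""Parse 'debug nhrp packet' resolution requests and work out which spoke is
behind NAT. Added example; sample input copied from the IOS22 debug above."""
import ipaddress
import re

# Sample input: three of the debug blocks from hub IOS22 shown on the page.
SAMPLE_DEBUG = """\
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
 (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 105 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 2 
     src NBMA: 172.16.103.33
     src protocol: 10.1.1.33, dst protocol: 20.20.20.20
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200

NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 125
 src: 10.1.1.22, dst: 20.20.20.20
 (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
 (M) flags: "router auth src-stable nat ", reqid: 2 
     src NBMA: 172.16.103.33
     src protocol: 10.1.1.33, dst protocol: 20.20.20.20

NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 85
 (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
 (M) flags: "router auth src-stable nat ", reqid: 6 
     src NBMA: 25.0.0.25
     src protocol: 10.1.1.25, dst protocol: 33.33.33.33
"""

HEADER_RE = re.compile(r'^NHRP: (Receive|Forwarding) Resolution Request via (\S+)', re.M)
FLAGS_RE = re.compile(r'flags: "([^"]*)", reqid: (\d+)')
NBMA_RE = re.compile(r'src NBMA: (\S+)')
PROTO_RE = re.compile(r'src protocol: (\S+), dst protocol: (\S+)')


def parse_resolution_requests(text):
    """Return one dict per NHRP resolution request found in the debug text."""
    records = []
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.start():end]
        flags, nbma, proto = FLAGS_RE.search(body), NBMA_RE.search(body), PROTO_RE.search(body)
        if not (flags and nbma and proto):
            continue  # truncated block, skip it
        records.append({
            'action': h.group(1),
            'interface': h.group(2),
            'flags': set(flags.group(1).split()),
            'reqid': int(flags.group(2)),
            'src_nbma': nbma.group(1),
            'src_protocol': proto.group(1),
            'dst_protocol': proto.group(2),
        })
    return records


def claimed_private_nbma(records):
    """Requests whose claimed NBMA (the sender's tunnel source) is an RFC 1918
    address. The 'nat' flag only says the sender supports the NAT extension
    (every request above sets it), so a private claimed NBMA is the better hint."""
    return {r['src_protocol']: r['src_nbma'] for r in records
            if 'nat' in r['flags'] and ipaddress.ip_address(r['src_nbma']).is_private}


# Assumed: outer IP source the hub saw for each spoke's packets (from a capture
# or the hub's own NHRP cache). 204.0.0.24 is IOS24's inside-global NAT address.
OBSERVED_OUTER_SRC = {'10.1.1.33': '204.0.0.24', '10.1.1.25': '25.0.0.25'}


def spokes_behind_nat(records, observed):
    """The comparison the hub relies on: a spoke is behind NAT when the NBMA
    address it claims differs from the outer source it arrived from.
    Returns {tunnel address: (claimed NBMA, observed NBMA)}."""
    out = {}
    for r in records:
        seen = observed.get(r['src_protocol'])
        if seen is not None and seen != r['src_nbma']:
            out[r['src_protocol']] = (r['src_nbma'], seen)
    return out


if __name__ == '__main__':
    recs = parse_resolution_requests(SAMPLE_DEBUG)
    for r in recs:
        print(r['action'], r['reqid'], r['src_protocol'], '->', r['dst_protocol'],
              'claims NBMA', r['src_nbma'], 'flags', sorted(r['flags']))
    print('private claimed NBMA:', claimed_private_nbma(recs))
    print('behind NAT:', spokes_behind_nat(recs, OBSERVED_OUTER_SRC))
```

Run against the sample, the only spoke reported as behind NAT is 10.1.1.33, claiming 172.16.103.33 while arriving from 204.0.0.24; 10.1.1.25 sets the same "nat" flag but its claimed and observed addresses agree.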

IOS33#traceroute 19.19.19.19 source loopback 0 numeric 
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.22 39 msec 29 msec 34 msec
  2 10.1.1.11 39 msec 50 msec 31 msec
  3 10.11.19.19 51 msec *  58 msec

IOS22
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
 (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 105 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 3 
     src NBMA: 172.16.103.33
     src protocol: 10.1.1.33, dst protocol: 19.19.19.19
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 125
 src: 10.1.1.22, dst: 19.19.19.19
 (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 125 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 3 
     src NBMA: 172.16.103.33
     src protocol: 10.1.1.33, dst protocol: 19.19.19.19
 (C-1) code: no error(0)
       prefix: 32, mtu: 17916, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 85
 (F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 85 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 2 
     src NBMA: 211.0.0.11
     src protocol: 10.1.1.11, dst protocol: 33.33.33.33
 (C-1) code: no error(0)
       prefix: 32, mtu: 9976, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255

NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
 src: 10.1.1.22, dst: 33.33.33.33
 (F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
     shtl: 4(NSAP), sstl: 0(NSAP)
     pktsz: 105 extoff: 52
 (M) flags: "router auth src-stable nat ", reqid: 2 
     src NBMA: 211.0.0.11
     src protocol: 10.1.1.11, dst protocol: 33.33.33.33
 (C-1) code: no error(0)
       prefix: 32, mtu: 9976, hd_time: 7200
       addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255


IOS33#traceroute 19.19.19.19 source loopback 0 numeric 
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.11 26 msec 16 msec 22 msec
  2 10.11.19.19 27 msec *  36 msec


IOS24#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
gre 204.0.0.24:0       172.16.103.33:0    25.0.0.25:0        25.0.0.25:0
gre 204.0.0.24:0       172.16.103.33:0    122.0.0.22:0       122.0.0.22:0
gre 204.0.0.24:0       172.16.103.33:0    211.0.0.11:0       211.0.0.11:0


The NAT table on IOS24 now also holds a GRE translation towards 211.0.0.11 (IOS11), which was not there before the traceroute: the spoke-to-spoke tunnel that the NHRP resolution created is set up through the NAT device just like the tunnel to the hub, and the second traceroute confirms that traffic to 19.19.19.19 no longer transits 10.1.1.22.


IOS33#show ip nhrp dynamic 
10.1.1.11/32 via 10.1.1.11
   Tunnel1 created 00:00:57, expire 01:59:04
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 211.0.0.11 
10.1.1.25/32 via 10.1.1.25
   Tunnel1 created 00:26:37, expire 01:33:23
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 25.0.0.25 
19.19.19.19/32 via 10.1.1.11
   Tunnel1 created 00:00:57, expire 01:59:04
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 211.0.0.11 
20.20.20.20/32 via 10.1.1.25
   Tunnel1 created 00:26:37, expire 01:33:23
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 25.0.0.25 
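In the cache above, the entries flagged nhop are the NBMA bindings for the two spokes IOS33 has resolved (10.1.1.11 at 211.0.0.11, 10.1.1.25 at 25.0.0.25), and the entries flagged nho are the next-hop overrides that steer 19.19.19.19 and 20.20.20.20 onto those shortcuts instead of the hub. The following script is an added example, not part of the original page. It cross-checks one against the other: it parses this show ip nhrp dynamic output and the two show ip nat translations tables from IOS24 (all three copied from above) and reports any shortcut whose next hop has no NBMA binding or whose NBMA peer has no GRE translation on the NAT device, which is the first thing to check when a spoke-to-spoke tunnel from behind NAT does not pass traffic.

```python
"""Cross-check a spoke's NHRP shortcuts against the NAT device's GRE
translations. Added example; sample outputs copied from IOS33 and IOS24 above."""
import re

# show ip nhrp dynamic on IOS33, after the shortcut to IOS11 was built.
NHRP_DYNAMIC = """\
10.1.1.11/32 via 10.1.1.11
   Tunnel1 created 00:00:57, expire 01:59:04
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 211.0.0.11 
10.1.1.25/32 via 10.1.1.25
   Tunnel1 created 00:26:37, expire 01:33:23
   Type: dynamic, Flags: router nhop rib 
   NBMA address: 25.0.0.25 
19.19.19.19/32 via 10.1.1.11
   Tunnel1 created 00:00:57, expire 01:59:04
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 211.0.0.11 
20.20.20.20/32 via 10.1.1.25
   Tunnel1 created 00:26:37, expire 01:33:23
   Type: dynamic, Flags: router used rib nho 
   NBMA address: 25.0.0.25 
"""

# show ip nat translations on IOS24, before and after the traceroute to 19.19.19.19.
NAT_BEFORE = """\
Pro Inside global      Inside local       Outside local      Outside global
gre 204.0.0.24:0       172.16.103.33:0    25.0.0.25:0        25.0.0.25:0
gre 204.0.0.24:0       172.16.103.33:0    122.0.0.22:0       122.0.0.22:0
"""
NAT_AFTER = NAT_BEFORE + "gre 204.0.0.24:0       172.16.103.33:0    211.0.0.11:0       211.0.0.11:0\n"

ENTRY_RE = re.compile(
    r'^(?P<prefix>\S+/\d+) via (?P<via>\S+)\n'
    r'\s+(?P<intf>\S+) created [^,]+, expire \S+\n'
    r'\s+Type: (?P<type>\w+), Flags: (?P<flags>[^\n]*)\n'
    r'\s+NBMA address: (?P<nbma>\S+)', re.M)


def parse_nhrp_dynamic(text):
    """One dict per cache entry; 'flags' becomes a set such as {'router', 'nhop', 'rib'}."""
    return [dict(m.groupdict(), flags=set(m.group('flags').split()))
            for m in ENTRY_RE.finditer(text)]


def parse_nat_translations(text):
    """One dict per translation row, with the ':port' suffix stripped (GRE shows :0)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == 'Pro':
            continue  # header or blank line
        proto, ig, il, ol, og = parts
        addr = lambda a: a.rsplit(':', 1)[0]
        rows.append({'proto': proto, 'inside_global': addr(ig), 'inside_local': addr(il),
                     'outside_local': addr(ol), 'outside_global': addr(og)})
    return rows


def check_shortcuts(nhrp_entries, nat_rows):
    """For every shortcut route (nho flag) confirm that its next hop has an NBMA
    binding (nhop flag) and that the NAT device holds a GRE translation towards
    that NBMA address. Returns {destination prefix: status string}."""
    bindings = {e['prefix'].split('/')[0]: e['nbma']
                for e in nhrp_entries if 'nhop' in e['flags']}
    gre_peers = {r['outside_global'] for r in nat_rows if r['proto'] == 'gre'}
    result = {}
    for e in nhrp_entries:
        if 'nho' not in e['flags']:
            continue
        nbma = bindings.get(e['via'])
        if nbma is None:
            result[e['prefix']] = 'no NBMA binding for next hop %s' % e['via']
        elif nbma not in gre_peers:
            result[e['prefix']] = 'no GRE translation towards %s' % nbma
        else:
            result[e['prefix']] = 'ok via %s (%s)' % (e['via'], nbma)
    return result


if __name__ == '__main__':
    entries = parse_nhrp_dynamic(NHRP_DYNAMIC)
    for label, table in (('before', NAT_BEFORE), ('after', NAT_AFTER)):
        print(label, check_shortcuts(entries, parse_nat_translations(table)))
```

Against the earlier NAT table the shortcut for 19.19.19.19 is reported as having no GRE translation towards 211.0.0.11, because that entry only appears once the spoke-to-spoke tunnel has been built; against the later table both shortcuts check out.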