This variation of DMVPN is fairly uncommon but still a viable option in certain deployments. The idea is that the DMVPN spoke is deployed behind a device, such as a router or firewall, running NAT.
IOS24
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/2
 ip nat inside
!
ip access-list extended NAT
 permit ip 172.16.103.0 0.0.0.255 any
 permit ip host 33.33.33.33 any
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
interface tunnel1
 shut
The above configuration sets up PAT (Port Address Translation), the many-to-one NAT typically seen on home and small-business internet connections.
IOS33
interface Tunnel1
 ip address 10.1.1.33 255.255.255.0
 no ip redirects
 ip nhrp authentication cisco
 ip nhrp map 10.1.1.22 122.0.0.22
 ip nhrp map multicast 122.0.0.22
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.22
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
IOS33
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.22 (Tunnel1) is up: new adjacency
IOS22
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.1.33 (Tunnel1) is up: new adjacency
The tunnel is configured, and EIGRP is configured to run over it. As you can see, an EIGRP adjacency has formed.
IOS33#traceroute 20.20.20.20 source loopback 0 num
Type escape sequence to abort.
Tracing the route to 20.20.20.20
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.25 50 msec 23 msec 19 msec
2 20.20.20.20 43 msec 24 msec 22 msec
IOS22
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
(F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 105 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 2
src NBMA: 172.16.103.33
src protocol: 10.1.1.33, dst protocol: 20.20.20.20
(C-1) code: no error(0)
prefix: 32, mtu: 17916, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 125
src: 10.1.1.22, dst: 20.20.20.20
(F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 125 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 2
src NBMA: 172.16.103.33
src protocol: 10.1.1.33, dst protocol: 20.20.20.20
(C-1) code: no error(0)
prefix: 32, mtu: 17916, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 85
(F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 85 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 6
src NBMA: 25.0.0.25
src protocol: 10.1.1.25, dst protocol: 33.33.33.33
(C-1) code: no error(0)
prefix: 32, mtu: 17916, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
src: 10.1.1.22, dst: 33.33.33.33
(F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 105 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 6
src NBMA: 25.0.0.25
src protocol: 10.1.1.25, dst protocol: 33.33.33.33
(C-1) code: no error(0)
prefix: 32, mtu: 17916, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
IOS24#show ip nat translations
Pro  Inside global    Inside local      Outside local    Outside global
gre  204.0.0.24:0     172.16.103.33:0   25.0.0.25:0      25.0.0.25:0
gre  204.0.0.24:0     172.16.103.33:0   122.0.0.22:0     122.0.0.22:0
After testing some previously reachable destinations, we see that IOS33 can reach NXOS20 without issue. IOS22 shows some of the NHRP messages used for Phase 3; notice that the "unique nat" flag is set. The above output is the response from
IOS33#traceroute 19.19.19.19 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.22 39 msec 29 msec 34 msec
2 10.1.1.11 39 msec 50 msec 31 msec
3 10.11.19.19 51 msec * 58 msec
IOS22
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
(F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 105 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 3
src NBMA: 172.16.103.33
src protocol: 10.1.1.33, dst protocol: 19.19.19.19
(C-1) code: no error(0)
prefix: 32, mtu: 17916, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 125
src: 10.1.1.22, dst: 19.19.19.19
(F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 125 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 3
src NBMA: 172.16.103.33
src protocol: 10.1.1.33, dst protocol: 19.19.19.19
(C-1) code: no error(0)
prefix: 32, mtu: 17916, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
NHRP: Receive Resolution Request via Tunnel1 vrf global(0x0), packet size: 85
(F) afn: AF_IP(1), type: IP(800), hop: 255, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 85 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 2
src NBMA: 211.0.0.11
src protocol: 10.1.1.11, dst protocol: 33.33.33.33
(C-1) code: no error(0)
prefix: 32, mtu: 9976, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
NHRP: Forwarding Resolution Request via Tunnel1 vrf global(0x0), packet size: 105
src: 10.1.1.22, dst: 33.33.33.33
(F) afn: AF_IP(1), type: IP(800), hop: 254, ver: 1
shtl: 4(NSAP), sstl: 0(NSAP)
pktsz: 105 extoff: 52
(M) flags: "router auth src-stable nat ", reqid: 2
src NBMA: 211.0.0.11
src protocol: 10.1.1.11, dst protocol: 33.33.33.33
(C-1) code: no error(0)
prefix: 32, mtu: 9976, hd_time: 7200
addr_len: 0(NSAP), subaddr_len: 0(NSAP), proto_len: 0, pref: 255
IOS33#traceroute 19.19.19.19 source loopback 0 numeric
Type escape sequence to abort.
Tracing the route to 19.19.19.19
VRF info: (vrf in name/id, vrf out name/id)
1 10.1.1.11 26 msec 16 msec 22 msec
2 10.11.19.19 27 msec * 36 msec
IOS24#show ip nat translations
Pro  Inside global    Inside local      Outside local    Outside global
gre  204.0.0.24:0     172.16.103.33:0   25.0.0.25:0      25.0.0.25:0
gre  204.0.0.24:0     172.16.103.33:0   122.0.0.22:0     122.0.0.22:0
gre  204.0.0.24:0     172.16.103.33:0   211.0.0.11:0     211.0.0.11:0
We can see from the above NAT translations that the connections are being set up and are working without issue.
IOS33#show ip nhrp dynamic
10.1.1.11/32 via 10.1.1.11
Tunnel1 created 00:00:57, expire 01:59:04
Type: dynamic, Flags: router nhop rib
NBMA address: 211.0.0.11
10.1.1.25/32 via 10.1.1.25
Tunnel1 created 00:26:37, expire 01:33:23
Type: dynamic, Flags: router nhop rib
NBMA address: 25.0.0.25
19.19.19.19/32 via 10.1.1.11
Tunnel1 created 00:00:57, expire 01:59:04
Type: dynamic, Flags: router used rib nho
NBMA address: 211.0.0.11
20.20.20.20/32 via 10.1.1.25
Tunnel1 created 00:26:37, expire 01:33:23
Type: dynamic, Flags: router used rib nho
NBMA address: 25.0.0.25
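The check made by eye above, that every peer in the spoke's NHRP cache has a matching GRE translation on the NAT device, can be scripted. This is an added example, not part of the original post; the function names are assumptions, and the sample text is the IOS24 and IOS33 output from this page (the NHRP cache is an excerpt).

```python
import re

# Output copied from this page: IOS24 NAT table, IOS33 NHRP cache (excerpt).
NAT_TABLE = """\
Pro Inside global Inside local Outside local Outside global
gre 204.0.0.24:0 172.16.103.33:0 25.0.0.25:0 25.0.0.25:0
gre 204.0.0.24:0 172.16.103.33:0 122.0.0.22:0 122.0.0.22:0
gre 204.0.0.24:0 172.16.103.33:0 211.0.0.11:0 211.0.0.11:0
"""
NHRP_DYNAMIC = """\
10.1.1.11/32 via 10.1.1.11
Tunnel1 created 00:00:57, expire 01:59:04
Type: dynamic, Flags: router nhop rib
NBMA address: 211.0.0.11
10.1.1.25/32 via 10.1.1.25
Tunnel1 created 00:26:37, expire 01:33:23
Type: dynamic, Flags: router nhop rib
NBMA address: 25.0.0.25
19.19.19.19/32 via 10.1.1.11
Tunnel1 created 00:00:57, expire 01:59:04
Type: dynamic, Flags: router used rib nho
NBMA address: 211.0.0.11
"""

def gre_translations(text):
    """Map outside-global peer -> (inside local, inside global) for GRE rows."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "gre":
            ig, il, _, og = (a.rsplit(":", 1)[0] for a in f[1:])
            out[og] = (il, ig)
    return out

def nhrp_peers(text):
    """Map NBMA address -> list of prefixes resolved through it."""
    peers, prefix = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*(\S+/\d+) via ", line):
            prefix = m.group(1)
        elif m := re.match(r"\s*NBMA address: (\S+)", line):
            peers.setdefault(m.group(1), []).append(prefix)
    return peers

def missing_translations(nat_text, nhrp_text, spoke_ip):
    """NHRP peers of spoke_ip that have no GRE entry on the NAT device."""
    nat = gre_translations(nat_text)
    return sorted(p for p in nhrp_peers(nhrp_text)
                  if nat.get(p, (None,))[0] != spoke_ip)
```

An empty result for `missing_translations(NAT_TABLE, NHRP_DYNAMIC, "172.16.103.33")` means each spoke-to-spoke shortcut has a translation; a listed peer is one whose shortcut exists in NHRP but has no state on the NAT device.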