Solved

DMVPN multiple spokes behind a single NAT global IP

Posted on 2009-02-15
Last Modified: 2012-05-06
I am looking to design a DMVPN where multiple spokes are behind a single global NAT IP.   I do not require spoke-to-spoke communication.

I know that the Cisco docs say that you can have a spoke behind a NAT device, but for multiple NAT'd spokes you have to have unique global IPs.  Is there any way around this or some alternative ways to do this? (Maybe different tunnel configurations on the hub for each spoke?)

Thanks,
Question by:chikagoh
40 Comments
 
LVL 81

Expert Comment

by:arnold
ID: 23650772
Are you looking at something similar to a load balancer through a DMVPN traffic? Inbound traffic directed to individual spokes?

What is the goal of your setup? Do you want all spokes to access the outside world through the HUB's IP?

Author Comment

by:chikagoh
ID: 23650875
No load balancing.

I have a unique situation where I have an office with a single NAT router to the internet (no VPN/DMVPN on this router), and then I have several Cisco 1861 routers connected to this single NAT router.  Each of these Cisco 1861 routers needs to have access to the outside world through the HUB's IP.  The DMVPN HUB is located in a different location than this office network.

It also doesn't have to be DMVPN, I guess if easy VPN would allow traffic to flow behind a NAT firewall that would work too, but I have only known DMVPN to work well behind NAT.

The HUB is not behind any NAT device.
LVL 81

Expert Comment

by:arnold
ID: 23651198
Let me try and describe your setup to make sure I am on the same page with you.
I will leave the DMVPN out since it is extraneous and a distraction.
Do you have a point to point/frame type of connection from each cisco 1861 to the location where the NAT router is?
And each 1861 has its own internet connection?
The global route with the exclusion of the DMVPN peer should be routed through the interface that connects to the NAT router.

I.e., instead of route 0.0.0.0 0.0.0.0 ExternalInterface, you would route it through the interface that gets to the NAT router as the next hop.

Author Comment

by:chikagoh
ID: 23651826

Here is the layout.  There are no ptp/frame connections.

           

                      (INTERNET)
                          |
                          | (DSL, cable, doesn't matter)
                          |
                (NAT ROUTER, non-Cisco)
               /          |          \
              /           |           \  (Ethernet from 1861 WAN to NAT router LAN)
             /            |            \
        (1861 1)      (1861 2)      (1861 3)

Author Comment

by:chikagoh
ID: 23651835
Also I should mention that the NAT Router provides a SINGLE GLOBAL Public IP (thus the problem with using DMVPN)
LVL 81

Expert Comment

by:arnold
ID: 23652006
Let's try it again. Currently, router1, router2, router3 can only access the internet through the NAT router, which is what you want.
The problem is you have locations 4, 5, 6 that you also want to go through the NAT router, and the manner by which you were thinking was using DMVPN from the 1,2,3 routers?

Your issue is that there can only be one DMVPN connection out of the NAT Router, which is all you need.  You can set up VPNs/serial connections between the Ciscos and have only one of them establish the DMVPN session to the outside.
I.e. router1, router2, router3 each have a DMVPN session capability to the DMVPN HUB.  At any one time, only one DMVPN tunnel will be established.

Any reason why replacing the NAT router with one of the 1861's and then using VLANs is not an option (the 1861 might not be as powerful as you need, but might be on the path)?
Solving two issues with one shot.

You could have:
                      (INTERNET)
                          |
                          | (DSL, cable, doesn't matter)
                          |
                     (1861 Cisco)
               /          |          \
              /           |           \  1861 LAN ports
             /            |            \
         (VLAN1)       (VLAN2)       (VLAN3)


Author Comment

by:chikagoh
ID: 23652132
The physical topology cannot change.  All the 1861's will connect to the NAT router.  All the 1861s must VPN somehow to a remote VPN Hub Router (I can use any Cisco router or an ASA).

I am aware I can run a DMVPN tunnel within a DMVPN tunnel (seems to be your suggestion); however, the NAT Router does not have any VPN capabilities and never will.

If I can setup a VPN between the 1861s on the Lan and then use one of the 1861's to create the main VPN to my HUB, that is a solution I think, however I have no idea how to do so.

Author Comment

by:chikagoh
ID: 23652154
Also keep in mind the WAN IPs on the 1861's will be dynamic and will change frequently, so I am not sure if VPNs between the 1861's on the LAN will work.

Author Comment

by:chikagoh
ID: 23652169
Can an EasyVPN hub terminate multiple EasyVPN clients coming from a single global IP?
LVL 81

Expert Comment

by:arnold
ID: 23652479
Why would there be a need for the WAN IP on the 1861s to change?
What is gained by using DHCP on the WAN port of the 1861 that will be lost if it were to use a static IP?

If you configure DMVPN on each 1861 to the remote, only one of them will be up at any one time, or each attempt to establish one DMVPN will knock off the existing DMVPN, which is not a solution.

The problem is that by setting up a VPN connection between the 1861s you likely eliminate the reason they were setup this way in the first place. i.e. no inter-segment access.

I think I understand your need, which is to have access from the outside to each LAN of the Cisco1861s which are behind the NAT router.

The end point of the DMVPN that goes through a DMVPN has to use the internal IP of the DMVPN router and not the external public IP.

See if the following gives you some additional ideas:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
http://cciethebeginning.wordpress.com/2008/06/03/building-dmvpn-with-mgre-nhrp-and-ipsec-vpn/

Author Comment

by:chikagoh
ID: 23652511
If you must know the need, I have mobile racks that will be moving every couple of days to different networks, so the 1861's will have a wired WAN to a different NAT router.  Each mobile rack, while at the same building, will not be able to be wired to each other, which is why each 1861 will have its own connection to the NAT router.
LVL 81

Expert Comment

by:arnold
ID: 23652563
You have to have a single 1861 sitting somewhere whose IP does not change.  This Cisco 1861 will be the DMVPN hub for the mobile rack Cisco 1861s and will be the one establishing a DMVPN to the outside HUB.
The DMVPN via DMVPN from the mobile 1861s.
You'll end up with:
                      (INTERNET)
                          |
                          | (DSL, cable, doesn't matter)
                          |
                (NAT ROUTER, non-Cisco)
               /          |          \          \
              /           |           \          \  (Ethernet from 1861 WAN to NAT router LAN)
             /            |            \          \
        (1861 1)      (1861 2)      (1861 3)   (1861 4 with fixed WAN IP)


Author Comment

by:chikagoh
ID: 23652679
If I had an office with 20 workstations with a Cisco VPN client connecting to a remote hub, all coming from a single global IP, how would that work and not a router trying to do the same thing?

LVL 81

Expert Comment

by:arnold
ID: 23652746
The problem is that the VPN connections need to be initiated from the cisco's to a central point.
You could try setting up the 1861s to establish a PPTP client connection to a known XP workstation's IP. You would then need to configure the Cisco VPN client to establish a connection upon boot and allow all users access to the VPN tunnel connection.


Author Comment

by:chikagoh
ID: 23653710
I think we are talking past each other a bit.  My question about the Cisco VPN was really meant to be:

"If you can connect multiple IPsec VPN clients on a single network behind a single IP to a single hub, why can't you do it with a Cisco router?"

Let's say my company was staying at a hotel, where the hotel provided Internet via a single global NAT IP, and all the employees were staying in different rooms trying to connect to the company VPN (in another state) via the Cisco VPN client.

Now let's say instead of using a VPN client from each room, each employee had a Cisco router that was trying to connect to the company VPN (in another state) via a Cisco router VPN technology.


Author Comment

by:chikagoh
ID: 23653904
Going back to your prior post:
You have to have a single 1861 sitting somewhere whose IP does not change.  This Cisco 1861 will be the DMVPN hub for the mobile rack Cisco 1861s and will be the one establishing a DMVPN to the outside HUB.
The DMVPN via DMVPN from the mobile 1861s.
You'll end up with:
                      (INTERNET)
                          |
                          | (DSL, cable, doesn't matter)
                          |
                (NAT ROUTER, non-Cisco)
               /          |          \          \
              /           |           \          \  (Ethernet from 1861 WAN to NAT router LAN)
             /            |            \          \
        (1861 1)      (1861 2)      (1861 3)   (1861 4 with fixed WAN IP)

Can a router be a DMVPN HUB for the other local routers and also be a DMVPN spoke to another remote DMVPN hub at the same time?

LVL 81

Expert Comment

by:arnold
ID: 23654029
Have you tried configuring your Ciscos with a remote client type of VPN to your remote HUB point?  But I think you need access from the remote HUB point into the LAN behind the Cisco, rather than allowing the LAN on the Ciscos access to the remote HUB point.
The distinction is the type of VPN connection that is being established.

It might be an option to set up a remote client VPN from the Cisco to the HUB and then use DMVPN policy to go through the remote-client-configured VPN tunnel.

The second link I posted:
http://cciethebeginning.wordpress.com/2008/06/03/building-dmvpn-with-mgre-nhrp-and-ipsec-vpn/
seems to be what you want.


Author Comment

by:chikagoh
ID: 23654100
Thanks I will take a look in more depth at that link.

Could I just deploy an individual remote HUB for each of the 1861s sitting behind the single global IP NAT device?  The spokes don't need to talk to each other.

So:
1861-1 to Hub 1
1861-2 to Hub 2
1861-3 to Hub 3
and so on.

Will traditional upstream NAT routers with a single global IP be able to handle translating each individual DMVPN tunnel?
LVL 81

Expert Comment

by:arnold
ID: 23654324
Any reason you think a location can not have a spoke connection to a DMVPN HUB while at the same time being a HUB for other Spokes?
How can one build a mesh topology using DMVPN? Is it not the case that in a mesh topology a location is both a spoke to a larger HUB while being a hub to a few isolated spokes?

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd801af458.html

Step 1 and step 15. I.e., if in step 1 you configure the router as a HUB, in step 15 you can add another policy which will be a spoke, or vice versa.

Not really sure what you mean by your last post dealing with each router establishing a connection to a different HUB.

In a mesh, the same spoke often establishes a connection to multiple HUBs.


The route advertising will first have to guide the traffic to the appropriate HUB which will then be sent through the Tunnel to the correct 1861 that is connected to the HUB.
It's not that a route will be advertised from HUB 1,2,3 that will refer to the NAT router's IP for the 1861-1,2,3 information.
The advertised routes will have HUB 1,2,3 as the next destination for these routes. I.e. whoever HUB1 peers will have a route for 1861-1 LAN with HUB1 as the next HOP and not the 1861-1's IP.
I think this is where the conflict seems to be.  Each peer provides information on which networks are available through it.

The only thing you have to worry about is that 1861-1,2,3 do not use the same LAN IPs or you would need to use IP translation.  

Author Comment

by:chikagoh
ID: 23654423
The thing is, I don't need any type of mesh.  I have 6 routers all completely independent of each other.  The *only* reasons DMVPN seems like a good VPN solution are:

1) Each of these routers are behind a NAT device.
2) The WAN IPs of the routers will change every day or two, AND the global public IP will also change.

Clearly a site-to-site VPN won't work behind a NAT device.

So considering both the NAT issue and the constantly changing WAN and upstream global IP, DMVPN seemed like the only solution.  I am open to any VPN technology that will let me turn on all the routers, plug them into the facility-provided ethernet, get an IP address and create a VPN tunnel to my datacenter.  

Since a DMVPN HUB router can't open concurrent tunnels to multiple spokes behind a single NAT'd global IP, I need to find something that will. If this means I need a DMVPN router for each remote 1861 DMVPN spoke, that is fine as long as it will work.

LVL 81

Expert Comment

by:arnold
ID: 23656200
At this point, you have to try to set one up and see if it works.
LVL 32

Expert Comment

by:harbor235
ID: 23661325

I do not understand why there are multiple spokes behind a device doing NAT in the first place. Does this box also implement a security policy? You show a NAT router; is it a router or a firewall? I guess my point is that once inside with an encrypted tunnel terminating on one of the spokes you are on a trusted network. Use the one spoke and just route traffic to the other endpoint; you are inside at this point, so there is no need to have another spoke.

harbor235 ;}

Author Comment

by:chikagoh
ID: 23661544
I have mobile rackmount equipment that shows up at a different facility every few days.  Let's just say we have 6 racks (each with a 1861 router) that show up at one hotel on Monday.  Each rack is in a different room.  Each rack gets an Ethernet drop from the hotel.  Every hotel we show up at, the WAN address for each 1861 is different.

9.9 out of 10 hotels have a NAT router we connect each 1861 to, where their NAT router uses a single global IP.  We don't have the ability to reprogram each router every couple of days, so we are looking for something plug n' play, whether that is DMVPN or something else.

Please don't recommend that we get the hotels to give us interconnected Ethernet between each rack, because that's not going to happen.  This is just how things are.

LVL 32

Expert Comment

by:harbor235
ID: 23662179

Reprogramming 6 routers can be done very easily and quickly via Perl or shell scripting; I assume there is other gear in these racks that can be used for administrative purposes. Input the new parameters and push the configs; this could be done in minutes.

Without the scripts, if you used just one of the routers as the DMVPN spoke and inside on the trusted network were the other 5 routers, would that be an issue? The inside 5 routers could be on one VLAN, and of course the spoke router would need an outside VLAN and an interface in the inside VLAN that is the same as the other 5 routers.

You do not have to program in the WAN interface IP with DMVPN; you can use the external interface descriptor, i.e. "tunnel source s0/0.6".

harbor235 ;}

Author Comment

by:chikagoh
ID: 23664028
This sounds like a workable solution.  The routers that will use the main 'spoke' router will require some type of static route to point to the spoke router?  Or would the routers vpn into the spoke router?
LVL 32

Expert Comment

by:harbor235
ID: 23664915

The inside is trusted and would not need a vpn, you could use a routing protocol to distribute the routes. Also, for an extra level of security you could run CBAC on the spoke router to enforce a security policy.


harbor235 ;}

Author Comment

by:chikagoh
ID: 23665301
So my 1861-1 Router will be the spoke to my remote Hub.  The WAN on the 1861-1 router is on the LAN side of the hotel network.

1861-2 through 1861-6's WAN is also on the LAN side of the hotel network.  Do I just create an ip route on the 1861-2 through 1861-6 routers pointing to the 1861-1 DMVPN spoke router?
LVL 32

Expert Comment

by:harbor235
ID: 23665356

Yes.

Well, the 1861-[2-6] WAN interfaces are on a LAN; however, they are in a different VLAN than 1861-1's WAN interface. The 1861-[2-6] WAN interfaces are on the same VLAN as the inside interface of the 1861-1 router.

                HOTEL_VLAN1
                     |
                    R1
                     |      (hotel VLAN 2)
       ----------------------------------------
       |        |        |        |        |
      R2       R3       R4       R5       R6

harbor235 ;}


Author Comment

by:chikagoh
ID: 23665385
And how is that supposed to happen without getting the Hotel to create a vlan for us(which will NEVER happen).
LVL 32

Expert Comment

by:harbor235
ID: 23665460

Good luck to you,

harbor235 ;}

LVL 81

Expert Comment

by:arnold
ID: 23666448
The problem is that so far I do not understand what your need is. Do you need to have access to the internal LAN behind each 1861 or do you need the LAN behind each 1861 to have access to a central location?
You might be able to setup a remote VPN from each 1861 to a central location.  This will be equivalent to multiple people from the same firm establishing a VPN using a vpn client to connect to the main office.
With this setup, from the remote you should be able to access each of the 1861s through the VPN.
Once you have a remote VPN from each, you would tunnel through the tunnel.

Author Comment

by:chikagoh
ID: 23672865
Would I use Easy VPN client/server for this?  I'm guessing site-to-site won't work because of the changing client WAN IPs with NAT'd IPs.

LVL 81

Accepted Solution

by:
arnold earned 1500 total points
ID: 23673046
Yes, you can use EasyVPN to set up a remote VPN connection from the 1861s.
Just make sure that you are not limiting the VPN on the server (HUB) to one per location.
The WAN IP will be what will distinguish each client from the next.
Once you have each router connected to your HUB, you could try the DMVPN within a tunnel setup.
Do you need to tie the mobile racks together to provide whatever application/services they do and would prefer that they do this automatically without intervention?

Author Comment

by:chikagoh
ID: 23673149
Once the easyvpn connection is established, would this be sufficient, or do I still need to create a DMVPN tunnel within the easyvpn connection?

Each mobile rack has IP Phones, and they don't specifically need to communicate, but would be nice if they do. (One step at a time).
LVL 81

Expert Comment

by:arnold
ID: 23673355
Sufficient for what?  Do you need those phones to "call home"?

So we now have a mobile rack of IP phones.  Does each phone need to "login" to a remote HUB for its functionality, and you want the VoIP traffic to go over a VPN tunnel rather than through the net?
Is this a SIP type of phone? Do you also have an Asterisk/OpenPBX server on each mobile rack?

Author Comment

by:chikagoh
ID: 23673457
These are Polycom SIP phones registering to a hosted PBX provider.  So the VoIP traffic will go over the VPN to our HUB to a gateway on our network, and then across the Internet to our hosted PBX provider and Level3 media gateways.
LVL 81

Expert Comment

by:arnold
ID: 23673748
In this setup, I do not think there is any way that the SIP phones can talk directly to each other, so a DMVPN setup is not needed.
Set up two 1861s and see if they work.


Author Comment

by:chikagoh
ID: 23676582
Using an ASA, I was able to get two routers to establish ezvpn tunnels.  Having an issue getting traffic to hit the ASA and go out to the public Internet though.

I am routing public IPs to the ASA, and using the public IPs for the vpn pool.  Not sure how to get the ASA to let inbound/outbound traffic for these public IPs.  Technically I don't have any 'inside' network on the ASA, just an Outside and then the tunnels.
LVL 81

Expert Comment

by:arnold
ID: 23677284
You need to add the options:
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
These will permit traffic coming from the outside to go back through the same interface, or traffic coming in through a VPN to leave through the outside interface.

0
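As an added example (not from this thread or from arnold's post), here is where those two commands sit in a minimal ASA 8.x EasyVPN server configuration of the kind the asker describes (routable pool, no inside interface, several 1861 clients behind one hotel NAT), with the matching IOS EasyVPN client on one 1861. Interface names, group/pool/user names, the peer address and the pre-shared key are assumed placeholders; 203.0.113.0/24 and 198.51.100.1 are documentation addresses standing in for the asker's real public block and hub address.

```cisco
! ===== ASA (EasyVPN server / hub) -- added example; names and addresses are placeholders =====
! Let traffic that arrives over a VPN on "outside" leave again through "outside" (hairpin),
! which is what the asker needs because the ASA has no inside interface.
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface
!
! Pool of routable addresses handed to each EasyVPN client (stands in for the public block
! routed to the ASA). With a routable pool no NAT rule is needed for client traffic.
ip local pool EZVPN_POOL 203.0.113.10-203.0.113.50
!
! IKE on the outside interface. NAT-T is what lets several clients behind one NAT coexist:
! they all arrive from the hotel's single public IP, but on distinct translated UDP/4500 ports.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! One group for all mobile racks. The simultaneous-login cap is per username, not per
! source IP, so clients sharing one public address are not limited to one session.
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 vpn-tunnel-protocol IPSec
 vpn-simultaneous-logins 3
!
tunnel-group EZVPN_GROUP type ipsec-ra
tunnel-group EZVPN_GROUP general-attributes
 address-pool EZVPN_POOL
 default-group-policy EZVPN_GP
tunnel-group EZVPN_GROUP ipsec-attributes
 pre-shared-key GROUP_PSK_PLACEHOLDER
!
! One local XAUTH account per rack so sessions can be told apart and revoked individually.
username rack1 password RACK1_PASSWORD_PLACEHOLDER

! ===== 1861 spoke (EasyVPN client, client mode) -- added example; assumed interface names =====
crypto ipsec client ezvpn HUB
 connect auto
 group EZVPN_GROUP key GROUP_PSK_PLACEHOLDER
 mode client
 peer 198.51.100.1
 username rack1 password RACK1_PASSWORD_PLACEHOLDER
!
! WAN port takes whatever address the hotel NAT router hands out; nothing is hard-coded.
interface FastEthernet0/0
 ip address dhcp
 crypto ipsec client ezvpn HUB
!
! Rack LAN; in client mode it is translated behind the pool address the ASA assigns.
interface Vlan1
 crypto ipsec client ezvpn HUB inside
```

Because client mode hides each rack's LAN behind its pool address, the hub reaches the 1861 itself but not hosts behind it; network-extension mode (with nem enabled in the group policy) would be the change to make if that access is later required.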
 

Author Closing Comment

by:chikagoh
ID: 31547156
EZVPN seems to be the best solution.  Not really able to get DMVPN to run over the EZVPN, but in the end I actually don't need it.
