FlexVPN Spoke-to-Spoke Routing Override Loop

I have a spoke router; this router has a route to the inside network 192.168.1.0 255.255.255.0 with next hop 10.1.1.1 (10.1.1.0/29 is the transfer network):
ip route 192.168.1.0 255.255.255.0 10.1.1.1
After activating FlexVPN I get the routing override: the route becomes 192.168.1.0 255.255.255.0 Tunnel0 in the spoke router. I lose the correct route and get a loop from the center to 192.168.1.0.
How can I make the spoke router ignore the route to its own network that comes back from the center?

One way would be to increase the distance of routes received from the hub.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/m1/sec-m1-cr-book/sec-cr-r2.html#wp1846954161

Similar Messages

  • FlexVPN Spoke to Spoke issues

    Config:
    Hub:
    interface Virtual-Template1 type tunnel
    description FlexVPN hub-to-spokes
    ip unnumbered Loopback100
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    Spokes:
    interface Tunnel0
    description FlexVPN tunnel
    ip address negotiated
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source Vlan1
    tunnel destination x.x.x.x
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    interface Virtual-Template1 type tunnel
    description FlexVPN spoke-to-spoke
    ip unnumbered Loopback101
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    tunnel protection ipsec profile default
    Hub-Spoke works perfectly. 
    When pinging from a spoke to another spoke's LAN IP, the router misses one ping, returns one or two, then misses all other pings until the next reload (clear crypto session does not reset fully). The spoke used to ping will bring up a Virtual-Access interface, then immediately bring up a second Virtual-Access interface, and then an invalid SPI is shown (authentication is identical).
    Unfortunately, the issue is not always consistent. Sometimes, after a reload on all routers, one router will retain the ability to ping; other times no routers can ping. Here is an example:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.3.1, timeout is 2 seconds:
    Dec 21 19:38:20.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x,
    prot=50, spi=0xE4981ED6(3835174614), srcaddr=x.x.x.x, input interface=Dialer0...
    Success rate is 40 percent (2/5), round-trip min/avg/max = 96/100/104 ms
    Thanks for any help

    John,
    The error means that no matching SPI was found for inbound encrypted traffic on that ingress interface.
    Is that your interface towards ISP? If so and the SPI actually exists in your SADB but somehow is not associated properly.
    When/if opening a case please attach:
    - show crypto ipsec sa
    - show crypto map
    (taken ideally before and after trying to do spoke-to-spoke tunnel)
    I found reference to a similar problem in our archive, but the customer became unresponsive after a while and no resolution was provided.
    One thing you CAN try is to go to 15.2.4M-latest and see if the problem persists.
    M.

  • Is it possible to have 2 DMVPN tunnels on a spoke router having 2 ISPs to the same hub?

    I have a router R1 acting as a hub for DMVPN. I have a spoke router R2 which has 2 ISPs. Can I establish a DMVPN tunnel via each ISPs to R1 from R2?

    the other posters are correct, all you need is OS X Lion. i have tried it out and it works.
    the bottom line and most important thing to remember about multiple users using the same mac is:
    each user needs their own separate account. for example, if bob is on the screen, and tim logs on using vnc
    then tim gets his own desktop and kbd and mouse. but if bob is on the screen and bob logs on using vnc
    then they share the same desktop
    so if you want say 2 or 5 users or whatever the limit is (and i don't know), you are going to need 2 or 5 or whatever
    separate users
    on the host mac you go into system preferences, sharing, screen sharing, and turn it on
    and on the remote mac you run finder, click on connect to server and type vnc:// and the address of the computer
    like vnc://192.168.1.4 and it should work great over the local network
    there's no other hardware or software you need, you just need to be running OS X Lion
    there are also vnc clients available you can download that might be better than the vnc client in finder

  • DM-VPN with Static NAT for Spoke Router. Require Expert Help

    Dear All,
    This is my first time writing something.
    I have configured DM-VPN and it's working fine; now I want to configure static NAT.
    Some people will think: why do you need static NAT if it's working fine?
    Let me tell you why I need it and what my plan is.
    I have a HUB with 3 spokes. Sometimes I go outside of my office and am not able to access my spoke computer by Terminal Services, because it is on a dynamic IP address. So what I think is that I'll add one static NAT on my HUB router, so that if anyone (or I) hits the real/public IP address of my HUB WAN interface from any other remote location, this request is redirected to my Terminal Services computer, which is located in the spoke network.
    Well, I tried that but failed.
    Again the suggestion will come: why not use Easy VPN? Well, sounds great, but then I have to keep my notebook with me.
    I'll do that too, but now I need to know how to do static NAT, like for a normal router which is not part of a VPN:
    ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
    But this time this command is not working, because the IP address I mention is related to the HUB network, not the spoke.
    Suppose the spoke network is 192.168.2.0/24
    and I want on the HUB router:
    ip nat inside source static tcp 192.168.2.10 3389 interface Dialer1 3389
    I am using Cisco 887 and 877 ADSL routers.
    But it's not working. I need experts' help. Please write your comments, which are very important for me. Waiting for your comments.
    For more details please see the diagram.
    To contact me: [email protected]

    Hi rvarelac, thank you for the reply:
    I already did that; I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!
    crypto isakmp policy 10
     encr aes
     authentication pre-share
    crypto isakmp key 12344321 address 1.1.1.1
    crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
     mode tunnel
    crypto map s2s 100 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set Remote-Site
     match address vpnacl
    interface GigabitEthernet0/0
     crypto map s2s
    Extended IP access list lantointernet
    30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
    80 permit ip any any

  • L2L traffic multiple spokes routing

    I have an issue that I'm hoping you can shed some light on this. I have 3 sites all connected with VPN/IPsec ikev2 tunnels using ASA 5505 and 5510 with 8.4+ code. Please see the image below for more details on my setup. All VPN tunnels are up and sending traffic across from the immediate neighbor, the issue is that I cannot ping or access ASA3's subnet from ASA2's or ASA2's subnet from ASA3's, what am I missing from my configuration? Please see below, and thank you in advance for any assistance you can provide with this.
    ASA 3 VPN Config:
     protocol esp integrity sha-1
    crypto ipsec security-association pmtu-aging infinite
    crypto map crypto_map 1 match address AS3_ACL
    crypto map crypto_map 1 set peer 1.1.1.1
    crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
    crypto map crypto_map interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha256
     group 2
     prf sha256
     lifetime seconds 86400
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
     default-group-policy ipsec_group_policy
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
     vpn-idle-timeout 6000
     vpn-session-timeout none
     vpn-tunnel-protocol ikev2
    nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
    object-group network all_inside_networks
     network-object 10.0.1.0 255.255.255.0
    object-group network all_outside_networks
     network-object 10.0.0.0 255.255.255.0
     network-object 10.0.18.0 255.255.255.0
    access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group all_outside_networks

    ASA1 VPN config
    crypto map crypto_map 1 match address ASA3_ACL
    crypto map crypto_map 1 set peer 3.3.3.3
    crypto map crypto_map 1 set ikev2 ipsec-proposal aes_256
    crypto map crypto_map 2 match address ASA2_ACL
    crypto map crypto_map 2 set peer 2.2.2.2
    crypto map crypto_map 2 set ikev2 ipsec-proposal aes_256
    crypto map crypto_map interface outside
    tunnel-group 3.3.3.3 type ipsec-l2l
    tunnel-group 3.3.3.3 general-attributes
     default-group-policy ipsec_group_policy
    tunnel-group 3.3.3.3 ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 general-attributes
     default-group-policy ipsec_group_policy
    tunnel-group 2.2.2.2 ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    access-list ASA3_ACL extended permit ip object-group all_inside_networks object-group ASA3
    access-list ASA2_ACL extended permit ip object-group all_inside_networks object-group ASA2
    nat (inside,outside) source static all_inside_networks all_inside_networks destination static all_outside_networks all_outside_networks no-proxy-arp route-lookup
    object-group network all_outside_networks
     network-object 10.0.1.0 255.255.255.0
     network-object 10.0.18.0 255.255.255.0
    object-group network ASA2
     network-object 10.0.18.0 255.255.255.0
    object-group network ASA3
     network-object 10.0.1.0 255.255.255.0
    object-group network all_inside_networks
     network-object 10.0.0.0 255.255.255.0
    group-policy ipsec_group_policy internal
    group-policy ipsec_group_policy attributes
     vpn-idle-timeout 6000
     vpn-session-timeout none
     vpn-tunnel-protocol ikev2

  • FlexVPN Cannot Ping From Spoke LAN only

    Topology:
    Hub:
    (hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
    Spoke:
    (hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
    I have full reachability from both routers. 
    Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
    Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
    Partial reachability from lan hosts
    Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
    Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
    Any help would be appreciated

    We've been working with these confs for a while, so they aren't as clean as they could be, but here they are
    ---HUB---
    version 15.2
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname HUB
    boot-start-marker
    boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    enable secret xxxxx
    aaa new-model
    aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
    server-private 10.0.1.15 key xxxxx
    aaa authentication login default local
    aaa authentication login xxxxxVPN_VPN_XAUTH local
    aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
    aaa authorization exec default local
    aaa authorization network default local
    aaa authorization network xxxxxVPN_VPN_GROUP local
    aaa authorization network FLEXVPN_AUTH-Z_LIST local
    aaa session-id common
    clock timezone CST -6 0
    clock summer-time CDT recurring
    clock calendar-valid
    no ip source-route
    no ip gratuitous-arps
    ip cef
    no ip bootp server
    ip domain name xxxxx.net
    ip name-server 166.102.165.13
    ip name-server 166.102.165.11
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 4.2.2.1
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group VPN_GROUP
    key chain EIGRP_KEY_CHAIN
    key 1
      key-string xxxxx
    crypto pki trustpoint FLEXVPN_RA_TP
    enrollment terminal
    serial-number none
    fqdn vpn.xxxxx.net
    ip-address none
    subject-name cn=vpn.xxxxx.net
    revocation-check crl
    eckeypair FLEXVPN_RA_TP-Key
    crypto pki certificate chain FLEXVPN_RA_TP
    certificate 460000.. nvram:xxxxx#2.cer
    certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
    license udi pid CISCO1921/K9 sn xxxxx
    archive
    path ftp://xxxxx
    write-memory
    username xxxxx privilege 15 password xxxxx
    redundancy
    crypto ikev2 authorization policy default
    pool FLEX_SPOKES_POOL
    route set interface
    crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
    pool FLEXVPN_RA_POOL
    dns 10.0.1.15
    netmask 255.255.255.0
    def-domain xxxxx.net
    route set access-list FLEXVPN_RA_ACL
    crypto ikev2 proposal SHA1-only
    encryption aes-cbc-256
    integrity sha1
    group 5
    crypto ikev2 policy SHA1-only
    match fvrf any
    proposal SHA1-only
    crypto ikev2 keyring FLEX_KEY
    peer ALL
      address 0.0.0.0 0.0.0.0
      pre-shared-key local xxxxx
      pre-shared-key remote xxxxx
    crypto ikev2 profile FLEX_IKEv2
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local FLEX_KEY
    aaa authorization group psk list default default
    virtual-template 1
    crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
    match identity remote key-id xxxxx.net
    identity local dn
    authentication remote eap query-identity
    authentication local rsa-sig
    pki trustpoint FLEXVPN_RA_TP
    dpd 60 2 on-demand
    aaa authentication eap FLEXVPN_AUTH-C_LIST
    aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
    virtual-template 10
    crypto ikev2 dpd 30 5 on-demand
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto logging session
    crypto isakmp client configuration group xxxxxVPN
    key xxxxx
    pool xxxxxVPN_POOL
    acl xxxxxVPN_ACL
    netmask 255.255.255.0
    crypto isakmp profile xxxxxVPN_IKE_PROFILE
       match identity group xxxxxVPN
       client authentication list xxxxxVPN_VPN_XAUTH
       isakmp authorization list xxxxxVPN_VPN_GROUP
       client configuration address respond
       virtual-template 100
    crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set IKEv2 esp-gcm
    mode transport
    crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
    set transform-set xxxxxVPN_SET
    set isakmp-profile xxxxxVPN_IKE_PROFILE
    crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
    set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
    crypto ipsec profile default
    set transform-set IKEv2
    set ikev2-profile FLEX_IKEv2
    interface Loopback100
    ip address 172.31.100.1 255.255.255.255
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 10.0.1.1 255.255.255.0
    no ip unreachables
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface Virtual-Template1 type tunnel
    description FlexVPN hub-to-spokes
    ip unnumbered Loopback100
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    interface Virtual-Template10 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
    interface Dialer0
    mtu 1492
    ip address negotiated
    no ip unreachables
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    ip tcp adjust-mss 1450
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password xxxxx
    ppp pap sent-username [email protected] password xxxxx
    no cdp enable
    router eigrp 1
    distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
    network 10.0.1.0 0.0.0.255
    network 172.30.200.0 0.0.0.255
    network 172.31.100.1 0.0.0.0
    passive-interface GigabitEthernet0/0
    ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
    ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
    ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 172.30.200.0 255.255.255.0 Null0
    ip access-list standard FLEXVPN_RA_ACL
    permit 10.0.1.0 0.0.0.255
    permit 10.0.2.0 0.0.0.255
    permit 10.0.3.0 0.0.0.255
    permit 10.0.4.0 0.0.0.255
    ip access-list standard MGMT_ACL
    permit 172.30.200.0 0.0.0.255
    permit 172.31.254.0 0.0.0.255
    permit 10.0.1.0 0.0.0.255
    ip access-list extended xxxxxVPN_ACL
    permit ip 172.30.255.0 0.0.0.255 any
    permit ip 10.0.1.0 0.0.0.255 any
    permit ip 172.31.254.0 0.0.0.255 any
    ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
    ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
    ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
    access-list 1 permit 10.0.1.0 0.0.0.255
    route-map EIGRP_SUMMARY_RMAP permit 10
    match ip address prefix-list EIGRP_SUMMARY_PFLIST
    control-plane
    banner motd  Cxxxxx
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class MGMT_ACL in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    transport input all
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 1.pool.ntp.org
    ntp server 0.pool.ntp.org prefer
    end
    ---SPOKE---
    version 15.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname SPOKE
    boot-start-marker
    boot system flash:c880data-universalk9-mz.152-4.M5.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    enable secret xxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    clock calendar-valid
    no ip source-route
    no ip gratuitous-arps
    no ip bootp server
    ip domain name xxxxx.net
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 4.2.2.1
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    key chain EIGRP_KEY_CHAIN
    key 1
      key-string xxxxx
    license udi pid CISCO881-SEC-K9 sn FTX1740854N
    archive
    path ftp://xxxxx
    write-memory
    username xxxxx privilege 15 password xxxxx
    crypto ikev2 authorization policy default
    route set interface
    crypto ikev2 keyring FLEX_KEY
    peer ALL
      address 0.0.0.0 0.0.0.0
      pre-shared-key local xxxxx
      pre-shared-key remote xxxxx
    crypto ikev2 profile FLEX_IKEv2
    match identity remote address 0.0.0.0
    authentication remote pre-share
    authentication local pre-share
    keyring local FLEX_KEY
    aaa authorization group psk list default default
    virtual-template 1
    crypto ikev2 dpd 30 5 on-demand
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto ipsec transform-set IKEv2 esp-gcm
    mode transport
    crypto ipsec profile default
    set transform-set IKEv2
    set ikev2-profile FLEX_IKEv2
    interface Loopback101
    ip address 172.31.101.3 255.255.255.255
    interface Tunnel0
    description FlexVPN tunnel
    ip address negotiated
    ip mtu 1400
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source Vlan1
    tunnel destination x.x.x.x
    tunnel path-mtu-discovery
    tunnel protection ipsec profile default
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address dhcp
    no ip unreachables
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    description FlexVPN spoke-to-spoke
    ip unnumbered Loopback101
    ip nhrp network-id 1
    ip nhrp shortcut virtual-template 1
    ip nhrp redirect
    tunnel protection ipsec profile default
    interface Vlan1
    ip address 10.0.3.1 255.255.255.0
    ip helper-address 10.0.1.15
    no ip unreachables
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip access-list standard INTERNET_BOUND_ACL
    permit 10.0.3.0 0.0.0.255
    ip access-list standard MGMT_ACL
    permit 172.30.255.0 0.0.0.255
    permit 172.31.100.0 0.0.0.255
    permit 10.0.1.0 0.0.0.255
    permit 10.0.3.0 0.0.0.255
    permit 172.30.200.0 0.0.0.255
    access-list 99 permit 10.0.3.0
    control-plane
    banner motd  xxxxx
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    access-class MGMT_ACL in
    privilege level 15
    transport input telnet ssh
    ntp update-calendar
    ntp server 0.pool.ntp.org prefer
    ntp server 1.pool.ntp.org
    end

  • DMVPN split tunneling issue, not able to bypass HTTP traffic at spoke end.

    Dear all,
    I would appreciate it if you could help me resolve the following issue.
    I have been using a DMVPN setup (routing protocol EIGRP) for 20 sites with no issues at all; everything is working perfectly.
    Now I have received a request to split corporate legitimate traffic and internet traffic at the spoke end, so all internet traffic has to be forwarded via the local ADSL connection. I tried to resolve it, but the spoke router continuously forwards all traffic to the tunnel.
    Moreover, I found on the internet that DMVPN has the limitation that split tunneling is not possible.
    Can you please suggest how I can forward internet traffic (HTTP) via the local ADSL connection?
    thanks and regards,

    I agree with Marcin.
    At the spoke you would need to add a static default route for the internet traffic. You are also, most likely, injecting a default route into the EIGRP process at the hub, but the static route at the spokes will override this as it has a lower metric. Depending on your setup, if the ADSL line is on a different interface than that of the DMVPN, you could leave the EIGRP default route and use it as a backup in case the ADSL goes down. But if they are both located off the same interface then there is no point in keeping the injected default route.
    Please remember to rate and select a correct answer
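Both the route override in the first post (a hub-pushed 192.168.1.0/24 via Tunnel0 displacing the spoke's static route and looping traffic between hub and spoke) and the split-tunnel answer above come down to how IOS picks one route per prefix: longest prefix match first, then the lowest administrative distance. The Python model below is an added example, not code from either thread or from Cisco. It models the RIB, walks a packet between the two routers to show the loop, then shows the loop disappearing once the hub-received route is installed with a higher distance; in IOS the knob for that is the distance option of `route accept` in the IKEv2 authorization policy, which I take to be what the linked command reference describes. The default distance of a received route is not stated on the page, so it is a parameter here. Router names, the Virtual-Access1 interface, the equal-distance replacement rule, and the DMVPN addresses 10.0.1.0/24 and 8.8.8.8 are constructed; 192.168.1.0/24, 10.1.1.1 and Tunnel0 come from the first post, and the static (1) and EIGRP internal (90) distances are IOS defaults.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str    # next-hop address or outgoing interface name
    distance: int    # administrative distance; lower is preferred
    source: str      # where the route came from, for display only


def install(rib, route):
    """Install a route into the RIB (one route per prefix).

    A candidate with equal or lower distance replaces the existing route.
    Equal-distance replacement is a modelling assumption chosen to reproduce
    the override reported in the first post; real IOS tie-breaking is not
    modelled here."""
    current = rib.get(route.prefix)
    if current is None or route.distance <= current.distance:
        rib[route.prefix] = route
    return rib


def lookup(rib, dst):
    """Longest-prefix match for a destination address."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in rib.values() if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def trace(ribs, links, start, dst, max_hops=8):
    """Forward a packet router by router. `links` maps (router, next_hop) to
    the adjacent router; a next hop with no link entry means the packet leaves
    the model (delivered). Returns (path, looped)."""
    path, router = [], start
    for _ in range(max_hops):
        route = lookup(ribs[router], dst)
        if route is None:
            return path, False          # no route: dropped, but no loop
        path.append((router, route.next_hop))
        nxt = links.get((router, route.next_hop))
        if nxt is None:
            return path, False          # left the modelled topology
        if any(nxt == seen for seen, _ in path):
            return path, True           # back at a router already visited
        router = nxt
    return path, True


def net(s):
    return ipaddress.IPv4Network(s)


# --- FlexVPN case from the first post (prefix, next hop and Tunnel0 from it) --
def flexvpn_spoke_rib(received_distance):
    """Spoke RIB: the static route to the inside LAN, then the same prefix
    pushed back by the hub over IKEv2, installed with `received_distance`."""
    rib = {}
    install(rib, Route(net("192.168.1.0/24"), "10.1.1.1", 1, "static"))
    install(rib, Route(net("192.168.1.0/24"), "Tunnel0", received_distance,
                       "ikev2-from-hub"))
    return rib


HUB_RIB = {}
install(HUB_RIB, Route(net("192.168.1.0/24"), "Virtual-Access1", 1,
                       "ikev2-from-spoke"))   # hub learned it from the spoke
LINKS = {("SPOKE", "Tunnel0"): "HUB", ("HUB", "Virtual-Access1"): "SPOKE"}
# ("SPOKE", "10.1.1.1") has no entry: that hop delivers to the inside router.


def flexvpn_loops(received_distance):
    """True when a packet from the hub to 192.168.1.0/24 bounces back to the hub."""
    ribs = {"SPOKE": flexvpn_spoke_rib(received_distance), "HUB": HUB_RIB}
    return trace(ribs, LINKS, "HUB", "192.168.1.10")[1]


# --- DMVPN split-tunnel case (constructed addresses) -------------------------
def dmvpn_spoke_rib():
    """Spoke RIB: EIGRP default and corporate routes via the tunnel, plus a
    static default via the local ADSL interface."""
    rib = {}
    install(rib, Route(net("0.0.0.0/0"), "Tunnel0", 90, "eigrp-from-hub"))
    install(rib, Route(net("10.0.1.0/24"), "Tunnel0", 90, "eigrp-from-hub"))
    install(rib, Route(net("0.0.0.0/0"), "Dialer0", 1, "static"))
    return rib


def dmvpn_exit(dst):
    """Outgoing interface the spoke picks for `dst` once the static default exists."""
    return lookup(dmvpn_spoke_rib(), dst).next_hop


if __name__ == "__main__":
    for d in (1, 250):
        print(f"received-route distance {d}: loop = {flexvpn_loops(d)}")
    for dst in ("8.8.8.8", "10.0.1.20"):
        print(f"DMVPN spoke sends {dst} out {dmvpn_exit(dst)}")
```

With the received route at distance 1 the trace goes hub, spoke, hub and stops as a loop; at distance 250 the spoke's static route survives and the packet leaves towards 10.1.1.1. In the DMVPN case the static default (distance 1) beats the EIGRP default (distance 90) for internet destinations, while corporate prefixes still win on prefix length and stay in the tunnel, which is the split the answer describes.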

  • Internet access via hairpinning for Spoke to Hub IPSec VPN

    I have a hub and spoke configuration with a number of site-to-site IPsec VPNs from 857's terminating on an 1811 at the hub. Also in the mix is a client-to-site (EZVPN) which also terminates at the hub.
    I need to ensure all traffic destined for the internet goes out through the hub 1811. I've looked at trying to use a form of hairpinning so that "interesting traffic" from remote sites gets NATted at the hub router to the internet.
    I have seen a number of configurations (in these forums) where internet-directed traffic from EZVPN clients is forced via a hairpin out via the hub router. I am trying to emulate that feature with the site-to-site IPSec VPNs - where internet directed traffic from spokes must go through the hub router, and not be permitted to go directly to the internet from the spoke routers.
    Attached are configs for the hub router and one of the spoke routers, and a pdf diagram.
    I can get traffic to the internet (in my test lab) from the loopback connector (1.1.1.1) by extended pings; I have connectivity from the spoke1 LAN to the hub LAN (pings again), but not from the spoke1 LAN to the internet via the hub router.
    Thanks in advance for any help
    Phil

    Thanks, guys. Yes, those two access lists did need some attention.
    I've changed the access list on the spoke router from
    access-list 120 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
    to
    access-list 120 permit ip 192.168.8.0 0.0.0.255 any
    which allows traffic from the spoke lan out to the internet via the hub router. I've also taken NAT off the spoke router.
    But I also need to change the matching access list on the hub router. I changed the old access list from
    access-list 121 permit ip 192.168.0.0 0.0.255.255 192.168.8.0 0.0.0.255
    to
    access-list 121 permit ip any 192.168.8.0 0.0.0.255
    but I couldn't pass any traffic over the VPN. If I remove access-list 121 completely, then traffic does pass, but the crypto map on the hub router becomes "incomplete".
    When the tunnel is up, and passing traffic, I can ping an internet address (in my lab), but not all traffic is getting through. Every second ping times out, often there are 3 or 4 pings that time out.
    Any suggestions as to what to do with the access list (121) on the hub router, and what can I do to get more reliable results (i.e. get every ping to work)?
    TIA
    Phil

  • DMVPN Hub and Spoke behind NAT device

    Hi All,
    I have seen many documents about a DMVPN hub behind NAT or a DMVPN spoke behind NAT.
    But my case involves both situations.
    1) The HUB has a load balancer (2 WAN links), ISP A & B
    2) The spoke has a load balancer (2 WAN links), ISP A & B
    Now the requirement is: Spoke ISP A tunnel to HUB ISP A, Spoke ISP B tunnel to HUB ISP B.
    So there are two DMVPN tunnels in total from spoke to hub, and I will use EIGRP and PBR to select the path.
    As I know, at the HUB site the LB must do static NAT for the HUB router IP, so the spoke will point to it as the tunnel destination address. At the spoke LB, I will policy-route to reach the HUB ISP A IP via the Spoke ISP A link and the HUB ISP B IP via the Spoke ISP B link.
    HUB and spoke have to create 2 tunnels with two different network IDs but using the same source interface.
    The tunnel destination IP at the spoke router does not directly belong to the HUB router. It is held by the HUB LB and forwarded to the HUB router by static NAT.
    Any problems I will face with this setup? Any guide?
    Sample config at HUB.
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.1 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 600
    delay 1000
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile cisco
    Spoke Config
    interface Tunnel0
    bandwidth 1000
    ip address 172.16.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.16.1.1 199.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 300
    ip nhrp nhs 172.16.1.1
    delay 1000
    tunnel source FastEthernet0/0
    tunnel destination 199.1.1.1
    tunnel key 0
    tunnel protection ipsec profile cisco
    interface Tunnel1
    bandwidth 1000
    ip address 172.17.1.2 255.255.255.0
    ip mtu 1440
    ip nhrp authentication cisco123
    ip nhrp map 172.17.1.1 200.1.1.1
    ip nhrp network-id 2
    ip nhrp holdtime 300
    ip nhrp nhs 172.17.1.1
    delay 1500
    tunnel source FastEthernet0/0
    tunnel destination 200.1.1.1
    tunnel key 1
    tunnel protection ipsec profile cisco

    Hi Marcin,
    thanks for your reply. The NAT was set up in a way it was/is just to simulate the spoke to be behind NAT device.
    About AH and ESP, you are correct there... this was actually my issue. I should have used pure ESP. At the end, TAC actually assisted me with this. Before I called TAC, i did notice the following. ISAKMP traffic was NATed to 3.3.3.3, as expected. Anything after that, did not work and it has to with NAT and AH. Traffic was no longer NATed so the hub, saw the traffic come from 2.2.2.2 rather than 3.3.3.3, you can also see that in the error message you have pointed out. I also saw it in my packet captures. That caught my eye and i started troubleshooting it. I did not understand that AH can't be NATed, Below  is TAC's explanation. All is good now. Thanks
    .  Essentially, it comes down to the fact that AH will encapsulate the entire IP packet (hence why it is the outermost header) with the exception of a few mutable fields, including the DSCP/ToS, ECN, flags, fragment offset, TTL, and the header checksum.  Since the source/destination IP addresses & port numbers are actually protected by the AH integrity checking, this means that a device performing a NAT operation on the packet will alter these IP header fields and effectively cause the hub router to drop the packet due to AH failure.
    Conversely, ESP traffic is able to properly traverse NAT because it doesn't include the IP header addresses & ports in its integrity check.  In addition, ESP doesn't need to be the outermost header of the packet in order to work, which is why devices will attach an outer UDP/4500 header on the traffic going over NAT."
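To make TAC's explanation concrete, the Python script below is an added example, not from the thread or from Cisco. It builds a minimal AH packet and a minimal ESP packet, computes each integrity check value over exactly the bytes the respective protocol covers (AH: the IP header with the mutable fields zeroed, plus the AH header and payload; ESP: only the ESP header and payload), then passes both through an ordinary routed hop (TTL decrement) and through a source NAT that rewrites 2.2.2.2 to 3.3.3.3 as in the post. The hub address 4.4.4.4, the key, the SPIs and the payload are constructed; HMAC-SHA-256 truncated to 128 bits stands in for whatever integrity algorithm the SA negotiated, and ESP encryption is left out because only the scope of the integrity check matters for the NAT question.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"      # constructed; real SA keys come from IKE
ICV_LEN = 16                       # HMAC-SHA-256-128 truncation
AH_SPI, ESP_SPI, SEQ = 0x1001, 0x2002, 1   # constructed values


def with_checksum(hdr):
    """Recompute the IPv4 header checksum (what any router or NAT does)."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # version/IHL, TOS, total length, id, flags+frag, TTL, proto, csum, src, dst
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return with_checksum(raw)


def ah_immutable(hdr):
    """AH zeroes the mutable fields before computing the ICV: TOS (DSCP/ECN),
    flags + fragment offset, TTL and header checksum. Addresses stay covered."""
    mutable = {1, 6, 7, 8, 10, 11}
    return bytes(0 if i in mutable else b for i, b in enumerate(hdr))


def ah_packet(src, dst, payload):
    ah_len = 12 + ICV_LEN
    hdr = ipv4_header(src, dst, 51, 20 + ah_len + len(payload))
    # next header 4 (IP-in-IP, tunnel mode); length in 32-bit words minus 2
    fixed = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, AH_SPI, SEQ)
    covered = ah_immutable(hdr) + fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + fixed + icv + payload


def ah_verify(pkt):
    hdr, fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    covered = ah_immutable(hdr) + fixed + bytes(ICV_LEN) + payload
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_packet(src, dst, payload):
    # Encryption is omitted: only the scope of the integrity check matters here.
    esp = struct.pack("!II", ESP_SPI, SEQ) + payload
    icv = hmac.new(KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    hdr = ipv4_header(src, dst, 50, 20 + len(esp) + ICV_LEN)
    return hdr + esp + icv


def esp_verify(pkt):
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]   # outer IP header not covered
    expected = hmac.new(KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def source_nat(pkt, new_src):
    """What the NAT device in front of the spoke does: rewrite the source
    address and fix the header checksum."""
    hdr = pkt[:20]
    hdr = hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]
    return with_checksum(hdr) + pkt[20:]


def decrement_ttl(pkt):
    """An ordinary routed hop: TTL goes down by one, checksum is recomputed."""
    hdr = pkt[:20]
    return with_checksum(hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]) + pkt[20:]


def nat_traversal_outcome():
    """Spoke 2.2.2.2 is NATed to 3.3.3.3 (addresses from the post); the hub
    address 4.4.4.4 and the payload are constructed."""
    payload = b"constructed GRE-in-IP payload"
    ah = ah_packet("2.2.2.2", "4.4.4.4", payload)
    esp = esp_packet("2.2.2.2", "4.4.4.4", payload)
    return {
        "ah_after_routed_hop": ah_verify(decrement_ttl(ah)),
        "ah_after_nat": ah_verify(source_nat(ah, "3.3.3.3")),
        "esp_after_routed_hop": esp_verify(decrement_ttl(esp)),
        "esp_after_nat": esp_verify(source_nat(esp, "3.3.3.3")),
    }


if __name__ == "__main__":
    for check, ok in nat_traversal_outcome().items():
        print(f"{check:22s} integrity {'OK' if ok else 'FAILED'}")
```

The AH packet still verifies after the TTL hop, because TTL and checksum are excluded from the ICV, but fails after the NAT rewrites the source address, which is inside the covered bytes; the ESP packet verifies in both cases because its ICV never touches the outer IP header. That difference is the whole reason a spoke behind NAT needs ESP (and, on the hub side, the UDP/4500 NAT-T encapsulation the TAC note mentions).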

  • [rspan in 'hub+spoke' topology]

    Hi,
    I have the topology depicted in the attached drawing.
    What we want to achieve is to enable rspan to replicate monitored traffic from access switches (3550 spokes) to a core switch (6500 hub).
    The configuration in general is working and looks like this:
    HUB:
    monitor session 1 destination interface Gix/y
    monitor session 1 source remote vlan z
    SPOKES:
    monitor session 1 source interface Gix/y
    monitor session 1 destination remote vlan z
    As stated previously the environment is working, but...we're having one problem. The uplinks from the spokes to the hub are almost full. After doing some troubleshooting, we found that span traffic is being replicated by the hub to the spokes. The reason I say this is that when I remove the rspan vlan (on the core switch) from the uplink to the hubs, the output traffic from core to access (or input on the access switches) goes down in the same amount being received by the network analyzer. When I add the vlan on the uplink trunk again, the traffic going out of the core to the access switches goes up by the same amount being sent to the network analyzer.
    Like I said, the rspan part seems to be working fine, but the uplinks to the access switches are getting full because the hub switch is copying the span traffic to all uplinks, which is not what we want.
    Two questions here:
    1.- Is this the way rspan is supposed to work in this environment?
    2.- if not, is there a way to turn off this behavior or does it sound like a bug to you?
    Thanks in advance!
    c.

    Hello,
    in Hub and Spoke - as in any other L3VPN - traffic will flow in the opposite direction of IP routing updates. In a Hub and Spoke setup the spoke sites should get routing updates from the hub site. Thus one faces a split horizon problem: updates learned at the hub CE from a neighbor (PE) will not be sent back over the same interface to that neighbor. Hence the simple solution is: one VRF and interface to announce spoke routes from the PE to the hub CE and another interface terminating in a second VRF to announce the routes from the hub CE back into the MPLS VPN environment.
    Just as a side note: this results in an unusual load pattern on the two hub CE interfaces. Both interfaces will have nearly only load in one direction.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • DMVPN Spoke with 2 internet link

    Hi All,
    I am stuck in a situation where we have 2 hubs, one in HQ and one in the DR site. Both hubs are configured to have different DMVPN clouds. We have some branches with two internet links, one ADSL and another 3G.
    I want to set up DMVPN in such a way that if ADSL goes down then the DMVPN tunnel should come up via 3G.
    What I know is I would require different tunnels on the spoke for achieving this. Currently on each spoke I have two tunnels, one terminates on HQ and another terminates on DR, and both are live. I am managing routes via EIGRP.
    My question is, do I need to create another DMVPN cloud for this to work, as I can not use the same subnet IP on new tunnels which will be having 3G as source? Or shall I create a new subnet for tunnels which will work over 3G?
    If I create a new tunnel for the 3G network, then what will be the configuration on HQ & DR, as we have only one internet link on DR & HO?
    Can anybody help me on this?
    I just need an idea how to achieve it. My full DMVPN is working over the internet, no private MPLS....

    Hi Jain,
    You can let HQ and DR be in the same DMVPN cloud. In HQ, do a static NHRP map to DR and vice versa.
    On spoke routers, create two static NHRP maps and NHS entries.
    Tunnel0
    description Spoke
    ip nhrp map multicast HQ-WAN-IP
    ip nhrp map HQ-Tunnel-IP HQ-WAN-IP
    ip nhrp map multicast DR-WAN-IP
    ip nhrp map DR-Tunnel-IP DR-WAN-IP
    ip nhrp network-id 123
    ip nhrp holdtime 60
    ip nhrp nhs HQ-Tunnel-IP
    ip nhrp nhs DR-Tunnel-IP
    This will allow you to use one DMVPN cloud for two hubs.
    Secondly, for spoke failover to 3G, you would need to create another DMVPN tunnel at the HUB and SPOKE router.
    At HUB, use a different tunnel IP, but the tunnel source will be the same. In order for this to work, I will suggest you use DMVPN over IPsec. Use a different tunnel key and ip nhrp network-id for both tunnel interfaces. Use the "shared" command when applying the ipsec policy on the Tunnel interface.
    Sample config at Hub( I only show the difference in Tunnel config)
    Tunnel0
    description ***Primary Tunnel***
    ip address x.x.x.x
    ip nhrp network-id 1
    tunnel key 1
    tunnel protection ipsec profile TN-DMVPN shared
    Tunnel1
    description ***Primary Tunnel***
    ip address y.y.y.y
    ip nhrp network-id 2
    tunnel key 2
    tunnel protection ipsec profile TN-DMVPN shared
    At Spoke, configure the same as the primary tunnel, but make sure to change network-id and tunnel key. Here, you may not need to use the "shared" command when applying the ipsec policy.
    Hope this helps.
    Regards,
    Nagis

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, my DMVPN configuration works just fine. I'm able to ping from my Cisco 877 to any Spoke & vice versa.
    I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at the Spoke site, nor am I able to ping my LAN from any Spoke site.
    I've googled a lot but have come across designs where the ASAs are behind the Cisco Routers and not in front.
    Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clarify things, please find below the results.
    1) What routing protocol are you using?
    a) It's OSPF
    2) If you're using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and both the HUB and Spokes get their routes defined
        (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
        (I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
    3) Are your tunnels configured correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) On your hub/spoke do a debug ip icmp
    a) Did that as well, and if I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but if I ping from HUB to Spoke on a client IP behind the Spoke, it pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spokes' Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA or the clients on my LAN.
    Additional to the info above, Please also note :
    I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that My Cisco HUB is unable to talk to  my LAN, If I can get the HUB to talk to the internal LAN, I would be  able to ping clients on LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.

  • Cannot console in or telnet to Router

    Router console connection will not open and connect. Cannot telnet to the Router as well. Any suggestions? This is on a frame relay hub and spoke router that is in production. Thanks!

    Speed in the terminal emulation software could be the issue, and flow control should be set to none. Also, it could be caused by memory problems. If memory gets highly utilized or fragmented, telnet and console sessions won't open and the only fix is a reboot.

  • DMVPN Hub router with static NAT

    Hi everyone,
    I'm trying to set up a lab environment to establish a DMVPN. I have two CISCO 2811 routers, IOS version 12.4(3j). I need to configure those routers to establish a DMVPN. For the spoke router, I have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assigned by the ISP. But I have a Watchguard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
    1) Can I establish the DMVPN between the routers with that firewall in the middle?
    2) In case it is possible, what will the physical hub address be? And is there something I need to change on the firewall configuration?
    3) In case it isn't possible, what other options do I have to establish a VPN tunnel between the routers in those conditions?
    If there is anything else you need to know to understand the situation, please ask. I haven't configured either of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you could bring.
    Gustavo


  • Help! My 2691xm router is deaf to ISAKMP

    Hello.
    I am trying to set up a DMVPN.
    The setup is the following:
    1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin
    2691xm is a hub - c2691-advsecurityk9-mz.124-15.T14.bin
        As I stated in the title, my clients' 2691xm router is deaf to ISAKMP. It is configured as a hub for DMVPN, and doesn't show that it is receiving anything VPN-related. The 1751-V on the other hand is very noisy, sending out a lot of IKE requests to the 2691xm.
        I made the 1751-V talk to my home's 1751-V with a slightly modified version of the 2691xm's config without any problems. I didn't get access through the VPN quite yet, but they at least got through ISAKMP.
    I turned on "debug dmvpn all all" and "term mon", and I get NO output from the 2691xm.
    I also get nothing from "show crypto isakmp sa".
    I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.
    I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic as evident in the next paste.
    router-1#show access-list INTERNET_IN
    Extended IP access list INTERNET_IN
        70 permit udp any any eq isakmp log (2576 matches)
        80 permit gre any any log
        90 permit esp any any log
    So I AM getting traffic through to the router, but my router isn't reacting to it?
    Below are snippets of relevant configs.
    HUB:
    Internet: int fa0/1 - T1 w/ static IP through ethernet
    LAN : int fa0/0 - lan 192.168.20.1
    ip multicast-routing
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key ABCD address 0.0.0.0 no-xauth
    crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile PROFILE_1
    set security-association lifetime seconds 600
    set transform-set TRANSFORM_1
    set pfs group2
    interface Tunnel0
    ip pim sparse-mode
    bandwidth 1536
    ip address 10.0.20.20 255.255.255.0
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source fa0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp authentication ABCD
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.20.0 0.0.0.255
    no auto-summary
    ip access-list extended NAT_TRAFFIC
    deny  ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
    permit ip 192.168.20.0 0.0.0.255 any
    route-map NONAT permit 10
    match ip address NAT_TRAFFIC
    ip nat inside source route-map NONAT interface fa0/1 overload
    SPOKE:
    Internet: int dialer0 - DSL, PPPoE, DHCP
    LAN : int vlan0 - 192.168.22.1
    ip multicast-routing
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key ABCD address 0.0.0.0 no-xauth
    crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile PROFILE_1
    set security-association lifetime seconds 600
    set transform-set TRANSFORM_1
    set pfs group2
    interface Tunnel0
    ip pim sparse-mode
    bandwidth 1536
    ip address 10.0.20.22 255.255.255.0
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source d0
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    ip nhrp map 10.0.20.20 2691_WAN_IP
    ip nhrp map multicast 2691_WAN_IP
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp nhs 10.0.20.20
    ip nhrp authentication ABCD
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.22.0 0.0.0.255
    no auto-summary
    eigrp stub connected
    ip access-list extended NAT_TRAFFIC
    deny  ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip 192.168.22.0 0.0.0.255 any
    route-map NONAT permit 10
    match ip address NAT_TRAFFIC
    ip nat inside source route-map NONAT interface Dialer0 overload
    As I previously said, 2691xm DOES NOT REACT. Only thing I have been able to determine is the router DOES NOT block traffic on port 500 UDP.
    Here is some output from 1751-v (spoke router).
    ISAKMP: set new node 0 to QM_IDLE
    ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
    ISAKMP: Error while processing SA request: Failed to initialize SA
    ISAKMP: Error while processing KMI message 0, error 2.
    ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    router-1#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst            src            state          conn-id slot status
    2691_WAN_IP    1751_WAN_IP MM_NO_STATE          0    0 ACTIVE
    2691_WAN_IP    1751_WAN_IP MM_NO_STATE          0    0 ACTIVE (deleted)
    The 1751-v works with another 1751-v (to an extent), just not the 2691xm I need it to work with.
    Please help as this is driving me CRAZY!!!!
    I would appreciate ANY suggestions/comments/criticisms/hypotheses/requests/ANYTHING!!!!
    -Vittorio
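    Added check for the "show access-list" reasoning in the post above; it is example code written for this thread, not the poster's or Cisco's. It parses output of the shape the poster pasted (the sample below is constructed to match his three ACEs and hit count) and reports, per IPsec-related ACE, whether a permit exists and how many hits it has, so "the ACL passes it" can be told apart from "the router answered". The checklist of what a DMVPN hub needs to accept is an assumption written for this example.

```python
import re

# Constructed sample in the shape of the poster's "show access-list INTERNET_IN" output.
SAMPLE = """Extended IP access list INTERNET_IN
    70 permit udp any any eq isakmp log (2576 matches)
    80 permit gre any any log
    90 permit esp any any log
"""

ACL_NAME_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)\s*(?:\((\d+) matches\))?$")

def parse_show_access_list(text):
    """Return (acl_name, [ace, ...]); each ace is a dict with seq/action/proto/port/matches.
    'port' is the 'eq' keyword or number for tcp/udp ACEs, else None."""
    name, aces = None, []
    for line in text.splitlines():
        m = ACL_NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, action, proto, rest, hits = m.groups()
        pm = re.search(r"\beq\s+(\S+)", rest)
        aces.append({"seq": int(seq), "action": action, "proto": proto,
                     "port": pm.group(1) if pm else None,
                     "matches": int(hits) if hits else 0})
    return name, aces

# Inbound traffic a DMVPN-over-IPsec hub accepts from its peers (assumed checklist for this
# example). NAT-T only matters once a peer sits behind NAT; GRE only matters without
# "tunnel protection", since otherwise the GRE packet rides inside ESP.
CHECKS = {
    "IKE udp/500":    lambda a: a["proto"] == "udp" and a["port"] in ("isakmp", "500"),
    "ESP":            lambda a: a["proto"] == "esp",
    "GRE":            lambda a: a["proto"] == "gre",
    "NAT-T udp/4500": lambda a: a["proto"] == "udp" and a["port"] in ("non500-isakmp", "4500"),
}

def audit(aces):
    """Map each check to None (no permit ACE at all) or the summed hit count of matching permits."""
    report = {}
    for label, pred in CHECKS.items():
        hits = [a["matches"] for a in aces if a["action"] == "permit" and pred(a)]
        report[label] = sum(hits) if hits else None
    return report

if __name__ == "__main__":
    name, aces = parse_show_access_list(SAMPLE)
    for label, hits in audit(aces).items():
        state = "no permit ACE" if hits is None else f"{hits} hits"
        print(f"{name}: {label:15} {state}")
    # Hits on the IKE ACE with none on ESP say only that IKE reaches the box: phase 1 never
    # completed (the spoke sits in MM_NO_STATE), so no ESP was ever sent in either direction.
```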

    Here is the requested information:
    interface Tunnel0
    bandwidth 1536
    ip address 10.0.20.20 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    ip pim sparse-mode
    ip nhrp authentication ABADCADS
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    tunnel source FastEthernet0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    interface FastEthernet0/1
    ip address INTERNET_ADDRESS 255.255.255.248
    ip access-group INTERNET_IN in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.20.0
    no auto-summary
    ip access-list extended INTERNET_IN
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit tcp any any established
    permit udp any eq domain any
    permit udp any any eq ntp
    permit udp any any eq isakmp log
    permit gre any any log
    permit esp any any log
    permit udp any eq ntp any
    permit tcp any any eq 22
    deny   ip any any log-input
    ip access-list extended NAT_TRAFFIC
    deny   ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny   ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
    permit ip 192.168.20.0 0.0.0.255 any
    ip nat inside source route-map NONAT interface FastEthernet0/1 overload
    Thank you, please tell me if you need anything else
    -Vittorio
