
Ticket 9 DMVPN

DMVPN is configured between R7 and R24 through a NAT network (R23).


R7 is configured as the HUB and R24 as the Spoke.
The user (PC109) attached to R24 has lost access to Headquarters.
It must be able to reach the Server in the BancoBank Headquarters in BGP AS 65100.
Fix the issue so that the user can reach the Server through the DMVPN.

PC109#ping Server1.bancobank.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/11 ms
PC109#trace Server1.bancobank.org
Type escape sequence to abort.
Tracing the route to Server1.bancobank.org (172.16.200.200)
VRF info: (vrf in name/id, vrf out name/id)
1 10.23.45.1 2 msec 0 msec 0 msec
2 172.247.247.1 10 msec 7 msec 10 msec
3 172.16.0.2 11 msec 11 msec 10 msec
4 Server1.bancobank.org (172.16.200.200) 10 msec * 11 msec
While you are resolving these faults, you are not allowed to modify the ACL.

1. Fix DHCP Problem on R24


Analyze
TS_PC109#sh ip int br | i 0/0
Ethernet0/0   10.23.45.2   YES DHCP   up   up
TS_PC109#sh int e0/0 | i bia
Hardware is AmdP2, address is aabb.cc00.6d00 (bia aabb.cc00.6d00)
TS_R24#sh run | s dhcp
ip dhcp excluded-address 10.23.45.1
ip dhcp pool BancoBank_HomeOffice
 network 10.23.45.0 255.255.255.0
 default-router 10.23.45.1
 domain-name bancobank.org
 dns-server 10.23.45.1
ip dhcp pool BancoBank_Vlan200_User
 host 10.23.45.100 255.255.255.0
 client-identifier 01cc.bbaa.0010.01
 default-router 10.23.45.1
 domain-name bancobank.org
 dns-server 10.23.45.1
TS_R7#sh run | i host
ip host SeRvEr1.bancobank.org 172.16.200.200
TS_R24#sh run | i host
<no host Server1.bancobank.org>
Fix
TS_R24# clear ip dhcp binding *
TS_R24(config)#ip dhcp pool BancoBank_Vlan200_User
TS_R24(dhcp-config)#no client-identifier 01cc.bbaa.0010.01
TS_R24(dhcp-config)#client-identifier 01aa.bbcc.006d.00
TS_PC109(config)#int e0/0
TS_PC109(config-if)#shut
TS_PC109(config-if)#no shut
Verification
TS_PC109#
*Jul 13 07:13:08.115: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 10.23.45.100, mask 255.255.255.0, hostname User
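The fault in step 1 is that the manual-binding pool carries a client-identifier that does not belong to PC109's MAC. The following is an added example, not part of the workbook: it derives the identifier IOS expects from the MAC (hardware type byte 01 followed by the MAC) and flags any pool in the R24 configuration transcribed above whose identifier cannot match.

```python
import re

# Constructed sample, transcribed from the R24 "sh run | s dhcp" output above
# with IOS indentation restored.
R24_DHCP_CONFIG = """\
ip dhcp excluded-address 10.23.45.1
ip dhcp pool BancoBank_HomeOffice
 network 10.23.45.0 255.255.255.0
 default-router 10.23.45.1
ip dhcp pool BancoBank_Vlan200_User
 host 10.23.45.100 255.255.255.0
 client-identifier 01cc.bbaa.0010.01
 default-router 10.23.45.1
"""


def client_id_from_mac(mac: str) -> str:
    """Client identifier IOS expects from an Ethernet client: hardware type
    byte 01 followed by the 6-byte MAC, written as dotted groups of four hex
    digits (aabb.cc00.6d00 -> 01aa.bbcc.006d.00). Accepts any MAC notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = "01" + digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def host_pools(config: str) -> dict:
    """Return {pool name: client-identifier} for every manual-binding pool."""
    pools, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip dhcp pool (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*client-identifier (\S+)", line)
        if m and current:
            pools[current] = m.group(1).lower()
    return pools


def mismatched_pools(config: str, mac: str) -> list:
    """(pool, configured id, expected id) for each manual-binding pool whose
    client-identifier will never match a DHCP request from the given MAC."""
    expected = client_id_from_mac(mac)
    return [(name, cid, expected)
            for name, cid in host_pools(config).items() if cid != expected]
```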

2. Fix NAT Config on R23


Analyze
TS_PC109#trace 172.7.7.7
Type escape sequence to abort.
Tracing the route to 172.7.7.7
VRF info: (vrf in name/id, vrf out name/id)
1 10.23.45.1 0 msec 0 msec 0 msec
2 * * *
TS_R24#sh ip route
S* 0.0.0.0/0 [1/0] via 192.168.1.1
TS_R23#sh run int e0/0 | b face
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
TS_R23#sh run int s4/0 | b face
interface Serial4/0
 ip address negotiated
 ip nat inside
 encapsulation ppp
TS_R23#sh ip int br | i 4/0
Serial4/0   134.56.78.10   YES IPCP   up   up
TS_R23#sh run | s nat
ip nat inside source static udp 134.56.78.9 500 interface Serial4/0 500
ip nat inside source static udp 134.56.78.9 4500 interface Serial4/0 4500
ip nat inside source static tcp 192.168.1.200 80 interface Serial4/0 8080
ip nat outside source list 192 interface Serial4/0
TS_R23#sh ip nat trans
Pro Inside global         Inside local          Outside local    Outside global
udp 134.56.78.10:500      134.56.78.9:500       ---              ---
udp 134.56.78.10:4500     134.56.78.9:4500      ---              ---
tcp 134.56.78.10:8080     192.168.1.200:80      ---              ---

Fix
TS_R23(config)#int e0/0
TS_R23(config-if)#no ip nat outside
TS_R23(config-if)#ip nat inside
TS_R23(config-if)#exi
TS_R23(config)#int s4/0
TS_R23(config-if)#no ip nat inside
TS_R23(config-if)#ip nat outside
TS_R23(config-if)#
TS_R23(config)#no ip nat outside source list 192 interface Serial4/0
TS_R23(config)#ip nat inside source list 192 interface Serial4/0
Verification
TS_R23#sh ip nat trans
Pro Inside global         Inside local          Outside local    Outside global
udp 134.56.78.10:59132    10.23.45.100:59132    172.7.7.7:53     172.7.7.7:53
udp 134.56.78.10:500      134.56.78.9:500       ---              ---
udp 134.56.78.10:4500     134.56.78.9:4500      ---              ---
tcp 134.56.78.10:8080     192.168.1.200:80      ---              ---

3. Fix DMVPN Tunnel Config on R24 and Fix ACL on R21

Analyze
TS_R24#sh run int tu10 | b face
interface Tunnel10
 ip address 172.247.247.2 255.255.255.252
 ip nhrp map 172.247.247.1 125.45.67.22
 ip nhrp map multicast 172.247.247.1
 ip nhrp nhs 125.45.67.22
 tunnel source Ethernet1/0
TS_R24#trace 125.45.67.22
Type escape sequence to abort.
Tracing the route to 125.45.67.22
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.1 1 msec 0 msec 1 msec
2 134.56.78.9 !A * !A
TS_R21#sh run int s4/0 | b face
interface Serial4/0
 ip access-group 123 in
TS_R21#sh ip access
Extended IP access list 123
    10 permit esp host 134.56.78.10 any
    20 permit udp host 134.56.78.10 any eq isakmp
    <implicit deny>
Fix
TS_R24(config-if)#int tu10
TS_R24(config-if)#no ip nhrp map multicast 172.247.247.1
TS_R24(config-if)#ip nhrp map multicast 125.45.67.22
TS_R24(config-if)#no ip nhrp nhs 125.45.67.22
TS_R24(config-if)#ip nhrp nhs 172.247.247.1
TS_R24(config-if)#tunnel mode gre multipoint
TS_R21(config)#ip access-list extended 123
TS_R21(config-ext-nacl)#1 permit ip any any

Verification
TS_R24#trace 125.45.67.22
Type escape sequence to abort.
Tracing the route to 125.45.67.22
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.1 0 msec 1 msec 0 msec
2 134.56.78.9 13 msec 6 msec 9 msec
3 134.56.78.37 10 msec 9 msec 9 msec
4 125.45.67.22 10 msec * 9 msec

4. Fix Reachability of Tunnel Underlay Address Between R24 and R7

Analyze
TS_R24#ping 125.45.67.22 so 10.23.45.1
.....
Success rate is 0 percent (0/5)
TS_R24#ping 125.45.67.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
TS_R24#sh ip cef 125.45.67.22
0.0.0.0/0
nexthop 192.168.1.1 Ethernet0/0
Fix
TS_R24(config)#int tu10
TS_R24(config-if)#tunnel source e0/0
Verification
TS_R24#
*Jul 13 08:16:12.069: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Jul 13 08:16:12.069: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

5. Fix IPsec Phase 1 and Phase 2 Problem on R24 and R7

Analyze
TS_R24#sh crypto isak sa
<none>
TS_R24#sh run | s crypto
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key bancobank address 125.45.67.22
crypto ipsec transform-set bancobank_TS esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile bancobank_prof
 set transform-set bancobank_TS
TS_R7#sh run | s crypto
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key BancoBank address 192.168.1.2
crypto ipsec transform-set bancobank_TS esp-aes esp-sha-hmac
crypto ipsec profile bancobank_prof
 set transform-set bancobank_TS
Fix
TS_R24(config)#crypto ipsec nat-transparency udp-encapsulation
TS_R7(config)#crypto isakmp policy 1
TS_R7(config-isakmp)#group 2
TS_R7(config)#crypto isakmp key bancobank address 134.56.78.10
TS_R7(config)#crypto ipsec transform-set bancobank_TS esp-aes esp-sha-hmac
TS_R7(cfg-crypto-trans)#mode transport
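Every change in the fix above closes a gap between the two crypto sections shown in the Analyze output. The following is an added example, not part of the workbook or of any Cisco tool: it parses both sections (transcribed from above, before the fix) and reports each negotiated parameter that differs between spoke and hub, filling in the IOS defaults for lines that are absent (DH group 1, tunnel mode, NAT-T enabled, DES/SHA/rsa-sig policy). The peer address is excluded from the comparison because it differs by design; on the hub it must be the spoke's post-NAT address.

```python
# Constructed samples, transcribed from the "sh run | s crypto" output above
# (state before the fix), IOS indentation restored.
R24_CRYPTO = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key bancobank address 125.45.67.22
crypto ipsec transform-set bancobank_TS esp-aes esp-sha-hmac
 mode transport
no crypto ipsec nat-transparency udp-encapsulation
"""
R7_CRYPTO = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key BancoBank address 192.168.1.2
crypto ipsec transform-set bancobank_TS esp-aes esp-sha-hmac
"""

# Values IOS applies when the line is omitted from the running config.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "key": None, "peer": None, "transforms": None,
                "mode": "tunnel", "nat_t": "on"}


def parse_crypto(config: str) -> dict:
    """Reduce a 'sh run | s crypto' section to the parameters IKE/IPsec
    negotiate, starting from the IOS defaults so omissions are visible."""
    s = dict(IOS_DEFAULTS)
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("encr", "hash", "authentication", "group"):
            s[t[0]] = " ".join(t[1:])            # isakmp policy sub-commands
        elif t[:3] == ["crypto", "isakmp", "key"]:
            s["key"], s["peer"] = t[3], t[5]     # pre-shared key is case-sensitive
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            s["transforms"] = " ".join(t[4:])
        elif t[0] == "mode":
            s["mode"] = t[1]                     # transform-set sub-command
        elif t[:5] == ["no", "crypto", "ipsec", "nat-transparency", "udp-encapsulation"]:
            s["nat_t"] = "off"
    return s


def mismatches(spoke: str, hub: str) -> dict:
    """{parameter: (spoke value, hub value)} for everything that must agree."""
    a, b = parse_crypto(spoke), parse_crypto(hub)
    return {k: (a[k], b[k]) for k in a if k != "peer" and a[k] != b[k]}
```

The four entries it returns for the configs above (group, key, mode, nat_t) are exactly the items the fix changes; the remaining hub change, the peer address, has to come from the NAT translation table on R23.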

Verification
TS_R24#sh cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
125.45.67.22    192.168.1.2     QM_IDLE           1001 ACTIVE

TS_R24#ping 172.247.247.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.247.247.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/14/15 ms
TS_R24#
*Jul 13 08:35:26.166: %OSPF-5-ADJCHG: Process 1, Nbr 172.7.7.7 on Tunnel10 from LOADING to FULL, Loading Done
TS_PC109#ping 172.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.7.7.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/10 ms
TS_PC109#ping Server1.bancobank.org
Translating "Server1.bancobank.org"...domain server (172.7.7.7) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/11 ms
TS_PC109#trace Server1.bancobank.org
Type escape sequence to abort.
Tracing the route to Server1.bancobank.org (172.16.200.200)
VRF info: (vrf in name/id, vrf out name/id)
1 10.23.45.1 0 msec 0 msec 0 msec
2 172.247.247.1 10 msec 10 msec 10 msec
3 172.16.0.2 11 msec 10 msec 10 msec
4 SeRvEr1.bancobank.org (172.16.200.200) 10 msec * 10 msec
