DMVPN NAT Troubleshooting Guide

The document describes troubleshooting a DMVPN configuration between routers R7 and R24 where PC110 cannot traceroute to Server1. There were several faults found: 1) the S4/0 interface IP on R21 was incorrect; 2) incorrect ISAKMP key on R24; 3) wrong crypto group on R7; 4) missing NAT transparency config on R24; 5) OSPF passive interface set on R24 tunnel; 6) missing OSPF network statement on R7; and 7) no host entry for Server1 on R24. The faults were remediated and connectivity was then successfully tested from PC110 to Server1.


Q9 – DMVPN NAT (2 Points)

There is a DMVPN configured between R7 (HUB) and R24 (SPOKE) through the NAT network (R23).
Ensure that PC110 can access Server1 as shown:
PC110# traceroute 172.16.200.200
Type escape sequence to abort.
Tracing the route to 172.16.200.200
VRF info: (vrf in name/id, vrf out name/id)
 1 10.23.45.1 0 msec 0 msec 1 msec
 2 172.247.247.1 9 msec 9 msec 10 msec
 3 172.16.1.2 10 msec 10 msec 8 msec
 4 172.16.200.200 10 msec *  10 msec

PC110# traceroute SERVER1

1. Tunnel Source
   R24 should be able to ping R7's 125 network segment.
   1. NAT on R23
      - Does the NAT ACL match the inside traffic?
      - Is the NAT command correct?
   2. PPP authentication on R23, R32
      - Is PPP authentication up?
      - Are the IP addresses delivered correctly?
      - Confirm the directly connected peers can communicate.
   3. ACL
      - After the previous items are checked, check whether any ACL on an interface is blocking the data.

2. Tunnel Configuration
   1. DMVPN Stage
      - Compare the configurations on R24 and R7.
      - R24 needs "crypto ipsec nat-transparency udp-encapsulation" (R23 does not), because the traffic needs the UDP encapsulation only at the tunnel end-point.
      - R23 needs the NAT configuration (mapping of the UDP port).
   2. IPsec Stage
      - If the DMVPN peer sits in IKE state, the IPsec policy is wrong 99% of the time.
      - Compare the IPsec configurations on R7 and R24.
      - If the policy is already in use, shut down the tunnel interface first and then modify it.

3. OSPF
   1. Add Tunnel0 to OSPF with a network statement (it could be Tunnel10).
   2. If there is no OSPF neighbor, troubleshoot OSPF.
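As an added example (not part of the lab or any vendor tool), a small Python audit that reads a hub and a spoke running-config excerpt and flags the four mismatches sections 2 and 3 describe: ISAKMP key, DH group, NAT-T disabled, and a passive tunnel interface. The config excerpts are constructed; the hub's wrong group value is invented, since the lab only says it was wrong.

```python
import re
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)")
KEY_RE = re.compile(r"^crypto isakmp key (?:[067] )?(\S+) address (\S+)")


def parse_isakmp(config):
    """Return ({policy_no: {attr: value}}, {peer: key}) from IOS running-config text."""
    policies, keys, current = {}, {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            current = policies.setdefault(int(m.group(1)), {})
        elif m := KEY_RE.match(line):
            keys[m.group(2)] = m.group(1)
            current = None
        elif line.startswith(" ") and current is not None:
            attr, _, value = line.strip().partition(" ")
            current[attr] = value  # e.g. {"group": "14", "encr": "aes"}
        else:
            current = None  # any other top-level line ends the policy block
    return policies, keys


def audit_pair(hub_cfg, spoke_cfg, tunnel="Tunnel10"):
    """Return findings for faults 2-5 of the lab: PSK, DH group, NAT-T, passive tunnel."""
    findings = []
    hub_pol, hub_keys = parse_isakmp(hub_cfg)
    spk_pol, spk_keys = parse_isakmp(spoke_cfg)
    if hub_keys.get("0.0.0.0") != spk_keys.get("0.0.0.0"):  # wildcard PSK must match exactly
        findings.append("isakmp key mismatch")
    hub_groups = {p.get("group", "default") for p in hub_pol.values()}
    spk_groups = {p.get("group", "default") for p in spk_pol.values()}
    if not hub_groups & spk_groups:  # IKE needs one policy pair that agrees on the DH group
        findings.append(f"no common DH group: hub={sorted(hub_groups)} spoke={sorted(spk_groups)}")
    # NAT-T is on by default, so only its disabling "no" form ever appears in the config
    if re.search(r"^no crypto ipsec nat-transparency udp-encapsulation", spoke_cfg, re.M):
        findings.append("NAT-T disabled on spoke behind NAT")
    if re.search(rf"^ passive-interface {tunnel}$", spoke_cfg, re.M):  # no hellos, no neighbor
        findings.append(f"OSPF passive-interface on {tunnel}")
    return findings


# Constructed excerpts for R7 (hub) and R24 (spoke); the hub's wrong DH group value is invented
HUB_CFG = "crypto isakmp policy 10\n group 2\ncrypto isakmp key CCIE address 0.0.0.0\n"
SPOKE_CFG = ("crypto isakmp policy 10\n group 14\n"
             "crypto isakmp key CC1E address 0.0.0.0\n"
             "no crypto ipsec nat-transparency udp-encapsulation\n"
             "router ospf 65100\n passive-interface Tunnel10\n")

if __name__ == "__main__":
    for finding in audit_pair(HUB_CFG, SPOKE_CFG):
        print("FINDING:", finding)
```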

4. Domain Lookup
   1. Check the domain lookup on R7.
   2. Enable ip domain lookup on PC110.
ANS Q9 – DMVPN NAT

#  Device    Commands                         Validations
1  Ping from R24 to R7 outside interface
   R24       ping 125.45.67.22                Ping outside interface of R7. Unsuccessful.
   R23       ping 125.45.67.22                Ping outside interface of R7. Unsuccessful.
   R23       ping 134.56.78.9                 Unsuccessful. Direct connection to R21 is not working.
   R21       sh ip int brief                  Fault 1: found IP address 134.56.78.90 instead of 134.56.78.9.
   Fix R21:
             int S4/0
             no ip address 134.56.78.90 255.255.255.252
             ip address 134.56.78.9 255.255.255.252
2  Check IPsec VPN configuration
   R7        sh dmvpn                         Check whether DMVPN neighbor R24 is found.
   R24       sh dmvpn                         Found peer R7 (125.45.67.22), but in IKE state. If you see IKE, it is an IPsec issue.
   R24, R7   sh run | s cry                   Compare the configs.
                                              Fault 2: wrong isakmp key on R24.
                                              Fault 3: wrong group # on R7.
                                              Fault 4: R24 has the command "no crypto ipsec nat-transparency udp-encapsulation".
   Fix R24:
             no crypto isakmp key CC1E address 0.0.0.0
             crypto isakmp key CCIE address 0.0.0.0
             crypto ipsec nat-transparency udp-encapsulation
             /--when you run this command the "no" form goes away, but the command itself does not show up in the running config, which is normal--/
   Fix R7:
             crypto isakmp policy 10
              group 14
   R24       sh ip int brief                  Identify the tunnel interface. It is Tun10.
   R7        int tun10                        Bounce the tunnel interface.
             shut
             no shut
   R24       sh dmvpn                         Found peer R7 (125.45.67.22).
3  Check NAT and ACL on R23 and R24
   R23       sh ip nat translations           Check whether you see entries. Also check whether you see icmp and esp traffic.
             sh ip nat statistics
   R23, R24  sh run | s nat                   The following command is not an issue on R23, but it is an issue on R24:
                                              no crypto ipsec nat-transparency udp-encapsulation
                                              Find the access-list referenced by the #ip nat inside source statement.
   R23       sh run | s list                  Found the following. No problems.
                                              access-list 194 permit ip 192.168.1.0 0.0.0.255 any
4  Check OSPF neighbor
   R24       sh ip ospf nei                   Check whether R7 shows up as neighbor. No neighbor found.
   R24       sh ip ospf int brief             Check whether Tunnel10 is an OSPF interface.
   R7, R24   sh run | s r o                   Fault 5: R24 - passive-interface Tunnel10.
                                              Fault 6: R7 - #network command missing for the tunnel interface.
   Fix R24:
             router ospf 65100
              no passive-interface Tunnel10
             sh ip ospf neighbor              /--check neighbor with R7
             sh ip route
   Fix R7:
             router ospf 65100
              network 172.247.247.1 0.0.0.0 area 3
             sh ip ospf neighbor              /--check neighbor with R24
5  Check IP HOST config on R24
   PC110     traceroute SERVER1               % Unrecognized host or address. The domain server is R24 (10.23.45.1).
   R24       sh run | s ip host               Found nothing.
   R24       sh ip dns view                   Check domain lookup. The name server points to 192.168.1.1, which is R23.
   R23       sh ip dns view                   Domain lookup is enabled, but does not point to any name server.
   R7        sh run | s ip host               Found the following IP host entry: #ip host HOST01 172.16.100.200
                                              Fault 7: no IP HOST entry for SERVER1.
   Fix R24:
             ip host SERVER1 172.16.200.200
T  Test
   PC110     ping 172.16.200.200              Successful
   PC110     traceroute 172.16.200.200        Successful
   PC110     traceroute SERVER1               Successful

TS1 Q9 – DMVPN NAT Fault Summary and Remediation

#  Device  Fault                                  Remediation
1  R21     Wrong IP address on S4/0 interface     Change IP from 134.56.78.90 to 134.56.78.9
2  R24     Wrong ISAKMP key                       crypto isakmp key CCIE address 0.0.0.0
3  R7      Wrong group # in crypto policy         crypto isakmp policy 10
                                                   group 14
4  R24     No IPsec NAT transparency config       crypto ipsec nat-transparency udp-encapsulation
5  R24     OSPF passive-interface for Tun10       router ospf 65100
                                                   no passive-interface Tunnel10
6  R7      Missing #network statement in OSPF     router ospf 65100
                                                   network 172.247.247.1 0.0.0.0 area 3
7  R24     No host entry for SERVER1              ip host SERVER1 172.16.200.200

Concepts
1. The DMVPN tunnel is formed between the outside interface of R7 (125.45.67.22) and R24 E0/0.

2. R24 must have the following config because R23 is performing NAT:

#crypto ipsec nat-transparency udp-encapsulation

3. The OSPF neighbor is formed between R24 and R7.

4. The following commands are helpful for DNS configuration:

#ip domain lookup /--enables the device (PC110) to perform domain lookups

#ip dns server

High Level Steps

- Step 1 - Confirm R24 can ping 125.45.67.22
- Step 2 - Check the IPsec VPN
- Step 3 - Check the OSPF neighbor

Detailed Steps
- From R24, ping 125.45.67.22. If the ping is not successful, open R23. From R23, ping 125.45.67.22. If you can't ping, most likely the IP address of R21 S4/0 is wrong. Take care of this IP address issue first before troubleshooting anything else.
