Reverse-Tunnel Forwarding

Problem

You want to force all packets from the Mobile Node to travel back through the Home Agent tunnel so that they are not dropped by anti-spoofing ACLs in the network.

Solution

You configure Reverse-Tunnel Forwarding on the Mobile Node so that it requests this feature when it registers with the Foreign Agent:

RouterMobile#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterMobile(config)#ip mobile router
RouterMobile(mobile-router)#reverse-tunnel
RouterMobile(mobile-router)#exit
RouterMobile(config)#end
RouterMobile#

Discussion

When a Mobile Node communicates with another device elsewhere on the network (called the Correspondent Node), the inbound traffic follows a path from the Correspondent Node to the Home Agent, through the tunnel to the Foreign Agent, and from there to the Mobile Node. On the way back from the Mobile Node to the Correspondent Node, the packet goes first to the Foreign Agent, which looks at the destination address, and forwards this packet according to its routing table by using the most direct path.

The trouble is that the source IP address in the packet from the Mobile Node to the Correspondent Node doesn’t belong to the Foreign Agent router. It is effectively a spoofed source address. Many networks use ACLs to look at the source addresses of packets and make sure that they are received on an interface that leads back to the source network. This is a good security practice because it helps prevent hackers from deliberately spoofing addresses in packets when launching attacks. ...
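To make the ACL problem concrete, here is an added Python simulation (not code from the cookbook) of the reverse-path check an upstream router applies, comparing the triangle-routed packet with the reverse-tunnelled one. All addresses, interface names and the routing table are constructed assumptions.

```python
import ipaddress

# Constructed addresses for the simulation (assumptions, not from the page).
HOME_NET = ipaddress.ip_network("10.1.0.0/16")        # Mobile Node's home network, behind the Home Agent
FOREIGN_NET = ipaddress.ip_network("192.0.2.0/24")     # visited network, behind the Foreign Agent
HOME_AGENT = ipaddress.ip_address("10.1.0.1")
FOREIGN_AGENT = ipaddress.ip_address("192.0.2.1")      # Foreign Agent care-of address
MOBILE_NODE = ipaddress.ip_address("10.1.5.20")        # home address, kept while roaming
CORRESPONDENT = ipaddress.ip_address("203.0.113.9")

# Routing table of the upstream router that enforces the anti-spoofing ACL:
# prefix -> interface through which that prefix is reachable.
ROUTES = {
    HOME_NET: "to-home-agent",
    FOREIGN_NET: "to-foreign-agent",
    ipaddress.ip_network("203.0.113.0/24"): "to-correspondent",
}


def route_interface(addr):
    """Longest-prefix match: the interface that leads back toward addr."""
    matches = [net for net in ROUTES if addr in net]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def anti_spoof_ok(packet, ingress):
    """Reverse-path style check: the outer source must be reachable via the ingress interface."""
    return route_interface(packet["src"]) == ingress


def packet_leaving_foreign_agent(reverse_tunnel):
    """The Mobile Node's packet as the Foreign Agent hands it to the upstream router."""
    inner = {"src": MOBILE_NODE, "dst": CORRESPONDENT}
    if reverse_tunnel:
        # Foreign Agent encapsulates toward the Home Agent; the outer source is its own address,
        # so the inner (home-address) source is never seen by the upstream ACL.
        return {"src": FOREIGN_AGENT, "dst": HOME_AGENT, "inner": inner}
    # Triangle routing: forwarded directly, still carrying the home address as source.
    return inner


def upstream_accepts(reverse_tunnel):
    """True if the upstream router's anti-spoofing check lets the packet through."""
    pkt = packet_leaving_foreign_agent(reverse_tunnel)
    return anti_spoof_ok(pkt, ingress="to-foreign-agent")
```

Without the reverse tunnel the home-address source arrives on the Foreign Agent's link, which is not the interface leading back to the home network, so the check fails; with it, the outer source is the Foreign Agent's own address and the check passes.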

Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.
