GRE Tunnel problem with one endpoint in NAT

Hello, I have this situation:

Branch office:

C2611 router - atm0/0.1 public wan eth0/0 lan

HQ:

C2650 - edge router - has on it a /29 IP range; atm0/0.1 wan; fast0/0 dmz net 172.16.0.*; loopback0 /29 range of IP

One of the /29 range is statically natted (nat 1-1) on 172.16.0.10 (Cisco 3620).

I am not able to put the gre tunnel up. I am sure that the problem is in the HQ because the 3620 is natted.

There are no ACLs or firewalls that block the communication. Other services on 172.16.0.10 work fine from the internet side (everyone needs to connect to the address of the /29 range that is natted to it).

What can I check?


There is no mention of tunnel endpoints or dynamic routing protocols.

Perhaps your issue is "recursive routing".

The routers know of the tunnel endpoints, but see the path to the far-side tunnel endpoint as being via the tunnel itself (recursive routing).

You would want a static route on each side telling the routers to reach the far-side tunnel endpoints by way of a "physical interface".

e.g.: reach the far-side tunnel endpoint (often the external far side interface) by way of your router's default gateway (next hop, Internet side).

ip route 255.255.255.255

beneficial.

Best Regards, News Reader


Hello,

here is more data.

C2611 router - atm0/0.1 public wan ex 77.xx.xx.26; eth0/0 lan 192.168.2.254

interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source ATM0/0.1
 tunnel destination 77.xx.xx.238
 tunnel checksum
 tunnel path-mtu-discovery

HQ:

C2650 - edge router - has on it a /29 IP range; atm0/0.1 wan 77.xx.xx.162; fast0/0 dmz net 172.16.0.11; loopback0 /29 range of IP 77.xx.xx.233/29. There is a static nat 77.xx.xx.238 -> 172.16.0.10.

C3620

eth1/0 172.16.0.10 (default route 172.16.0.11); eth1/1 192.168.1.254

Here are the confs:

interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source Ethernet1/0
 tunnel destination 77.xx.xx.26
 tunnel checksum
 tunnel path-mtu-discovery


The additional info was helpful, however you didn't clarify which interfaces on the 2650 are being used for NAT. Presumably, atm0/0.1 is your outside NAT interface. Are both F0/0 and Loopback0 NAT inside interfaces? If F0/0 is not a NAT inside interface, I'll have to assume you are taking necessary steps to policy route the GRE tunnel through a NAT inside interface (Loopback0 ?). Presumably, crypto maps are applied on the atm0/0.1 interfaces of the 2650 and 2611.

The following list is as much for my benefit as yours. It might help identify any misconceptions or configuration deficiencies.

Advertising routes on the 3620 Tunnel 0 interface.

Advertisements are sent via the tunnel source interface (3620 e1/0, 172.16.0.10), encapsulated in GRE.

A static route to the tunnel destination (2611 atm0/0.1, 77.xx.xx.26) is desirable on the 3620 to address recursive routing issues.

ip route 77.xx.xx.26 255.255.255.255 172.16.0.11 2

Note: I have never NAT'd a GRE tunnel. I assume it can be done, but have never proven it.

If f0/0 on the 2650 is a NAT inside interface, the source IP (172.16.0.10) in the GRE header is NAT'd (to 77.xx.xx.238) before crypto is applied on atm0/0.1 of the 2650.

If f0/0 on the 2650 is NOT a NAT inside interface, I assume Loopback0 is, and that you have taken steps to policy route the GRE tunnel through Loopback0 to receive NAT treatment on the GRE header.

The GRE tunnel is further encapsulated due to the crypto map (permit gre host 77.xx.xx.238 host 77.xx.xx.26) assumed to exist on atm0/0.1 of the 2650.

The 2611 receives the packet(s) on atm0/0.1, de-encapsulates IPSec, de-encapsulates GRE, and processes the original packet(s).

Now for the other side:

Advertising routes on the 2611 Tunnel 0 interface.

Advertisements are sent via the tunnel source interface (2611 atm0/0.1, 77.xx.xx.26), encapsulated in GRE.

Due to NAT at the other side, the 2611 would be configured with the 3620's e1/0 NAT'd, globally routable IP as the tunnel destination.

A static route to the tunnel destination (3620 e1/0, 77.xx.xx.238) is desirable on the 2611 to address recursive routing issues.

ip route 77.xx.xx.238 255.255.255.255

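The recursive-routing check described in the reply above, as an added Python model that is not part of the thread: a longest-prefix lookup over a small routing table tells whether the route to the far-side tunnel endpoint exits through the tunnel itself, and shows how the suggested host route via the physical next hop (AD 2) resolves it. RFC 5737 addresses are assumed as stand-ins for the 77.xx.xx.* values, and the /24 learned over the tunnel is a constructed failure scenario.

```python
import ipaddress

# Constructed stand-in for 77.xx.xx.26 (2611 atm0/0.1, the 3620's tunnel destination).
BRANCH_WAN = "198.51.100.26"


def best_route(rib, dst):
    """Longest-prefix match over a RIB of (prefix, admin_distance, interface).

    Ties on prefix length are broken by the lowest administrative distance,
    which is why the thread's 'ip route ... 2' static wins over an IGP route.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), ad, iface) for p, ad, iface in rib]
    candidates = [c for c in candidates if addr in c[0]]
    if not candidates:
        return None
    net, ad, iface = max(candidates, key=lambda c: (c[0].prefixlen, -c[1]))
    return str(net), ad, iface


def tunnel_is_recursive(rib, tunnel_iface, tunnel_dst):
    """True when the route to the tunnel endpoint goes via the tunnel itself."""
    route = best_route(rib, tunnel_dst)
    return route is not None and route[2] == tunnel_iface


# Constructed 3620 RIB before the fix: default route out e1/0 toward 172.16.0.11,
# but the branch's WAN /24 has been learned over the tunnel by an IGP (AD 90),
# so the more specific route to the endpoint now points into Tunnel1.
RIB_BROKEN = [
    ("0.0.0.0/0", 1, "Ethernet1/0"),
    ("198.51.100.0/24", 90, "Tunnel1"),
]

# After the fix: host route to the endpoint via the physical interface,
# equivalent to 'ip route <endpoint> 255.255.255.255 172.16.0.11 2'.
RIB_FIXED = RIB_BROKEN + [("198.51.100.26/32", 2, "Ethernet1/0")]


def check_both():
    """Return (recursive before fix, recursive after fix)."""
    return (tunnel_is_recursive(RIB_BROKEN, "Tunnel1", BRANCH_WAN),
            tunnel_is_recursive(RIB_FIXED, "Tunnel1", BRANCH_WAN))


if __name__ == "__main__":
    print(check_both())  # (True, False)
```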
