How to connect 3 ASR-1001-X routers through tunnels.

TristanGude
Level 1

I have 3 ASR-1001-X routers. One router has two tunnels, one to each of the other 2 routers. The other 2 routers only have one tunnel each, to the central router. The central router is on network 172.16, the other two routers are on networks 172.17 and 172.19. I can ping 172.19 and 17 from 16, I can ping 172.16 from 19 and 17, but I cannot ping 17 from 19 and vice versa. How can I tell the router on network 172.16 that when 172.19 sends a packet to 172.17 it should route it through the tunnel to 17, and back? Hope I am making sense.


13 Replies

Are you configuring static routes or running any routing protocol?

We do not have enough information to be able to give good advice. The original post mentions tunnels. It is not clear whether these are ipsec tunnels or some other type of tunnel (GRE etc). And if it is ipsec are they traditional ipsec with crypto map or VTI?

Some details from the configs would be helpful.

HTH

Rick

khorram1998
Level 1

Hi @TristanGude 

 

To route traffic between the networks 172.17 and 172.19 through the central router on network 172.16, you will need to configure static routes on the two routers on networks 172.17 and 172.19.

On the router on network 172.17, you will need to configure a static route for network 172.19 with the next hop being the IP address of the tunnel interface on the central router.

On the router on network 172.19, you will need to configure a static route for network 172.17 with the next hop being the IP address of the tunnel interface on the central router.

You can configure the static routes using the command "ip route [destination network] [mask] [next hop IP]".

Additionally, you will need to enable routing protocols like OSPF or EIGRP on all three routers and configure them properly in order for the routers to learn about the routes.

It is also recommended to check the configurations of all the tunnels, access-lists, firewalls and any other security features that might be blocking the communication between the networks.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK

Joseph W. Doherty
Hall of Fame

As @Richard Burts notes, insufficient information to offer really good (specific) advice, but in general.

First, often tunnels need to be configured how to route to the other end of their tunnel(s) (remote) end point.  Most often this is done via a static route.

Second, anytime you need to get to a destination network, not directly connected to your router, you also need to configure how to route to such "remote" destinations.

From what you describe, I suspect your 17 network doesn't know how to route to 19 and ditto for the reverse.  As you have two way pings between 16 and 17 or 19, 16 might be okay.

Again, there are several ways to provide the 17 and 19 routers the route information needed, which, again in your case, might be as simple as providing each (17 and 19) a default static route going to 16.

TristanGude
Level 1

Thanks everyone.

Central Router

interface Tunnel4
description Point-to-Point
ip address 172.18.21.2 255.255.255.0
zone-member security Inside
tunnel source 172.18.11.1
tunnel destination 172.18.10.1
tunnel protection ipsec profile protect-gre
!
interface Tunnel6
description Point-to-Point-to-Glow-House
ip address 172.21.21.2 255.255.255.0
zone-member security Inside
tunnel source 172.21.11.1
tunnel destination 172.21.10.1
tunnel protection ipsec profile protect-gre
!

interface GigabitEthernet0/0/2
description Point-to-Point
ip address 172.18.11.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mfib forwarding input
no ip mfib cef input
no ip mfib cef output
zone-member security Tunnel-Outside
load-interval 30
negotiation auto
!
interface GigabitEthernet0/0/3
description Point-to-Point-Glow-House
ip address 172.21.11.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mfib forwarding input
no ip mfib cef input
no ip mfib cef output
zone-member security Tunnel-Outside
load-interval 30
negotiation auto

ip route 172.17.0.0 255.255.0.0 172.18.10.1
ip route 172.18.0.0 255.255.0.0 GigabitEthernet0/0/2
ip route 172.19.0.0 255.255.0.0 172.21.10.1
ip route 172.21.0.0 255.255.0.0 GigabitEthernet0/0/3

Router on 172.17

interface Tunnel4
ip address 172.18.21.1 255.255.255.0
zone-member security Tunnel-Outside
tunnel source 172.18.10.1
tunnel destination 172.18.11.1
tunnel protection ipsec profile protect-gre
!

interface GigabitEthernet0/0/2
description Point-to-Point
ip address 172.18.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mfib forwarding input
no ip mfib cef input
no ip mfib cef output
ip access-group Block-Guest in
ip access-group Block-Guest out
zone-member security Tunnel-Outside
load-interval 30
negotiation auto
!

ip route 172.16.0.0 255.255.0.0 172.18.11.1
ip route 172.18.0.0 255.255.0.0 GigabitEthernet0/0/2

Router on 172.19

interface Tunnel6
description Point-to-Point
ip address 172.21.21.1 255.255.255.0
zone-member security Inside
tunnel source 172.21.10.1
tunnel destination 172.21.11.1
tunnel protection ipsec profile protect-gre

interface GigabitEthernet0/0/0
description Point-to-Point-Halesworth
ip address 172.21.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mfib forwarding input
no ip mfib cef input
no ip mfib cef output
zone-member security Tunnels-Outside
load-interval 30
negotiation auto

ip default-network 172.21.11.1
ip route 0.0.0.0 0.0.0.0 172.21.11.1
ip route 172.21.0.0 255.255.0.0 GigabitEthernet0/0/0
!

The same tunnel source is used by multiple tunnels. Hmm.
That must be checked for each platform, and for each IOS this behaviour is different.
After applying this config, are all tunnels UP?

Can you run any routing protocol? This makes one spoke know about the other spoke's LAN subnet.

TristanGude
Level 1

Router - Central - 172.16 - Tunnel 4 to Router 172.17 - Tunnel 4

Router - Central - 172.16 - Tunnel 6 to Router 172.19 - Tunnel 6

Not sure what you meant by "can you run any routing protocol this make one Spoke know about other Spoke LAN subnet " Sorry. 

Yes, all tunnels are up. 

Tunnel is UP.
If you face an issue with IPsec then I think you need the keyword "shared" with tunnel protection.

Central has LAN-C
BranchA has LAN-A
BranchB has LAN-B

To make the BranchA LAN connect to the BranchB LAN, we need a static route for both LANs toward the Central tunnel.

Thanks. And how do I create the static route of both LAN toward Central tunnel. Thank you one more time

In the router on 172.19 you have a default route.
In the router on 172.17, can you add a default route?
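The replies above (static routes on each spoke toward the Central tunnel, or simply a default route on each spoke pointing at the hub) can be written out against the addresses in the configs posted earlier in this thread. This is an added example, not configuration from the poster or from Cisco. In the posted configs the routes to the remote LANs use the underlay point-to-point addresses (172.18.10.1, 172.21.10.1) as next hops; the example instead points them at the tunnel interface addresses (172.18.21.x and 172.21.21.x from the posted configs) so that spoke-to-spoke traffic is GRE-encapsulated and covered by the ipsec profile on the tunnel. The fully specified "interface next-hop" form of ip route is a choice of this example, not something the thread shows.

```ios
! Added example: static routes for spoke-to-spoke reachability through the hub.
! Addresses come from the posted configs; the "interface next-hop" form is
! an assumption of this example.

! --- Central router (LAN 172.16.0.0/16) ---
! Keep the underlay routes so each tunnel destination is never learned
! through the tunnel itself (recursive routing would bring the tunnel down).
ip route 172.18.0.0 255.255.0.0 GigabitEthernet0/0/2
ip route 172.21.0.0 255.255.0.0 GigabitEthernet0/0/3
! Spoke LANs are reached through the tunnel interfaces, so the packets are
! GRE-encapsulated and protected by the ipsec profile applied to the tunnel.
ip route 172.17.0.0 255.255.0.0 Tunnel4 172.18.21.1
ip route 172.19.0.0 255.255.0.0 Tunnel6 172.21.21.1

! --- Router on 172.17 (spoke A) ---
ip route 172.18.0.0 255.255.0.0 GigabitEthernet0/0/2
! The hub LAN and the other spoke's LAN both go to the hub end of Tunnel4.
ip route 172.16.0.0 255.255.0.0 Tunnel4 172.18.21.2
ip route 172.19.0.0 255.255.0.0 Tunnel4 172.18.21.2
! Alternatively, as the reply above suggests, one default route instead:
! ip route 0.0.0.0 0.0.0.0 Tunnel4 172.18.21.2

! --- Router on 172.19 (spoke B) ---
ip route 172.21.0.0 255.255.0.0 GigabitEthernet0/0/0
ip route 172.16.0.0 255.255.0.0 Tunnel6 172.21.21.2
ip route 172.17.0.0 255.255.0.0 Tunnel6 172.21.21.2
! (the posted config already carries a default route toward the hub)

! --- Checks, in exec mode on each router ---
! The route to the other spoke's LAN must resolve to the tunnel interface:
show ip route 172.19.0.0 255.255.0.0 longer-prefixes
show ip cef 172.19.0.0 255.255.0.0
! Encrypt/decrypt counters on the tunnel should increase while pinging:
show crypto ipsec sa interface Tunnel4
! Zone-based firewall: the zone holding the LAN interface and the zone
! holding the tunnel interface need a zone-pair whose policy permits the traffic.
show zone-pair security
```

With the routes pointing at the tunnel interfaces, the only thing that should use the underlay /16 routes is the GRE/ESP traffic between the tunnel endpoints themselves; if the crypto counters stay flat while pings succeed, the LAN traffic is still taking the underlay path.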

TristanGude
Level 1

Hi,

First of all, thank you very much for the support. I was able to ping all the routers, but now I cannot route the internet traffic of router 172.19 through router 172.16. Router 172.16 has a connection to the internet, router 172.19 does not. 172.16 is connected to router 172.19 through a point-to-point tunnel.

.16 likely needs to know what other networks are "behind" .19.  This can be accomplished using static routes, on .16, or might be done via .16 and .19 sharing networks via a dynamic routing protocol.

Thank you, could you please let me know what that static route will look like. The tunnel between 16 and 19 has: the interface on router 172.16 has IP 172.21.11.1, the interface on router 172.19 has IP 172.21.10.1. The network behind 172.19 is 172.19.0.0 255.255.0.0, the network behind 172.16 is 172.16.0.0 255.255.0.0.
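An added example answering the last question (not the poster's configuration and not Cisco documentation): the route on 172.16 for the network behind 172.19, written with the addresses given above, plus the checks that show whether Internet-bound traffic from 172.19 actually takes the path. The first route line is the same one already present in the central config posted earlier. The host address 172.19.1.1 and the destination 203.0.113.1 (a documentation-range address) are placeholders chosen for this example.

```ios
! Added example: hub route for the network behind 172.19, then end-to-end checks.
! 172.19.1.1 (a LAN host behind .19) and 203.0.113.1 (an Internet host)
! are placeholders for this example.

! --- Router 172.16 (hub, has the Internet connection) ---
! Next hop is the underlay peer, exactly as in the posted central config:
ip route 172.19.0.0 255.255.0.0 172.21.10.1
! Or, if the traffic should travel inside the IPsec-protected tunnel:
! ip route 172.19.0.0 255.255.0.0 Tunnel6 172.21.21.1

! --- Router 172.19 (no Internet connection) ---
! Everything not known locally goes to the hub (already in the posted config):
ip route 0.0.0.0 0.0.0.0 172.21.11.1

! --- Verification ---
! On 172.16: the hub must know the return path for replies to .19 hosts
show ip route 172.19.1.1
! On 172.19: Internet-bound traffic must resolve to the hub
show ip route 203.0.113.1
! Walk the path sourced from the .19 LAN side. If the hub hop answers but
! nothing beyond it does, the hub is forwarding the packets but is not
! returning replies for 172.19 sources: check the zone-pair between the
! tunnel zone and the Internet-facing zone, and any address translation
! applied on the Internet-facing interface.
traceroute 203.0.113.1 source 172.19.1.1
```

Pinging the hub's own addresses from .19 only proves the tunnel and the hub's local routing; the traceroute with a LAN source is what shows whether the hub is also carrying .19 traffic onward and bringing the replies back.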