HSRP with GRE tunnels

tato386 (Level 6)

From an earlier post I found out that I have a problem setting up HSRP with routers that terminate GRE tunnels. The problem stems from the fact that the HSRP protocol uses a virtual IP that each of the members of an HSRP group use. I have an idea that I would like to get comments on.

In my case both routers will be behind a firewall and will be using private IP addresses. For argument's sake their "real" addresses would be 1.1.1.2 and 1.1.1.3. The HSRP virtual address will be 1.1.1.1. The virtual address will be NATed to a public IP.

In my scenario each router will use its "real" address as the tunnel source. The remote routers on the other end of the tunnel will use the public NAT of the virtual IP for their tunnel destination.

Will this work? If not what else can I do? Does the GRE protocol have some type of secondary or backup tunnel endpoints that I can configure?

Thanks,

Diego

3 Replies

aacole (Level 5)

Hi Diego, yes this will work.

When the GRE packet hits the firewall it will have its source IP address changed from 1.1.1.x to the outside address you have specified in the static mapping on the PIX. GRE Replies will be to the outside address, the destination address gets translated back to 1.1.1.x.

You will need to allow the IP addresses and the GRE protocol (IP 47) through the firewall. Ages ago I used this to get EIGRP to work through a firewall; I based it on a document I found on cisco.com. If you need it I'll look up the URL.

As I read the original question, he said that the router would configure its tunnel source as its real IP (1.1.1.2) and the remote would configure its tunnel destination as the NATed value of the virtual IP (1.1.1.1). In my experience, if the local source and remote destination do not have exactly the same IP, the tunnel does not work.

HTH

Rick

Rick,

I misread the original question. In this case the tunnel won't come up, as the reply packets will come back to 1.1.1.1.

I think 2 tunnels would be the answer here.
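To make the two points above concrete (Rick's rule that the local tunnel source and the remote tunnel destination must be the same address once NAT is accounted for, and the conclusion that one tunnel per real router address is the way out), here is a small Python model of the packet flow. It is an added illustration, not code from the thread or from Cisco; the firewall model, the public addresses 203.0.113.x and the remote address 198.51.100.1 are constructed for the example, and the two-tunnel design assumes one static NAT mapping per real router address, which the thread does not spell out.

```python
from __future__ import annotations
from dataclasses import dataclass

GRE = 47  # IP protocol number for GRE, as noted in the thread


@dataclass(frozen=True)
class Packet:
    """Outer IP header of a GRE packet (only the fields that matter here)."""
    src: str
    dst: str
    proto: int = GRE


@dataclass(frozen=True)
class GreTunnel:
    """One tunnel interface: 'tunnel source' and 'tunnel destination' as configured on a router."""
    source: str
    destination: str

    def accepts(self, pkt: Packet) -> bool:
        # A received GRE packet is handed to this tunnel only if its outer
        # (src, dst) is exactly the mirror image of (destination, source).
        return pkt.proto == GRE and pkt.src == self.destination and pkt.dst == self.source

    def send(self) -> Packet:
        return Packet(src=self.source, dst=self.destination)


class StaticNatFirewall:
    """Constructed, simplified firewall: static 1:1 mappings for listed inside hosts;
    any other inside source is translated to the firewall's own outside address."""

    def __init__(self, outside_addr: str, static: dict[str, str]):
        self.outside_addr = outside_addr
        self.inside_to_outside = dict(static)
        self.outside_to_inside = {o: i for i, o in static.items()}

    def outbound(self, pkt: Packet) -> Packet:
        new_src = self.inside_to_outside.get(pkt.src, self.outside_addr)
        return Packet(new_src, pkt.dst, pkt.proto)

    def inbound(self, pkt: Packet) -> Packet | None:
        # Only a statically mapped outside address can receive unsolicited GRE;
        # anything else has no inside host to deliver to and is dropped.
        inside = self.outside_to_inside.get(pkt.dst)
        return None if inside is None else Packet(pkt.src, inside, pkt.proto)


def check_tunnel(local: GreTunnel, remote: GreTunnel, fw: StaticNatFirewall) -> tuple[bool, bool]:
    """Return (remote_accepts_our_packet, we_accept_remote_reply) for one tunnel."""
    outbound_ok = remote.accepts(fw.outbound(local.send()))
    translated = fw.inbound(remote.send())
    inbound_ok = translated is not None and local.accepts(translated)
    return outbound_ok, inbound_ok


# Addresses from the thread plus constructed public addresses.
VIP, R2, R3 = "1.1.1.1", "1.1.1.2", "1.1.1.3"
VIP_PUBLIC = "203.0.113.1"     # constructed: public NAT of the HSRP virtual IP
FW_OUTSIDE = "203.0.113.254"   # constructed: firewall's own outside address
REMOTE = "198.51.100.1"        # constructed: remote tunnel endpoint


def original_design() -> dict[str, tuple[bool, bool]]:
    """Diego's design: tunnel source = real IP, remote destination = NATed virtual IP."""
    fw = StaticNatFirewall(FW_OUTSIDE, {VIP: VIP_PUBLIC})
    remote = GreTunnel(source=REMOTE, destination=VIP_PUBLIC)
    return {r: check_tunnel(GreTunnel(source=r, destination=REMOTE), remote, fw) for r in (R2, R3)}


def two_tunnel_design() -> dict[str, tuple[bool, bool]]:
    """One tunnel per real router, each real address with its own static mapping (assumption)."""
    mappings = {VIP: VIP_PUBLIC, R2: "203.0.113.2", R3: "203.0.113.3"}
    fw = StaticNatFirewall(FW_OUTSIDE, mappings)
    results = {}
    for real in (R2, R3):
        local = GreTunnel(source=real, destination=REMOTE)
        remote = GreTunnel(source=REMOTE, destination=mappings[real])
        results[real] = check_tunnel(local, remote, fw)
    return results


if __name__ == "__main__":
    print("original design :", original_design())   # both routers: (False, False)
    print("two tunnels     :", two_tunnel_design())  # both routers: (True, True)
```

In the original design the reply from the remote side is untranslated to 1.1.1.1, which is not the tunnel source on either router, so neither router claims the packet; with a per-router mapping and a matching tunnel on the remote side, each tunnel's addresses mirror each other in both directions. HSRP still provides the LAN-side gateway address, while the remote side decides which tunnel to prefer by routing over the two tunnel interfaces.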