
Cisco 2811 Routing between two Eth if. using GRE Tunnel

Hello Forum,

I have established a VPN IPSec GRE tunnel to my counterparty. It's up and stable. Logged into the cisco router, I can make a telnet to a server on Cpty-Side with

cisco2811# telnet 10170 /source-interface FastEthernet0/1

Trying, 10170 … Open

But I need the connection on another computer in my private Network ( There is a Java Software that needs to connect to a server within the network of the counterparty. Telnet from to above address returns with time-out error.


I've got the following information from Cpty:

|> Any connection attempts to FIX services should be sourced from the network.

Additionally, my techn. Acct.Mgr. @Cpty says: If we get a request, we check if it came from (my Fa0/1 address), otherwise it will be rejected.

In fact the ip network is not my network, it is an external company (BskyB) owned network. So I would assume I cannot change my internal network address schema to their network schema.

Here is my actual, functional config:

    interface Tunnel0
     description To Cpty
     ip address
     tunnel source
     tunnel destination

    interface FastEthernet0/0
     description Facing LAN
     ip address secondary
     ip address
     crypto map dbs

    interface FastEthernet0/1
     description MIC Member Lan
     ip address

With this config the initial connection is up and running

    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0     YES manual up                    up
    FastEthernet0/1        YES NVRAM  up                    up
    Tunnel0                  YES NVRAM  up                    up
    Tunnel1                YES unset  up                    up
    Tunnel2                YES unset  up                    up

    cisco2811#show crypto session
    Crypto session current status

    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: port 500
      IKE SA: local remote Active
      IPSEC FLOW: permit 47 host host
            Active SAs: 2, origin: crypto map

The ip route command shows many routes

    cisco2811#show ip route

    Gateway of last resort is to network

    S* [1/0] via
    is variably subnetted, 2 subnets, 2 masks
    D [90/26881024] via, 00:21:35, Tunnel0
    D [90/26881024] via, 00:21:35, Tunnel0
    C is directly connected, FastEthernet0/1
    L is directly connected, FastEthernet0/1
    is variably subnetted, 2 subnets, 2 masks
    C is directly connected, FastEthernet0/0
    L is directly connected, FastEthernet0/0


And I want to reach on port 10170. On my, I set as the default gateway but that was not enough.

Thus, I need IMHO something like: ip route all incoming traffic from FastEthernet0/0 with request to 90.* / 193.* --forward-to--> FastEthernet0/1

(like in the example 

cisco2811#telnet 10170 /source-interface FastEthernet0/1

Trying, 10170 … Open


As I tried with: ip route FastEthernet0/1

I even lost my telnet connection on board of the cisco. After deleting it, I was again able to telnet from the cisco2811 console.

Or do I need some kind of NATting with Fa0/0 and Fa0/1?

Please, take into account that my ADSL Router already performs NAT for my network. And the cisco is in the DMZ.

Thanks in advance.



PS: For more in depth information about my network infrastructure or previous problem, please read

There, I described earlier my problem with establishing the tunnel (which is solved).

paolo bevilacqua
Hall of Fame Master

If they check source address, you would need NAT.

And that will make everything more complicated.

I recommend that you talk to the owner of the company (the one that pays) so that he commands the other people to relax checks, re-organize the network, and make things work easily and smoothly without tricks.
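
What the NAT mentioned in the reply above could look like on the 2811, as an added example that is not part of the original thread. It assumes the counterparty routes are reached through Tunnel0, as the routing table in the question shows; the ACL name CPTY-FIX-NAT is hypothetical and the angle-bracket addresses are placeholders for values the thread does not give.

```cisco
! Added example with placeholder values; every <...> must be replaced.
! <LAN_HOST_IP>    : the internal computer running the Java software
! <CPTY_SERVER_IP> : the counterparty server reached on TCP 10170
!
! Match only the one flow that needs the Fa0/1 source address, so no other
! LAN traffic is presented to the counterparty under the trusted address.
ip access-list extended CPTY-FIX-NAT
 permit tcp host <LAN_HOST_IP> host <CPTY_SERVER_IP> eq 10170
!
! LAN-facing side: packets arriving here are candidates for translation.
interface FastEthernet0/0
 description Facing LAN
 ip nat inside
!
! Tunnel side: translation is applied as matched packets leave via the tunnel.
interface Tunnel0
 description To Cpty
 ip nat outside
!
! PAT the matched flow to the address configured on FastEthernet0/1,
! which is the source address the counterparty checks for.
ip nat inside source list CPTY-FIX-NAT interface FastEthernet0/1 overload
!
! Verification from exec mode after the LAN host attempts a connection:
!   show ip nat translations
!   show ip nat statistics
!   show ip access-lists CPTY-FIX-NAT
```

A translation entry whose inside global address is the Fa0/1 address, together with a rising hit count on the ACL, shows that the LAN host's traffic is leaving the tunnel with the expected source. The LAN host still needs a route to the counterparty server that points at the router's Fa0/0 address.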