
GRE Tunnel. Cannot get to other Network

pmarchant1
Level 1

Hi all. I have successfully configured my GRE tunnel and can ping the opposite ends of the tunnel from each side and even the router interface itself on the other LAN.

 

My-Side

internal 192.168.0.0/24

Cisco Router 192.168.0.166 (F/E 0/0)

Tunnel 0 172.16.0.2

Main Network Router 192.168.0.0 > Necessary Ports forwarded and opened.

 

Their-Side

internal 192.16.1.0/24

Cisco Router 192.168.1.22 (F/E 0/1)

Tunnel 0 172.16.0.1

Main Network Router 192.168.0.1 > Necessary Ports Forwarded and opened.

 

From My-Side I can ping 172.16.0.1/2 AND 192.168.1.22 but nothing else on that LAN

From Their-Side I can ping 172.16.0.1/2 AND 192.168.0.166 but nothing else

 

<<<<<<<<<<Config from My-Side>>>>>>>>>>>>>

My-Side#sh running-config
Building configuration...


Current configuration : 1266 bytes
!
! Last configuration change at 09:15:44 UTC Fri Jun 8 2018
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname My-Side
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2801 sn FCZ124712CT
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 4 5
tunnel source FastEthernet0/0
tunnel destination <<THEIR-SIDE-IP>>
tunnel path-mtu-discovery
!
interface FastEthernet0/0
ip address 192.168.0.166 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
logging esm config
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
speed 115200
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

 

<<<<<<<<<<<<<<<Their-Side>>>>>>>>>>>>>>>>>>>

 

Their-Side#sh running-config
Building configuration...

Current configuration : 1208 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Their-Side
!
boot-start-marker
boot-end-marker
!
no logging console
enable password secret

!

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no crypto isakmp ccm
!
!
!
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 5 4
tunnel source FastEthernet0/1
tunnel destination <<MY-SIDE-IP>>
!
interface FastEthernet0/0
ip address dhcp
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.22 255.255.255.0
duplex auto
speed auto
!
router eigrp 1
no auto-summary
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
password security
login
line aux 0
password security
login
line vty 0 4
password security
login
line vty 5 807
password security
login
!
end

 

I have played as much as I can now and feel I am now just entering commands to "just see if it works" and am out of ideas. Any and all suggestions/advice appreciated.

10 Replies

Hello,

 

Are these the full running configurations? On your My-Side router, you have only one local active interface, which is the tunnel source. Where is the local LAN configured? On the other side, there is one interface that is getting its IP address through DHCP, I assume that is the LAN?

Also:

 

internal 192.168.0.0/24

Cisco Router 192.168.0.166 (F/E 0/0)

 

are overlapping, you cannot use 192.168.0.0/24 on two different interfaces...

Hello

Your tunnel Src/Dest addressing is your LAN addressing, which you are using as the physical path for the tunnel creation.

 

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi both, yes I am using the one interface on each router. I was shown this way many moons ago and it is something we use here at my work.

Sorry, not overlapping, my typo! Sorry.....

Hello

That would be correct, you will need that one interface to create the physical path and logical tunnel, but then you will also need to have at least 1 additional interface (different subnet) on each router assigned to an internal network so it can be accessed via the tunnel.

 

res

Paul

 



Kind Regards
Paul

OK. So I do need two physical connections even if they are into the same switch.

My Cisco router is not inline with the LAN and the main outgoing router. It is plugged in with one cable into the switch. I am sure I achieved all this before with one FE/ interface.

I assume then they have gotten away with it by using VLANs? As you can gather, I am still getting my head round this a bit at a time.

Hello,

 

The tunnel sources (192.168.1.22 and 192.168.0.166) need to have IP connectivity at the very least, which they don't. What are you trying to accomplish with the tunnel?

Yes, they have internet connectivity and can ping 8.8.8.8, the remote site router and the remote site tunnel end fine; traffic just doesn't seem to get past the router at each end.

IE.

 

My-Side can ping 172.16.0.1 and 172.16.0.2 and 192.168.1.22 but then nothing else on that LAN.

Their-Side can ping 172.16.0.1 and 172.16.0.2 and 192.16.0.166 but then nothing else on that LAN.

 

Both routers can see internet and can ping 1.1.1.1 and 8.8.8.8 fine

Not sure if this helps or not ?

 

my router.jpg

Hello

Looks like your Cisco router is a NATted client to the ISP rtr and you have created a GRE tunnel originating from the internal Cisco router.

I am assuming you don’t have access to this ISP rtr?

Even though your internal clients are all on the same switch, they still won’t be able to reach the other side of the tunnel due to what I have previously mentioned -

However, with a little bit of tweaking, if you were to attach the switch to a spare interface on the rtr in another subnet, then you should be able to apply your own NAT for internet access on this new private subnet and also policy route over the tunnel for your site-to-site access.

 

res

paul



Kind Regards
Paul
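
An added example (not from the thread or from either poster) of the layout suggested in the reply above, shown for My-Side: clients move to a new subnet on the spare FastEthernet0/1, the router NATs their internet traffic and policy-routes site-to-site traffic into Tunnel0. The subnets 10.10.0.0/24 (My-Side clients) and 10.20.0.0/24 (Their-Side clients), the ACL numbers and the route-map name SITE-TO-SITE are assumptions; Their-Side needs the mirror-image configuration.

```cisco
! Added example for My-Side. Subnets 10.10.0.0/24 and 10.20.0.0/24,
! ACL numbers 101/102 and the route-map name are assumptions.
!
interface FastEthernet0/0
 description Uplink to main router, GRE tunnel source (addressing as posted)
 ip address 192.168.0.166 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Client subnet (assumed 10.10.0.0/24), switch attached here
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip policy route-map SITE-TO-SITE
 no shutdown
!
! Tunnel0 stays as posted. It is deliberately not marked "ip nat outside",
! so traffic entering the tunnel keeps its 10.10.0.x source address.
!
! NAT only client traffic that is NOT going to the remote client subnet.
access-list 101 deny   ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Policy route: client traffic for the remote client subnet enters the tunnel.
access-list 102 permit ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
route-map SITE-TO-SITE permit 10
 match ip address 102
 set interface Tunnel0
!
! Default route as posted, plus a route for router-originated traffic
! (for example pings from the router itself) to the remote client subnet.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.20.0.0 255.255.255.0 Tunnel0
!
! Their-Side (mirror image) must carry the return route:
!   ip route 10.10.0.0 255.255.255.0 Tunnel0
```

Clients on each new subnet use their local Cisco router (here 10.10.0.1) as default gateway, which is what gives replies a path back into the tunnel.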

Hello,

 

It is unclear what your network looks like. Can you post a schematic drawing including all devices, how they are connected, and what IP addresses they are using?