GRE Tunnel problem

johnny_5
Level 1

Hi there, We have configured a GRE tunnel between two branches/companies through a 1921. I can ping the router and various hosts on the other network 10.x5.xxx.xx from my PC, and they too can ping any host on my side 10.x7.xxx.xx. We are trying to access resources on the 10.x4.xxx.xx side, which is at a COLO location, from the 10.x5 side - this is the problem. I don't know if the packets are getting dropped at our gateway router or if the ASA at the COLO is blocking. Do I need an access list set on the Router as well? This is a little bit more advanced than what I'm used to, so any help would be appreciated!

Thank you in advance...

EDITED Version...

ip dhcp excluded-address 10.x5.xxx.1
ip dhcp excluded-address 10.x5.xxx.xx
ip dhcp excluded-address 10.x5.xxx.xx
ip dhcp excluded-address 10.x5.xxx.1 10.x5.xxx.50
!
ip dhcp pool Chub
 import all
 network 10.x5.xxx.xx 255.255.255.0
 default-router 10.x5.x.1
 dns-server 208.67.222.222
 lease 7
!
no ipv6 cef
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn FTX17318328
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
! GRE tunnel to the gateway router at the other branch; the posted config
! carries no tunnel protection, so this is plain (unencrypted) GRE
interface Tunnel69
 ip address 192.168.xx.20 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 18.xx.xxx.19
 tunnel destination 18.xx.xxx.18
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! Branch LAN (10.x5), NAT inside
interface GigabitEthernet0/0
 description Chub LAN
 ip address 10.x5.xxx.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! Internet-facing interface; the only 'ip nat outside' interface, so only
! traffic leaving here is translated, not traffic leaving via Tunnel69
interface GigabitEthernet0/1
 description WAN side of Router
 ip address 18.xx.xxx.19 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
router rip
 network 10.0.0.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
! Default route to the ISP; 10.x4 and 10.x7 are both reached through the tunnel
ip route 0.0.0.0 0.0.0.0 18.xx.xxx.17
ip route 10.x4.x.0 255.255.255.0 192.168.xx.10
ip route 10.x7.xxx.0 255.255.255.0 192.168.xx.10
!
! ACL 100 only selects what NAT translates; it is not applied as a filter
access-list 100 permit ip 10.x5.xxx.0 0.0.0.255 any

1 Accepted Solution

Accepted Solutions

Without knowing more about the network it is difficult to say where the problem is. You have mentioned an ASA and that it has been set up to accept traffic from your 10.27 network. So the first place that I would suggest that you look would be the ASA on the assumption that if it had to be set up to receive 10.27 that it may very well also need to be set up for 10.25. In addition to finding whether the ASA will accept traffic from 10.25 it will also be necessary to verify that the ASA has a route to 10.25 so that it can do correct forwarding of response traffic.

You also mention a gateway router. We do not know whether the gateway router is configured with access lists to filter traffic. If the gateway does do traffic filtering then it is certainly possible that changes need to be made in the access lists to permit this new traffic.

HTH

Rick

10 Replies

rfalconer.sffcu
Level 3

Couple of things to check.

What is the IP space of the colo? Does the .7 office have a route to this address range?

Does the ASA have a route back to the .7 office?

Do the ACLs on the ASA not permit traffic from the .7 office?

Thank you Robert for the quick reply...

I can access servers in the COLO (10.14.xxx.xx) from our network 10.x7. The last admin had this set up. The ASA is set up to accept traffic from our current network 10.x7 and always has been - our Call manager and dev boxes reside here.

With the tunnel in place between my network 10.x7 and the other branch 10.x5 do I still need to add ACLs on the ASA to accept traffic from 10.x5...I thought the tunnel would take care of this?

Any help is appreciated.

Richard Burts
Hall of Fame

While I certainly understand wanting to protect public addresses and masking parts of them with x, I am quite puzzled why you are masking with x in network 10 private addresses. What real benefit do you get, while it makes it more difficult for us to understand what is going on in this situation?

I am puzzled at your description of the issue. You talk about the other network 10.x5.xxx.xx and yet that is the address on the Gig0/0 interface in the config that you post. All this indirection makes it difficult for me to understand what is really working and what is not. So am I correct in understanding that 10.x5 can successfully communicate with 10.x7 but not with 10.x4? Since both 10.x4 and 10.x7 have the same treatment in the config that you posted I do not believe that it is anything in this router that is causing the problem.

Having written that, I just read your description again and see that you describe 10.x4 as being colo with 10.x5. But the configuration that you posted shows that 10.x4 seems to be through the same tunnel as 10.x7, which suggests that the colo is not where you tell us that it is. So please give us a clear understanding of the topology and of what is working and what is not working.

HTH

Rick

Sorry for the confusion Richard.

My network 10.27 can fully communicate with the network set up in the COLO 10.14. I recently set up a router with the range 10.25 for the other branch. For development purposes this branch needs to access the COLO network which is why I set up the tunnel between our network and theirs. As I mentioned before I can successfully ping any host in the 10.25 range and vice versa from within my network.

Do I need to add ACLs on my gateway router, or is it an ASA issue accepting traffic from the 10.25 network?

Thank you for your assistance.

Certainly sounds like an ASA issue, either ACL or routing. The tunnel doesn't NAT anything so the ASA will need to know what to do with 10.25 traffic.

I can traceroute the traffic to my gateway router and then it stops. Do I need to apply an access list permit for all traffic from the 10.25 network to reach the 10.14 network?

Thanks

Hello

Does the 10.4.x.x have a route back to 10..5.x.x?

Res
Paul


I have included part of the config on my gateway router with what I have configured so far, hopefully this helps...

This is what I have added so far. Do I need to add more ACLs for connectivity between my 10.25 network and the 10.14 network?

Thanks in advance...

!
! GRE tunnel to the 10.25 branch router (Tunnel69 on the 1921 is the far end)
interface Tunnel55
 ip address 192.168.66.10 255.255.255.0
 ip accounting output-packets
 ip accounting access-violations
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 12.xx.xxx.18
 tunnel destination 12.xx.xxx.19
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
! Internet-facing interface and the NAT outside interface
interface FastEthernet4
 ip address 12.xx.xxx.18 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
no ip forward-protocol nd
! Default route to the ISP; 10.25.131.0/24 is reached through the tunnel.
! No route for 10.14 or 10.27 appears in this fragment.
ip route 0.0.0.0 0.0.0.0 12.xx.xxx.17
ip route 10.25.131.0 255.255.255.0 192.168.66.20
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 2 interface FastEthernet4 overload
!
! Standard ACL 2 selects the sources NAT translates out FastEthernet4; it is not a filter
access-list 2 permit 10.27.131.0 0.0.0.255
access-list 2 permit 10.25.131.0 0.0.0.255
access-list 2 permit 192.168.66.0 0.0.0.255
access-list 2 permit 10.14.0.0 0.0.0.255
! ACL 102 is defined but is not applied to any interface in this fragment
access-list 102 permit icmp 10.25.131.0 0.0.0.255 any

Thank you for posting the partial configuration of the gateway router. It does clarify some things about the relationship of the 10.25.131 network. (can I safely assume that the 10.25.131/24 in this config is the 10.25 network that we have been talking about?) This shows that 10.25.131 is accessed through the tunnel and the partial config in your original post shows the router at the other end of the tunnel. The original post shows that 10.25.131 would reach both 10.14 and 10.27 through the tunnel.

So from what we have seen so far there is no issue about IP connectivity through the routers. I do not see any access lists doing packet filtering, though there is access list 102 in this config and we do not know what it is used for. And this config does not show us what it is doing with either 10.14 or 10.27.

So based on what we have seen so far I do not see any need for additional access lists. And I believe that it is likely that the issue is on the ASA and not on the router.

HTH

Rick
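The two conditions Rick keeps returning to (the ASA must have a route back to 10.25 so response traffic is forwarded correctly, and the posted router routes already carry 10.25 to both 10.14 and 10.27 through the tunnel) can be checked mechanically rather than by reading configs. The script below is an added example, not code from this thread or from Cisco: it parses IOS-style `ip route` lines into a longest-prefix-match table for each of the three hops and walks one flow in both directions. The octets masked with x in the thread, the ASA's own routing table, and the ASA/gateway transit link (198.51.100.0/30) are constructed assumptions; the ASA is modelled with IOS-style route lines purely for simplicity.

```python
"""Forward/return-path check for the GRE topology discussed in this thread.

Constructed model, not the posters' full configs: the 1921 branch router
(10.25.131.0/24 LAN), the 10.27.131.0/24 gateway router, and the colo ASA
in front of 10.14.0.0/24. Masked octets, the ASA's routing and the
ASA/gateway link are filled in with constructed values.
"""
import ipaddress
from dataclasses import dataclass, field

CONNECTED = "connected"


@dataclass
class Device:
    name: str
    # network -> next-hop address, or CONNECTED for a directly attached subnet
    routes: dict = field(default_factory=dict)

    def add_ios_route(self, line):
        """Parse an IOS 'ip route <network> <mask> <next-hop>' statement."""
        _, _, net, mask, next_hop = line.split()
        self.routes[ipaddress.ip_network(f"{net}/{mask}")] = next_hop

    def add_connected(self, cidr):
        self.routes[ipaddress.ip_network(cidr)] = CONNECTED

    def lookup(self, dst):
        """Longest-prefix match over the table, as the FIB does; None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        candidates = [(net, nh) for net, nh in self.routes.items() if addr in net]
        if not candidates:
            return None
        return max(candidates, key=lambda item: item[0].prefixlen)


def build_topology(asa_has_route_to_10_25):
    """Three-hop model. Tunnel next hops (192.168.66.x) come from the thread; the
    ISP hops and the 198.51.100.0/30 transit link are constructed placeholders."""
    branch = Device("branch-1921")
    branch.add_connected("10.25.131.0/24")
    branch.add_connected("192.168.66.0/24")
    branch.add_ios_route("ip route 0.0.0.0 0.0.0.0 192.0.2.17")            # placeholder for 18.xx.xxx.17
    branch.add_ios_route("ip route 10.14.0.0 255.255.255.0 192.168.66.10")
    branch.add_ios_route("ip route 10.27.131.0 255.255.255.0 192.168.66.10")

    gateway = Device("gateway")
    gateway.add_connected("10.27.131.0/24")
    gateway.add_connected("192.168.66.0/24")
    gateway.add_connected("198.51.100.0/30")
    gateway.add_ios_route("ip route 0.0.0.0 0.0.0.0 192.0.2.33")           # placeholder for 12.xx.xxx.17
    gateway.add_ios_route("ip route 10.25.131.0 255.255.255.0 192.168.66.20")
    gateway.add_ios_route("ip route 10.14.0.0 255.255.255.0 198.51.100.1")  # assumed; not in the posted fragment

    asa = Device("colo-asa")
    asa.add_connected("10.14.0.0/24")
    asa.add_connected("198.51.100.0/30")
    asa.add_ios_route("ip route 0.0.0.0 0.0.0.0 203.0.113.1")             # placeholder ISP hop
    asa.add_ios_route("ip route 10.27.131.0 255.255.255.0 198.51.100.2")   # 10.27 already works per the thread
    if asa_has_route_to_10_25:
        asa.add_ios_route("ip route 10.25.131.0 255.255.255.0 198.51.100.2")

    # Which device answers at each next-hop address (the far side of each link).
    neighbours = {
        "192.168.66.10": gateway, "192.168.66.20": branch,
        "198.51.100.1": asa, "198.51.100.2": gateway,
    }
    return [branch, gateway, asa], neighbours


def owner_of(devices, ip):
    """The device with the subnet containing ip directly attached."""
    addr = ipaddress.ip_address(ip)
    for dev in devices:
        if any(nh == CONNECTED and addr in net for net, nh in dev.routes.items()):
            return dev
    raise ValueError(f"no device owns {ip}")


def walk(devices, neighbours, src, dst, max_hops=8):
    """Follow dst through the routing tables starting where src is attached.
    Returns (outcome, device): 'delivered', 'no-route', 'default-to-internet' or 'loop'."""
    dev = owner_of(devices, src)
    for _ in range(max_hops):
        hit = dev.lookup(dst)
        if hit is None:
            return ("no-route", dev.name)
        _net, next_hop = hit
        if next_hop == CONNECTED:
            return ("delivered", dev.name)
        if next_hop not in neighbours:
            # Next hop is an ISP address: RFC 1918 traffic sent that way never comes back.
            return ("default-to-internet", dev.name)
        dev = neighbours[next_hop]
    return ("loop", dev.name)


def round_trip(asa_has_route_to_10_25, src="10.25.131.10", dst="10.14.0.20"):
    """Outcome of the forward path and of the return path for one flow."""
    devices, neighbours = build_topology(asa_has_route_to_10_25)
    return walk(devices, neighbours, src, dst), walk(devices, neighbours, dst, src)


if __name__ == "__main__":
    for has_route in (False, True):
        fwd, back = round_trip(has_route)
        print(f"ASA route to 10.25.131.0/24={has_route!s:5} forward={fwd} return={back}")
```

Without the 10.25 route on the ASA the forward path is delivered but the reply leaves the ASA via its default route, which from a host on 10.25 looks like a one-way drop even though every router in between is configured correctly. The model deliberately ignores ACLs, which is the other half of the check on the ASA; it also assumes the source address survives the tunnel unchanged, which holds here because on the 1921 only GigabitEthernet0/1 is `ip nat outside`, so traffic leaving via Tunnel69 is not translated.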
