GRE Tunnel through firewall performing PAT

yeacuz
Level 1

Hey all,

I have the following topology:

| Router A |------------{ Internet }----------< Firewall performing PAT >----| Router B |

Router A has a public IP address facing the internet.  Router B has private IP addressing and is being PATed behind a firewall to reach the internet.

I am trying to set up a simple tunnel between router A and router B and have attempted both a combination of point-to-point and multipoint configurations without any success.

Here is the relevant configuration so far ...

Router A:

interface Loopback1
 ip address x.x.x.195 255.255.255.255 (public IP address)
!
interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
 tunnel source Loopback1
 tunnel destination *see notes below*


Router B:

interface FastEthernet1
 ip address 192.168.100.10 255.255.255.0 (private IP address)
!
interface Tunnel1
 ip address 1.1.1.2 255.255.255.0
 tunnel source FastEthernet1
 tunnel destination x.x.x.195

* The issue is that I'm not sure what to set the tunnel destination to on Router A to get it to work.  I've set up various incarnations of point-to-point and multipoint with no success.  I am able to ping Loopback 1 on Router A from Router B.  While I do not have control over the firewall, it is set to allow all tunneling and IPSec protocols.

Any assistance with getting this configuration to work would be greatly appreciated!

Peter Paluch
Cisco Employee

Hello Yea,

I doubt that the GRE tunnel through a PAT box will work. The problem is that the PAT rewrites both IP addresses and TCP/UDP port numbers to perform N:1 IP:IP translation. GRE datagrams do not have ports and they are inserted directly into IP packets. PAT is usually unable to cope with this situation. That was the reason why the PPTP tunnels, quite popular for Windows VPN networking, also did not work from behind a PAT device because the PPTP also uses GRE (in a slightly modified way as far as I know).

On the other hand, if a static NAT with 1:1 translation could be configured particularly for your GRE endpoint, the GRE tunnel could work.

I am sorry to say that, but unless you are able to reserve a single IP address for static NAT purposes, establishing the GRE tunnel in your current network with PAT is most probably not possible.

Best regards,

Peter
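
To make the point above concrete, here is an added Python model (not from this thread, and not the behaviour of any specific firewall product) of an N:1 PAT table keyed on port numbers next to a 1:1 static NAT keyed on IP address only: a GRE packet carries no port, so a plain PAT box (one without a GRE/PPTP helper, which is assumed here) can build no return mapping for it, while the static NAT needs none. The addresses are constructed placeholders, and the Packet, PAT and StaticNAT names are this example's own.

```python
# Toy model of a PAT box versus a static NAT box for a GRE tunnel endpoint.
# Constructed example; addresses are placeholders, not the thread's real ones.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None  # None for GRE: the header has no ports
    dport: Optional[int] = None


class PAT:
    """N:1 translation: many inside hosts share one public IP and are
    told apart on the way back only by the translated port number."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # nothing to key a return mapping on: GRE is not forwarded
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is None:
            return None  # no mapping: dropped at the firewall
        return replace(pkt, dst=inside[0], dport=inside[1])


class StaticNAT:
    """1:1 translation of one inside IP to one public IP; ports untouched."""
    def __init__(self, inside_ip: str, public_ip: str):
        self.inside_ip, self.public_ip = inside_ip, public_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, src=self.public_ip) if pkt.src == self.inside_ip else None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.inside_ip) if pkt.dst == self.public_ip else None


def round_trip(box, pkt: Packet) -> bool:
    """Inside host sends pkt through the box; the far end answers whatever
    it saw; True if that answer is delivered back to the inside host."""
    out = box.outbound(pkt)
    if out is None:
        return False
    reply = Packet(pkt.proto, out.dst, out.src, out.dport, out.sport)
    back = box.inbound(reply)
    return back is not None and back.dst == pkt.src
```

Running round_trip with a TCP packet and with a GRE packet through PAT, and then the GRE packet through StaticNAT, reproduces the three outcomes discussed in this thread.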

Hi Peter,

Thanks for your response.  I'm inclined to agree with you, but I'm just checking all the options I guess.

Do you suppose that it would work for a multipoint interface on Router A in any way?  (I tried this but did not get it to work.  I admit, though - it is not the first time I tried something and could not get it to work!)

Cheers!

Hello Yea,

Using the multipoint GRE with NHRP would most probably not solve this issue because of two primary reasons:

  • Router B would try to register its private IP address via NHRP on Router A because that is its true IP address. Using NHRP would therefore not help to discover the public IP address of Router B.
  • Even if there were a mechanism to dynamically discover the currently dynamic IP address of Router B, it would not solve the original problem - that there is a technical issue with passing GRE datagrams through a PAT box. Even with multipoint GRE interfaces, the individual GRE messages are absolutely identical to those used in point-to-point configurations.

Best regards,

Peter

Thanks, Peter.

Your posts were extremely helpful.

Cheers!

Eventually got this to work.  The trick was to configure Router A as a DMVPN hub and Router B as a DMVPN spoke, making sure to use Router B's private IP in the crypto profile configured on Router A:

crypto isakmp profile ISAKMP
 keyring KEYRING
 match identity address 255.255.255.255