01-08-2011 01:37 PM - edited 03-04-2019 11:00 AM
Hey all,
I have the following topology:
| Router A |------------{ Internet }----------< Firewall performing PAT >----| Router B |
Router A has a public IP address facing the internet. Router B has private IP addressing and is being PATed behind a firewall to reach the internet.
I am trying to set up a simple tunnel between router A and router B and have attempted both a combination of point-to-point and multipoint configurations without any success.
Here is the relevant configuration so far ...
Router A:
interface Loopback1
ip address x.x.x.195 255.255.255.255 (public IP address)
!
interface Tunnel1
ip address 1.1.1.1 255.255.255.0
tunnel source Loopback1
tunnel destination *see notes below*
Router B:
interface FastEthernet1
ip address 192.168.100.10 255.255.255.0 (private IP address)
!
interface Tunnel1
ip address 1.1.1.2 255.255.255.0
tunnel source FastEthernet1
tunnel destination x.x.x.195
* The issue is that I'm not sure what to set the tunnel destination to on Router A to get it to work. I've set up various incarnations of point-to-point and multipoint with no success. I am able to ping Loopback 1 on Router A from Router B. While I do not have control over the firewall, it is set to allow all tunneling and IPSec protocols.
Any assistance with getting this configuration to work would be greatly appreciated!
01-09-2011 10:39 PM
Hello Yea,
Using the multipoint GRE with NHRP would most probably not solve this issue because of two primary reasons:
Best regards,
Peter
01-08-2011 01:57 PM
Hello Yea,
I doubt that the GRE tunnel through a PAT box will work. The problem is that the PAT rewrites both IP addresses and TCP/UDP port numbers to perform N:1 IP:IP translation. GRE datagrams do not have ports and they are inserted directly into IP packets. PAT is usually unable to cope with this situation. That was the reason why the PPTP tunnels, quite popular for Windows VPN networking, also did not work from behind a PAT device because the PPTP also uses GRE (in a slightly modified way as far as I know).
On the other hand, if a static NAT with 1:1 translation could be configured particularly for your GRE endpoint, the GRE tunnel could work.
I am sorry to say that, but unless you are able to reserve a single IP address for static NAT purposes, establishing the GRE tunnel in your current network with PAT is most probably not possible.
Best regards,
Peter
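Peter's point above (PAT keys its N:1 translation table on TCP/UDP ports, and GRE has none) can be illustrated with a small model. The Python below is an added example, not part of this thread or any Cisco software: it builds a toy PAT table and a toy 1:1 static NAT and pushes a UDP packet and a bare GRE packet through each. The addresses 203.0.113.1 (firewall outside) and 192.0.2.195 (stand-in for x.x.x.195) are constructed, and the class and function names are my own.

```python
"""Toy model of PAT (N:1 overload NAT) versus 1:1 static NAT for GRE.

Added example for the thread above; addresses are constructed stand-ins.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_GRE = 47   # GRE is carried directly in IP: no TCP/UDP header, no ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None: protocol has no L4 port (GRE, ESP)
    dport: Optional[int] = None


class PatDevice:
    """N:1 overload NAT: every inside host shares one outside address and is
    told apart only by the translated source port."""

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self._next_port = first_port
        # (proto, outside_port) -> (inside_ip, inside_port)
        self._table: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            # No port field to rewrite or to key the table on: PAT cannot
            # multiplex this flow, so the packet is dropped here.
            return None
        for (proto, out_port), inside in self._table.items():
            if proto == pkt.proto and inside == (pkt.src, pkt.sport):
                return replace(pkt, src=self.outside_ip, sport=out_port)
        out_port = self._next_port
        self._next_port += 1
        self._table[(pkt.proto, out_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=out_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            return None
        inside = self._table.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


class StaticNat:
    """1:1 translation of one inside address; protocol-agnostic, so GRE works."""

    def __init__(self, inside_ip: str, outside_ip: str) -> None:
        self.inside_ip = inside_ip
        self.outside_ip = outside_ip

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, src=self.outside_ip) if pkt.src == self.inside_ip else None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return replace(pkt, dst=self.inside_ip) if pkt.dst == self.outside_ip else None


ROUTER_B = "192.168.100.10"   # Router B's private address from the thread
FW_OUTSIDE = "203.0.113.1"    # constructed firewall outside address
ROUTER_A = "192.0.2.195"      # constructed stand-in for x.x.x.195


def round_trip(nat, outbound_pkt: Packet) -> Optional[Packet]:
    """Send one packet B->A through the NAT, then Router A's reply back.
    Returns the reply as delivered to Router B, or None if it was dropped."""
    out = nat.outbound(outbound_pkt)
    if out is None:
        return None
    # Router A answers by swapping addresses and (if present) ports
    reply = Packet(src=out.dst, dst=out.src, proto=out.proto,
                   sport=out.dport, dport=out.sport)
    return nat.inbound(reply)


def demo() -> Dict[str, Optional[Packet]]:
    pat = PatDevice(FW_OUTSIDE)
    static = StaticNat(ROUTER_B, FW_OUTSIDE)
    udp = Packet(ROUTER_B, ROUTER_A, IPPROTO_UDP, sport=50000, dport=500)
    gre = Packet(ROUTER_B, ROUTER_A, IPPROTO_GRE)
    return {
        "udp_via_pat": round_trip(pat, udp),        # delivered
        "gre_via_pat": round_trip(pat, gre),        # dropped: nothing to key on
        "gre_via_static": round_trip(static, gre),  # delivered
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'delivered to ' + result.dst if result else 'dropped'}")
```

The UDP flow survives because the PAT can allocate an outside port and map the reply back; the GRE flow has no port field, so the N:1 device has nothing to allocate or look up, while the 1:1 static mapping needs neither, which is exactly the distinction Peter draws.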
01-09-2011 07:13 PM
Hi Peter,
Thanks for your response. I'm inclined to agree with you, but I'm just checking all the options I guess.
Do you suppose that it would work for a multipoint interface on Router A in any way? (I tried this but did not get it to work. I admit, though - it is not the first time I tried something and could not get it to work!)
Cheers!
01-10-2011 08:32 AM
Thanks, Peter.
Your posts were extremely helpful.
Cheers!
** Message was edited by: Yea Cuz **
Eventually got this to work. The trick was to configure Router A as a DMVPN hub and Router B as a DMVPN spoke, ensuring to use Router B's private IP in the crypto profile configured on Router A:
crypto isakmp profile ISAKMP
keyring KEYRING
match identity address