05-31-2024 01:21 PM
I have a GRE/IPsec tunnel going from one router to a Cisco. I'm able to ping across the tunnel, so I know that communication is working. If I ping 8.8.8.8, it fails. If I traceroute it, the traffic stops at the far side of the tunnel, at the GRE IP there.
Do I need NAT on the tunnel if I want to get to the outside world and back? And if so, I have an existing ACL set up for NAT from another router. It has the same IP range in the ACL, the 10.137.50.x/28 shown below:
ip access-list standard TO_TTC
permit 10.100.100.0 0.0.0.255
permit 200.0.0.0 0.0.0.3
permit 10.137.50.224 0.0.0.15
The WAN on that Cisco already has the IP NAT OUTSIDE attached to it. Do I just need to add the inside piece to the tunnel?
I've attached an ugly picture for reference:
05-31-2024 11:30 PM
On your Cisco device, are you able to reach back the 10.137.50.227 IP?
From the Cisco, are you able to reach the Internet?
Also, if possible, can you post the Cisco-side configuration (removing confidential information) for us to look at?
You added only NAT outside; does the tunnel interface belong to NAT inside?
06-03-2024 09:27 AM
I did have to add a route: ip route 10.137.50.227 255.255.255.255 10.22.40.23 (which is the other side of the GRE tunnel).
Once I did that, yes, I can ping 10.137.50.227.
I can ping 8.8.8.8 from the Cisco, yes
I have the nat outside on the Cisco WAN interface, and yes, nat inside is added to the tunnel.
I'll look into adding the config (with important info missing)
06-04-2024 11:27 PM
Glad you are able to progress further; let us know the outcome or any further assistance required here.
06-06-2024 05:47 PM
Devices on R1 can communicate with resources on the Cisco using the tunnel and no NAT is needed. If devices on R1 want to access the Internet using the tunnel to the Cisco then yes NAT on the Cisco for the subnet of R1 is needed.
06-01-2024 03:13 AM
Normally NAT does not affect GRE/IPsec at all:
the traffic is pointed to the GRE tunnel and then encapsulated.
The only thing that makes NAT affect GRE/IPsec is using NAT under the tunnel itself, not under the tunnel source interface.
MHM
08-02-2024 01:29 PM
I know it's been a while, but I haven't had a chance to work on this in a bit.
So, my issue is that I can see via a tcpdump that traffic is going out over the gre-dmvpn tunnel from R1 to the Cisco. When I check the IP NAT translations, there are none, and I'm not able to reach outside the Cisco to the destination of 8.8.8.8.
I have the following tcpdump info:
13:01:47.082985 eth0.5 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:47.082985 management1 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:47.082985 vrrp.10.1 In IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:47.083097 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:48.106984 eth0 P IP13 (invalid)
13:01:48.106984 eth0.5 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:48.106984 management1 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:48.106984 vrrp.10.1 In IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:48.107105 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:49.130991 eth0 P IP13 (invalid)
13:01:49.130991 eth0.5 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:49.130991 management1 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:49.130991 vrrp.10.1 In IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:49.131080 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:50.155165 eth0 P IP13 (invalid)
13:01:50.155165 eth0.5 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
13:01:50.155165 management1 P IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
13:01:50.155165 vrrp.10.1 In IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
13:01:50.155286 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
And the ACL for the NAT translation:
ip access-list standard TO_TTC
permit 10.100.100.0 0.0.0.255
permit 200.0.0.0 0.0.0.3
permit 10.22.32.0 0.0.15.255
permit 10.137.50.224 0.0.0.15
As well as the Cisco tunnel interface:
interface Tunnel100
description INTERNAL - DMVPN Inside Interface
ip address 10.22.32.1 255.255.240.0
no ip redirects
ip nat inside
ip nhrp network-id 1
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key *****
tunnel protection ipsec profile IPSEC_PROFILE
06-01-2024 12:26 PM - edited 06-02-2024 02:50 AM
Hello
@SteveG18 wrote:
Do I just need to add the inside piece to the tunnel?
Yes,
Edited: apologies for the short answer, but I was on my phone.
So the answer to your OP was yes: you can append the tunnel interface to an inside NAT domain, as this will be the source of the traffic that will pass through your router's WAN interface, which is already performing NAT.
You need to tweak any existing NAT ACL to accommodate the tunnel traffic so it can also be "hidden" from the Internet and allowed access.
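The pieces the replies describe, put together as an added example on the Cisco side (this is not the thread's own configuration): Tunnel100, GigabitEthernet0/0/0, the ACL TO_TTC and R1's tunnel address 10.22.40.23 come from the posts; the route for the whole 10.137.50.224/28 instead of the single /32, the PAT rule on GigabitEthernet0/0/0, and the show commands are assumptions.

```cisco
! Added example, not the thread's own config. Assumed: Gi0/0/0 is the WAN
! (it is already the tunnel source), 10.22.40.23 is R1's tunnel address,
! 10.137.50.224/28 is the R1 LAN seen as 10.137.50.235 in the tcpdump.
!
! 1. Return route. Inside->outside packets are routed and then translated;
!    outside->inside replies are untranslated and then routed, so the Cisco
!    needs a route for the R1 LAN back into the tunnel (assumed /28, the
!    thread used a /32 for one host).
ip route 10.137.50.224 255.255.255.240 10.22.40.23
!
! 2. NAT ACL. Standard ACL wildcard bits set to 1 mean "don't care", so
!    0.0.0.15 covers 10.137.50.224-239, which includes 10.137.50.235.
ip access-list standard TO_TTC
 permit 10.100.100.0 0.0.0.255
 permit 200.0.0.0 0.0.0.3
 permit 10.22.32.0 0.0.15.255
 permit 10.137.50.224 0.0.0.15
!
! 3. NAT domains. Decapsulated traffic enters on Tunnel100 (inside) and
!    leaves on the WAN (outside). GRE/IPsec packets the router itself
!    sends from Gi0/0/0 are not inside->outside traffic, so they are
!    not translated (the point made in the thread).
interface Tunnel100
 ip nat inside
!
interface GigabitEthernet0/0/0
 ip nat outside
!
! 4. The translation rule (assumed form: PAT to the WAN address).
ip nat inside source list TO_TTC interface GigabitEthernet0/0/0 overload
!
! Verification while a ping from 10.137.50.235 to 8.8.8.8 is running:
!   show ip nat translations      - an ICMP entry for 10.137.50.235 should appear
!   show ip nat statistics        - confirms inside/outside interfaces and the list
!   show ip access-lists TO_TTC   - hit counters show whether the ACL matches at all
```

If the ACL counter climbs but no translation appears, the packets are matching the list but not arriving on an interface marked inside, so check which interface the decapsulated traffic actually enters on.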