Is NAT needed for traffic over GRE/IPsec tunnel?

SteveG18
Level 1

I have a GRE/IPsec tunnel going from 1 router to a Cisco.  I'm able to ping across the tunnel, so I know that communication is working.  If I ping 8.8.8.8, it fails.  If I traceroute it, the traffic is stopping at the far side of the tunnel at the GRE IP there.

Do I need NAT on the tunnel if I want to get to the outside world and back??  And if so, I have an existing ACL set up for NAT from another router.  It has the same IP range in the ACL, the 10.137.50.x/28 shown below:

ip access-list standard TO_TTC
 permit 10.100.100.0 0.0.0.255
 permit 200.0.0.0 0.0.0.3
 permit 10.137.50.224 0.0.0.15

The WAN on that Cisco already has the IP NAT OUTSIDE attached to it.  Do I just need to add the inside piece to the tunnel?

I've attached an ugly picture for reference:

Blank diagram(1).jpeg

7 Replies

balaji.bandi
Hall of Fame

On your Cisco device, are you able to reach back the 10.137.50.227 IP?

From the Cisco, are you able to reach the Internet?

Also, if possible, can you post the Cisco side configuration (with confidential information removed) so we can take a look.

You added only NAT outside; does the tunnel interface belong to NAT inside?


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I did have to add a route:  ip route 10.137.50.227 255.255.255.255 10.22.40.23 (which is the other side of GRE tunnel)

Once I did that, yes I can ping the 10.137.50.227

I can ping 8.8.8.8 from the Cisco, yes
I have the nat outside on the Cisco WAN interface, and yes, nat inside is added to the tunnel. 

I'll look into adding the config (with important info missing)

Glad you were able to progress further; let us know the outcome or if any further assistance is required here.

BB


Devices on R1 can communicate with resources on the Cisco using the tunnel and no NAT is needed. If devices on R1 want to access the Internet using the tunnel to the Cisco then yes NAT on the Cisco for the subnet of R1 is needed.

HTH

Rick

Normally NAT does not affect GRE/IPsec;
the traffic is pointed at the GRE tunnel and then encapsulated.
The only thing that makes NAT affect GRE/IPsec is using NAT under the tunnel itself, not under the tunnel source interface.

MHM

I know it's been a while, but I haven't had a chance to work on this in a bit.

So, my issue is that I can see via a tcpdump that traffic is going out over the gre-dmvpn tunnel from R1 to the Cisco.  When I check the IP NAT translations, there are none, and I'm not able to reach outside the Cisco to the destination of 8.8.8.8.  

I have the following tcpdump info:

13:01:47.082985 eth0.5 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:47.082985 management1 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:47.082985 vrrp.10.1 In  IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:47.083097 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1383, length 64
13:01:48.106984 eth0  P   IP13 (invalid)
13:01:48.106984 eth0.5 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:48.106984 management1 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:48.106984 vrrp.10.1 In  IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:48.107105 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1384, length 64
13:01:49.130991 eth0  P   IP13 (invalid)
13:01:49.130991 eth0.5 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:49.130991 management1 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:49.130991 vrrp.10.1 In  IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:49.131080 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1385, length 64
13:01:50.155165 eth0  P   IP13 (invalid)
13:01:50.155165 eth0.5 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
13:01:50.155165 management1 P   IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
13:01:50.155165 vrrp.10.1 In  IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64
13:01:50.155286 gre-DMVPN Out IP 10.137.50.235 > dns.google: ICMP echo request, id 9, seq 1386, length 64

And the ACL for the NAT translation:

ip access-list standard TO_TTC
 permit 10.100.100.0 0.0.0.255
 permit 200.0.0.0 0.0.0.3
 permit 10.22.32.0 0.0.15.255
 permit 10.137.50.224 0.0.0.15

As well as the Cisco tunnel interface:

interface Tunnel100
 description INTERNAL - DMVPN Inside Interface
 ip address 10.22.32.1 255.255.240.0
 no ip redirects
 ip nat inside
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key *****
 tunnel protection ipsec profile IPSEC_PROFILE
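
As an added example (not from this thread, and not Cisco's code), here is a small Python model of the inside-source NAT decision the replies describe: a packet gets a translation only when it enters on an "ip nat inside" interface, leaves on an "ip nat outside" interface, and its source address is permitted by the NAT ACL. It parses the TO_TTC ACL and the Tunnel100 role quoted above. The "outside" role on GigabitEthernet0/0/0 and the presence of an "ip nat inside source list TO_TTC interface GigabitEthernet0/0/0 overload" statement are assumptions, because the thread does not show those lines.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the thread: the standard ACL used for NAT, verbatim.
ACL_TO_TTC = """
ip access-list standard TO_TTC
 permit 10.100.100.0 0.0.0.255
 permit 200.0.0.0 0.0.0.3
 permit 10.22.32.0 0.0.15.255
 permit 10.137.50.224 0.0.0.15
"""

# NAT roles per interface. Tunnel100 is "ip nat inside" in the post;
# the WAN role on GigabitEthernet0/0/0 is an ASSUMPTION (the OP says the
# WAN carries "ip nat outside" but does not show the interface config).
NAT_ROLES = {
    "Tunnel100": "inside",
    "GigabitEthernet0/0/0": "outside",
}


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    network: int     # 32-bit address
    wildcard: int    # 32-bit wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        care = ~self.wildcard & 0xFFFFFFFF
        # An IOS wildcard entry matches when every "care" bit is equal.
        return (a & care) == (self.network & care)


def parse_standard_acl(text: str) -> List[AclEntry]:
    """Parse the permit/deny lines of an IOS standard ACL."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        if parts[1] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif parts[1] == "host":
            net, wc = parts[2], "0.0.0.0"
        else:
            # "permit A.B.C.D" with no wildcard means a single host.
            net = parts[1]
            wc = parts[2] if len(parts) > 2 else "0.0.0.0"
        entries.append(AclEntry(parts[0],
                                int(ipaddress.IPv4Address(net)),
                                int(ipaddress.IPv4Address(wc))))
    return entries


def acl_permits(entries: List[AclEntry], addr: str) -> bool:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for e in entries:
        if e.matches(addr):
            return e.action == "permit"
    return False


def nat_decision(src: str, ingress: str, egress: str,
                 entries: List[AclEntry], roles: dict,
                 nat_rule_present: bool = True) -> Tuple[bool, str]:
    """Return (translated, reason) for an inside-source NAT rule.

    The checks are ordered the way a practitioner walks them when
    'show ip nat translations' comes back empty.
    """
    if not nat_rule_present:
        return False, "no 'ip nat inside source list ...' statement configured"
    if roles.get(ingress) != "inside":
        return False, "ingress %s is not 'ip nat inside'" % ingress
    if roles.get(egress) != "outside":
        return False, "egress %s is not 'ip nat outside'" % egress
    if not acl_permits(entries, src):
        return False, "source %s is not permitted by the NAT ACL" % src
    return True, "inside -> outside and ACL permits: translation created"


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TO_TTC)
    # The ping source from the tcpdump above, entering on the tunnel.
    print(nat_decision("10.137.50.235", "Tunnel100", "GigabitEthernet0/0/0", acl, NAT_ROLES))
    # Same flow, but with no NAT rule statement at all.
    print(nat_decision("10.137.50.235", "Tunnel100", "GigabitEthernet0/0/0", acl, NAT_ROLES,
                       nat_rule_present=False))
    # A source just outside the /28 (10.137.50.224 0.0.0.15 covers .224-.239).
    print(nat_decision("10.137.50.240", "Tunnel100", "GigabitEthernet0/0/0", acl, NAT_ROLES))
```

Run stand-alone it reports, for each flow, either that a translation would be created or which of the four conditions fails. With the thread's ACL and interface roles, 10.137.50.235 from Tunnel100 to the WAN passes every check, so an empty translation table points at something the model has to assume, such as the missing NAT rule statement or the return route, rather than at the ACL.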


Hello


@SteveG18 wrote:
 Do I just need to add the inside piece to the tunnel?

Yes,

Edited: apologies for the short answer, but I was on my phone.
So the answer to your OP was yes, you can append the tunnel interface to an inside NAT domain, as this will be the source of the traffic that will pass through your router's WAN interface, which is already performing NAT.

You need to tweak any existing NAT ACL to accommodate the tunnel traffic so it can also be "hidden" from the internet and allowed access.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul