Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3315
Views
0
Helpful
1
Replies

Port-forwarding over GRE tunnel

Black_Rabbit
Level 1
Level 1

‎12-28-2013 03:57 AM - edited ‎03-04-2019 09:57 PM

Hello!

I have two branch routers. Between them GRE tunnel is configured.

Traffic successfully routed from one segment to another.

port_forwarding_over_gre.png

I need to set up port forwarding (static NAT) so that the packets to the external interface of the branch 1 router are forwarded to the branch 2 server through the tunnel.

Port forwarding on a branch 1 nodes running successfully, but on the branch nodes 2 - does not work. =(

My configuration:

####### Router 1 #######

interface Tunnel512001

ip address 172.20.100.2 255.255.255.252

ip hello-interval eigrp 20 20

ip hold-time eigrp 20 60

ip nat inside

ip virtual-reassembly

tunnel source 1.1.1.1

tunnel destination 2.2.2.2

interface FastEthernet0/0

ip address 10.51.231.130 255.255.255.128

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

interface FastEthernet0/1

description UPLINK

ip address 1.1.1.1 255.255.255.248

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

!

ip route 0.0.0.0 0.0.0.0 1.1.1.254

!

ip nat inside source list 101 interface FastEthernet0/1 overload

ip nat inside source static tcp 10.51.231.72 25 195.128.57.138 25 extendable

!

access-list 101 deny   ip 10.51.231.0 0.0.0.255 10.51.0.0 0.0.255.255

access-list 101 deny   ip 10.51.231.0 0.0.0.255 172.20.0.0 0.0.255.255

access-list 101 permit ip 10.51.231.0 0.0.0.255 any

####### Router 2 #######

interface Tunnel512001

ip address 172.20.100.1 255.255.255.252

ip hello-interval eigrp 20 20

ip hold-time eigrp 20 60

ip virtual-reassembly in

tunnel source 2.2.2.2

tunnel destination 1.1.1.1

!

interface GigabitEthernet0/0

ip address 10.51.231.65 255.255.255.192

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1/0

description UPLINK

no ip address

ip virtual-reassembly in

speed 1000

media-type sfp

no cdp enable

!

interface GigabitEthernet0/1/0.399

encapsulation dot1Q 399

ip address 2.2.2.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

!

ip nat inside source list 101 interface GigabitEthernet0/1/0.399 overload

ip route 0.0.0.0 0.0.0.0 2.2.2.254

!

access-list 101 deny   ip 10.51.231.64 0.0.0.63 10.51.0.0 0.0.255.255

access-list 101 deny   ip 10.51.231.64 0.0.0.63 172.20.0.0 0.0.255.255

access-list 101 permit ip 10.51.231.64 0.0.0.63 any

I read a few articles, but was not able to understand what goes wrong. With IP reachability all is OK.

Each subnet is present int the routing table of the opposite router. Ping and telnet within the network go without problems.

But telnet 1.1.1.1 on port 25 is interrupted due to a timeout.

Tell me, please, how can I fix it?

Labels:
0 Helpful
1 Reply 1

Black_Rabbit
Level 1
Level 1

‎12-28-2013 08:52 AM

Hi all!

I solved the problem.

Solution:

####### Router 2 #######

ip access-list extended PORT_FW

permit ip host 10.51.231.72 any

!

route-map PORT_FW permit 10

match ip address PORT_FW

set ip next-hop 172.20.100.2

!

interface GigabitEthernet0/0

ip policy route-map PORT_FW

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card