Route from VRF to GRE tunnel out a NAT'd WAN link

mtbtrailcarver · ‎12-01-2016

I've got several internal networks with overlapping IP schemes so we stuffed each into their own VRF so they could get out our 2911 router and into the outside world. We have a couple /28's and I can get everyone out onto the internet with each network's traffic NAT'd through it's own external IP.

The twist is we're using a cloud service for internet content filtering and we want to build the GRE's for that traffic off the router as well. For policy and reporting reasons the tunnels need to originate from their own external IP. I cannot seem to get the tunnels to come up and route to the destination. They show up (as up as a tunnel interface can show) but I can't ping the inside IP of the destination. So I am doing something wrong but I search as I may I can't seem to come up with a solution.

I have been at this piece for about 3 days now and can't seem to crack it. I'm posting a sketch and the relevant parts of the router's config. Anyone with suggestions or questions please chime in. As much as I've taught myself the last couple weeks it apparently isn't enough to bring it all together.

Thanks!

mtbtrailcarver · ‎12-05-2016

I actually figured this out this morning. There were two issues here.

1. When the tunnel interface needs to be in a vrf you not only need the "vrf forwarding name" command you also need the "vrf tunnel name" command. One tells the tunnel which vrf the packets are input from, the other which vrf the packets are ouput to.

2. To get the NAT to work I actually needed the "ip nat outside" on the tunnel interface as well.