Port forwarding over GRE tunnels

dennis.lloyd
Level 1

Hello everyone, second attempt since my first post didn't seem to work. 

I have a strange problem I can't seem to get my head around. I have a network with 3 locations connected with tunnels, and routing with EIGRP between the three. Everything works inside the network without issue. At SITE20, I have an SSL webserver hosting an application for remote users. "ip nat inside source static" works at SITE20. What I am trying to do is load balance (with DNS) requests to a URL between SITE10 and SITE30, forwarding those requests to SITE20 over the tunnels. I am already forwarding https at SITE20 (which works fine), hence using 10 and 30 to handle inbound requests.

I have an additional tunnel between 20 and 30; on occasion SITE10 goes down and I lose NHRP, so effectively I have no connections to any site. I did increase the holdtime on sites 20 and 30, perhaps that will help.

Here are my configs from each router.

SITE10

interface Tunnel0
 description mGRE - DMVPN Tunnel
 bandwidth 10000
 bandwidth inherit
 ip address 10.1.1.1 255.255.255.240
 no ip redirects
 ip nbar protocol-discovery
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 no ip mroute-cache
 qos pre-classify
 tunnel source 111.111.111.111
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
 description WAN
 mac-address 0014.6987.f057
 ip address dhcp
 ip access-group BLOCK_EXT in
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "LAN"
 ip address 10.10.10.1 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
ip nat inside source static tcp 10.20.30.150 443 interface FastEthernet0/0 443
-------------
10_R1841#show ip route 10.20.30.150
Routing entry for 10.20.30.0/24
  Known via "eigrp 1", distance 170, metric 13058816, type external
  Redistributing via eigrp 1, eigrp 2
  Advertised by eigrp 2
  Last update from 10.1.1.2 on Tunnel0, 2d12h ago
  Routing Descriptor Blocks:
  * 10.1.1.2, from 10.1.1.2, 2d12h ago, via Tunnel0
      Route metric is 13058816, traffic share count is 1
      Total delay is 500110 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1396 bytes
      Loading 1/255, Hops 2
-------------

SITE20

interface Tunnel0
 description R2 mGRE - DMVPN Tunnel
 bandwidth inherit
 ip address 10.1.1.2 255.255.255.240
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 10.1.1.1 111.111.111.111
 ip nhrp map multicast 111.111.111.111
 ip nhrp network-id 1
 ip nhrp holdtime 21600
 ip nhrp nhs 10.1.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel protection ipsec profile protect-gre
!
interface Tunnel1
 description SECONDARY VPN - SITE30
 bandwidth 100000
 bandwidth inherit
 ip address 10.2.1.2 255.255.255.240
 no ip redirects
 tunnel source 222.222.222.222
 tunnel destination 333.333.333.333
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip mtu 1472
 ip flow egress
 ip pim sparse-dense-mode
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN
 ip address 10.20.10.1 255.255.255.252
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!

-----

20_R1821#show ip route 10.20.30.150
Routing entry for 10.20.30.0/24
  Known via "eigrp 2", distance 90, metric 28416, type internal
  Redistributing via nhrp, eigrp 1, eigrp 2
  Advertised by eigrp 1
  Last update from 10.20.10.2 on FastEthernet0/1, 7w0d ago
  Routing Descriptor Blocks:
  * 10.20.10.2, from 10.20.10.2, 7w0d ago, via FastEthernet0/1
      Route metric is 28416, traffic share count is 1
      Total delay is 110 microseconds, minimum bandwidth is 100000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1

----

SITE30

interface Tunnel0
 description R3 mGRE - DMVPN Tunnel
 bandwidth 5000
 bandwidth inherit
 bandwidth receive 100000
 ip address 10.1.1.3 255.255.255.240
 no ip redirects
 ip nhrp authentication firewall
 ip nhrp map multicast dynamic
 ip nhrp map 10.1.1.1 111.111.111.111
 ip nhrp map multicast 111.111.111.111
 ip nhrp network-id 1
 ip nhrp holdtime 21600
 ip nhrp nhs 10.1.1.1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel protection ipsec profile protect-gre
!
interface Tunnel1
 description SECONDARY VPN - SITE20
 bandwidth 5000
 bandwidth inherit
 ip address 10.2.1.3 255.255.255.240
 no ip redirects
 tunnel source 333.333.333.333
 tunnel destination 222.222.222.222
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 description LAN
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.10
 description default-gateway VLAN
 encapsulation dot1Q 10
 ip address 10.30.10.1 255.255.255.252
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0.99
 description MGMT VLAN
 encapsulation dot1Q 99
 ip address 10.30.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description WAN$ETH-WAN$
 mac-address 0014.bff9.c654
 ip dhcp client lease 7 0 0
 ip address dhcp
 ip access-group BLOCK_SMTP_IN in
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
 duplex auto
 speed auto
!
ip nat inside source static tcp 10.20.30.150 443 interface FastEthernet0/1 443
-------
30_R1841#show ip route 10.20.30.150
Routing entry for 10.20.30.0/24
  Known via "eigrp 1", distance 170, metric 13314816, type external
  Redistributing via eigrp 2, eigrp 1
  Advertised by eigrp 2
  Last update from 10.2.1.2 on Tunnel1, 21:37:53 ago
  Routing Descriptor Blocks:
  * 10.2.1.2, from 10.2.1.2, 21:37:53 ago, via Tunnel1
      Route metric is 13314816, traffic share count is 1
      Total delay is 500110 microseconds, minimum bandwidth is 5000 Kbit
      Reliability 255/255, minimum MTU 1476 bytes
      Loading 1/255, Hops 2

30_R1841#
---------

Thank you for any assistance, I will also take any suggestions on how to improve my config should you see anything I've done that's not correct.

1 Reply

AllertGen
Level 3

Hello.

In your case I would try to add NAT at SITE 20 on the tunnel interfaces, with this logic:

Tunnel0 and Tunnel1 should be ip nat outside (because you already have an inside LAN interface). After this you need to add 2 lines with "ip nat outside ..." for each tunnel interface. Also I would use this NAT with a route-map for only HTTPS traffic to this server.

The logic of this solution: you have the right commands at SITE 10 and SITE 30. But response traffic goes out directly from SITE 20 (you can check it with "sh ip nat translations" at SITE 10 and SITE 30). So you need to change the source address of the packets (that come from the WAN) by NAT to the address of the tunnel interface.

Sorry that I can't show you commands because I don't have access to the lab environment right now.

Best Regards.
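An added example, not from the thread or either poster, showing one way to make the return path symmetric for the case where a single site (SITE10) fronts the service. The failure behind the thread is that the static entry at SITE10 rewrites only the destination: the server at SITE20 still replies to the client's real public address, SITE20 follows its own default route out FastEthernet0/0 and PATs the reply behind its WAN address, so the client receives a SYN-ACK from an address it never contacted and the handshake never completes. A second defect is visible in the posted SITE10 config: Tunnel0 is in neither NAT domain, so even a reply that did come back over the tunnel would not have the static translation undone. The fragment below policy-routes the server's HTTPS replies at SITE20 back to the hub's tunnel address and puts SITE10's Tunnel0 into the NAT inside domain. Addresses are taken from the posted configs; the ACL and route-map names are chosen here for illustration.

```ios
! ---- SITE10 (hub, 10_R1841) ----
! Replies from the web server will now arrive on Tunnel0. IOS NAT only
! translates packets passing between an "inside" and an "outside"
! interface, so Tunnel0 must join the inside domain or the static
! translation is never undone on the way back to the client.
interface Tunnel0
 ip nat inside
!
! Unchanged from the post: destination translation for inbound HTTPS.
ip nat inside source static tcp 10.20.30.150 443 interface FastEthernet0/0 443
!
! ---- SITE20 (spoke, 20_R1821) ----
! Server replies (source 10.20.30.150:443) enter this router on
! FastEthernet0/1. Policy-route the ones bound for Internet clients to the
! hub's tunnel address 10.1.1.1 (statically NHRP-mapped in the posted
! config) instead of letting the default route push them out
! FastEthernet0/0. Internal clients in 10.0.0.0/8 are excluded so they keep
! their normal path.
! (ACL and route-map names are illustrative, not from the thread.)
ip access-list extended WEB_REPLIES_TO_INTERNET
 deny   tcp host 10.20.30.150 eq 443 10.0.0.0 0.255.255.255
 permit tcp host 10.20.30.150 eq 443 any
!
route-map RETURN_VIA_HUB permit 10
 match ip address WEB_REPLIES_TO_INTERNET
 set ip next-hop 10.1.1.1
!
interface FastEthernet0/1
 ip policy route-map RETURN_VIA_HUB
!
! Tunnel0 and Tunnel1 stay out of SITE20's NAT domains on purpose in this
! design: the reply must leave with its real source 10.20.30.150 so that
! SITE10, not SITE20, maps it back to the public address the client used.
```

To confirm the problem before changing anything, run show ip cef followed by a client's public address on 20_R1821: the matched entry is the DHCP default route out FastEthernet0/0, not a tunnel. After the change, show route-map RETURN_VIA_HUB on SITE20 counts policy-matched packets, and show ip nat translations on SITE10 shows the client's 443 entry with traffic flowing in both directions. Two caveats apply. This design serves one ingress site only: SITE20's own static 443 forward and the SITE30 copy must be retired, because their replies would now also be sent to SITE10. And any dynamic NAT list on SITE10 that matches 10.0.0.0/8 sources will, once Tunnel0 is inside, also apply to traffic arriving over the tunnel, so scope that list to the SITE10 LAN. Keeping DNS round-robin across two ingress sites requires rewriting the client's source address into a tunnel address as well (twice NAT), so that plain routing at SITE20 returns each reply through the tunnel it arrived on; that is the general approach the reply above describes, and it should be built and verified in a lab rather than taken from this example.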
