
Route ports through GRE tunnel

alistairvernon
Level 1

Hi,

I'm trying to set up a GRE tunnel to Netsweeper so I can filter ports 80, 8080, 443 and 9443. I have managed to create the GRE tunnel and successfully ping the Netsweeper end of the tunnel. But for the life of me I cannot get ports 80, 8080, 443 and 9443 to route down the GRE tunnel. Please could somebody take a look at my running config and point me in the right direction.

Any help would be appreciated. 

 

Thank you.


R1#show run
Building configuration...

Current configuration : 4246 bytes
!
! Last configuration change at 15:26:44 UTC Wed Nov 27 2019 by admin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 ******
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
ip domain name r1.hayfield.local
ipv6 multicast rpf use-bgp
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2080598478
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2080598478
revocation-check none
rsakeypair TP-self-signed-2080598478
!
!
crypto pki certificate chain TP-self-signed-2080598478
certificate self-signed 01

quit
license udi pid CISCO1941/K9 sn FCZ16337H79
!
!
username admin password 0 ****
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
ip address 172.16.0.173 255.255.255.252
tunnel source 10.5.82.1
tunnel destination 67.207.69.49
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Lan Port
ip address 10.5.82.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map USE-GRE
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname *******
ppp chap password 0 *******
ppp ipcp route default
!
!
router eigrp 1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NETSWEEPER
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 9443
permit tcp any any eq 8080
!
dialer-list 1 protocol ip permit
!
route-map USE-GRE permit 10
match ip address NETSWEEPER
set ip next-hop 172.16.0.173
!
!
access-list 1 permit 10.5.82.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
password ****
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0
password ****
transport input all
line vty 1 4
transport input all
!
scheduler allocate 20000 1000
!
end

 

5 Replies

Jaderson Pessoa
VIP Alumni

@alistairvernon 

 

Maybe change default route?

 

ip route 0.0.0.0 0.0.0.0 tunnel0

Jaderson Pessoa
*** Rate All Helpful Responses ***

Jon Marshall
Hall of Fame

 

Shouldn't the PBR next hop IP be 172.16.0.174?

 

Jon
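Jon's point is the kind of mistake a mechanical check catches before anyone has to stare at the config: on a /30 tunnel link the only valid `set ip next-hop` is the far end, and the posted route-map points at the router's own Tunnel1 address (172.16.0.173), so the traffic the ACL selects is never handed to Netsweeper. The script below is an added example, not code from the thread, from Cisco or from Netsweeper. It parses a constructed, trimmed copy of the running config above (with the one-space sub-command indentation that `show run` produces and the forum copy lost), collects every interface address and every `set ip next-hop`, and reports a next-hop that is one of the router's own addresses (suggesting the /30 peer) or that is on no directly connected subnet. Function names and the finding dictionary layout are my own.

```python
"""Lint 'set ip next-hop' targets in an IOS config against the router's own
interface addresses.  Added example for this thread; not Cisco or Netsweeper code."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the running config posted in the thread,
# with IOS's one-space indentation under each stanza restored.
SAMPLE_CONFIG = """\
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.0.173 255.255.255.252
 tunnel source 10.5.82.1
 tunnel destination 67.207.69.49
!
interface GigabitEthernet0/0
 ip address 10.5.82.1 255.255.255.0
 ip policy route-map USE-GRE
!
interface Dialer1
 ip address negotiated
!
route-map USE-GRE permit 10
 match ip address NETSWEEPER
 set ip next-hop 172.16.0.173
!
"""


def _stanzas(config):
    """Yield (header, [sub-commands]) per stanza; IOS indents sub-commands with one space."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        # '!' and blank lines terminate a stanza; anything else starts a new one
        header, body = (None, []) if line.startswith("!") or not line.strip() else (line.strip(), [])
    if header is not None:
        yield header, body


def parse_interfaces(config):
    """Map interface name -> IPv4Interface for interfaces with a static address."""
    interfaces = {}
    for header, body in _stanzas(config):
        m = re.match(r"^interface (\S+)$", header)
        if not m:
            continue
        for cmd in body:
            a = re.match(r"^ip address (\S+) (\S+)$", cmd)  # skips 'ip address negotiated'
            if a:
                interfaces[m.group(1)] = ipaddress.IPv4Interface(f"{a.group(1)}/{a.group(2)}")
    return interfaces


def parse_policy(config):
    """Map interface name -> route-map applied with 'ip policy route-map'."""
    policy = {}
    for header, body in _stanzas(config):
        m = re.match(r"^interface (\S+)$", header)
        if m:
            for cmd in body:
                p = re.match(r"^ip policy route-map (\S+)$", cmd)
                if p:
                    policy[m.group(1)] = p.group(1)
    return policy


def parse_next_hops(config):
    """List (route-map, sequence, next-hop) for every 'set ip next-hop'."""
    hops = []
    for header, body in _stanzas(config):
        m = re.match(r"^route-map (\S+) (?:permit|deny) (\d+)$", header)
        if m:
            for cmd in body:
                h = re.match(r"^set ip next-hop (\S+)$", cmd)
                if h:
                    hops.append((m.group(1), int(m.group(2)), h.group(1)))
    return hops


def peer_on_link(iface):
    """For a /30 (or /31) point-to-point link, the only other address on it; else None."""
    net = iface.network
    candidates = list(net.hosts()) if net.prefixlen == 30 else list(net) if net.prefixlen == 31 else []
    others = [h for h in candidates if h != iface.ip]
    return others[0] if len(others) == 1 else None


def check_pbr_next_hops(config):
    """Return findings for next-hops that point at this router or at no connected subnet."""
    interfaces = parse_interfaces(config)
    local = {i.ip: name for name, i in interfaces.items()}
    applied_on = {rm: ifname for ifname, rm in parse_policy(config).items()}
    findings = []
    for rm, seq, hop in parse_next_hops(config):
        hop_ip = ipaddress.IPv4Address(hop)
        finding = {"route_map": rm, "seq": seq, "next_hop": hop,
                   "applied_on": applied_on.get(rm), "suggested": None}
        if hop_ip in local:
            # Pointing PBR at ourselves: on a /30 the intended target is the far end.
            peer = peer_on_link(interfaces[local[hop_ip]])
            finding["problem"] = f"next-hop is this router's own address on {local[hop_ip]}"
            finding["suggested"] = str(peer) if peer else None
        elif not any(hop_ip in i.network for i in interfaces.values()):
            finding["problem"] = "next-hop is not on any directly connected subnet"
        else:
            continue  # next-hop is a reachable neighbour on a connected link
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_pbr_next_hops(SAMPLE_CONFIG):
        print(f)
```

Run against the sample it reports a single finding for `USE-GRE` sequence 10 (applied on GigabitEthernet0/0) with 172.16.0.174 as the suggested next-hop; changing the `set ip next-hop` line to that address makes the check pass. The script only validates the next-hop against the router's own addressing; it cannot tell you whether the far end returns traffic through the tunnel, which is the separate question Jon raises in his next reply.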

Hi Jon,

Yes, I would have thought so, but if I change the next hop to 172.16.0.174 I lose access to web pages, so I guess I am routing traffic but it looks like I'm not getting data back. Hmmm....

 

Does the GRE tunnel terminate on the Netsweeper device?

 

How do you make sure traffic on that device is returned via the tunnel, i.e. you use PBR on this end.

 

Not used Netsweepers, so not sure how it is meant to work.

 

Jon

Yes, the GRE tunnel terminates at Netsweeper; they in turn filter the traffic (for schools etc.). So essentially the GRE tunnel is the school's connection to the internet, as the kids only really look at http and https traffic.

So maybe I do need a PBR for inbound traffic, but what would it look like please? I last used Cisco routers 8 years ago and Netsweeper are being no use whatsoever.