Tunneling traffic across the internal network and into the DMZ

Scott Cannon (Level 1)

Hi Guys,

I have an interesting situation here I'm having trouble testing in a lab.

I have a external network directly connected to my core network. Due to physical connectivity constraints I cannot physically connect the external network to the DMZ. I require the external network traffic to terminate in the DMZ however it will need to traverse the core network infrastructure to reach it. The external network must not be able to gain direct access to services on the core network.

I've devised a theoretical solution that I'm testing (with no success). The solution sees a GRE tunnel built between the external network and a router on the edge of the internal network (see attached diagram). Using PBR, the tunnel end device then pushes all traffic sourced from the external network through the firewall (into the DMZ).

So the tunnel is up and the routing is in place. I can ping from one end of the tunnel to the other. I cannot ping from an external host to the DMZ. Doing a packet capture I see the traffic go from the internal router all the way to the external router and then go nowhere. As I'm pinging the external-facing interface of the external router I can't see it being a routing issue. There is no active firewall in place so I'm not sure what the problem is.

I've attached the config of both the tunnel endpoints. R1 is the external router (192.168 is the external network) and R4 is the internal router. R5 is the DMZ firewall (it's just a router).

I'm not really looking for a config fix, rather proof that this concept works. If anyone can replicate it and share the config, that'd be just as helpful. Also happy to entertain any alternate design considerations.

TIA

Rgds

Scott

GRE_R4#sho run
Building configuration...

Current configuration : 1141 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GRE_R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface Tunnel0
ip address 100.0.0.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
!
interface FastEthernet0/0
ip address 4.4.4.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.16.96.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.5
ip route 0.0.0.0 0.0.0.0 4.4.4.1
ip route 1.1.1.1 255.255.255.255 2.2.2.1
ip route 1.1.1.1 255.255.255.255 4.4.4.1
ip route 100.0.0.1 255.255.255.255 2.2.2.5
ip route 100.0.0.1 255.255.255.255 4.4.4.1
ip route 192.168.0.0 255.255.0.0 Tunnel0
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

GRE_R1#sho run
Building configuration...

Current configuration : 1047 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GRE_R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface Tunnel0
ip address 100.0.0.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.13.11 255.255.255.0 secondary
ip address 192.168.13.10 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 2.2.2.2 255.255.255.255 1.1.1.2
ip route 100.0.0.2 255.255.255.255 1.1.1.2
!
!
no ip http server
no ip http secure-server
!
no cdp run
!
!
!
control-plane

!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end

GRE_R1#

3 Replies

Marcel Zehnder (Spotlight), accepted solution

You have an issue with your tunnel-destinations - try this:

R4:

interface Tunnel0
ip address 100.0.0.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 1.1.1.1

R1:

interface Tunnel0
ip address 100.0.0.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 4.4.4.2

This is just the start, maybe there are other issues; I didn't check your routing config...

HTH

Marcel
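As an added sanity check, not code from this thread or from Cisco, the following Python script parses excerpts of the two posted configs, reports a tunnel destination that is not the peer's tunnel-source address (the mismatch identified above), and also reports a destination that is itself routed through the tunnel, which R1 would hit after the fix because its only route to 4.4.4.2 is the default via Tunnel0. The route lookup is a simplified model (assumption): a static whose next hop is not on a connected subnet is treated as not installed, and the config excerpts are constructed from the ones posted above.

```python
import ipaddress
def parse_ios(text):
    """Minimal IOS config parser: interface addresses, tunnel endpoints, static routes."""
    cfg, cur = {"if_ip": {}, "source": {}, "destination": {}, "routes": []}, None
    for w in (ln.split() for ln in text.splitlines() if ln.strip()):
        if w[0] == "interface":
            cur = w[1]
        elif cur and w[:2] == ["ip", "address"] and "secondary" not in w:
            cfg["if_ip"][cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif cur and w[0] == "tunnel":  # "tunnel source X" / "tunnel destination X"
            cfg[w[1]][cur] = w[2]
        elif w[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
    return cfg
def out_interface(cfg, dst):
    """Longest-prefix match over connected subnets and static routes -> exit interface."""
    cands = [(a.network.prefixlen, n) for n, a in cfg["if_ip"].items() if dst in a.network]
    for net, nh in cfg["routes"]:
        # Assumption: an IP next hop must lie on a connected subnet, else the static is ignored.
        exit_if = nh if nh in cfg["if_ip"] else next(
            (n for n, a in cfg["if_ip"].items() if ipaddress.ip_address(nh) in a.network), None)
        if dst in net and exit_if:
            cands.append((net.prefixlen, exit_if))
    return max(cands)[1] if cands else None
def check_gre(a, b, tun="Tunnel0"):
    """Findings for one GRE tunnel between routers a and b; 'outer' is the address
    of the peer's tunnel-source interface. An empty list means the pair is clean."""
    out = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        dst, outer = ipaddress.ip_address(me["destination"][tun]), peer["if_ip"][peer["source"][tun]].ip
        if dst != outer:
            out.append(f"{tag}: destination {dst} != peer tunnel source {outer}")
        if out_interface(me, dst) == tun:
            out.append(f"{tag}: {dst} is reached via {tun} itself (recursive routing)")
    return out
R4 = """interface Tunnel0
 ip address 100.0.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 100.0.0.1
interface FastEthernet0/0
 ip address 4.4.4.2 255.255.255.252
ip route 1.1.1.1 255.255.255.255 4.4.4.1
ip route 100.0.0.1 255.255.255.255 4.4.4.1"""  # excerpt of the R4 config posted above
R1 = """interface Tunnel0
 ip address 100.0.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 100.0.0.2
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 100.0.0.2 255.255.255.255 1.1.1.2"""  # excerpt of the R1 config posted above
```

With the corrected destinations, the check only comes back clean once R1 also gets a more specific route to 4.4.4.2 via 1.1.1.2, otherwise the GRE outer packets would be sent into Tunnel0 itself.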

Thanks Marcel, you hit the nail on the head. Fresh eyes always help!

Cheers

Scott

No Problem

Have a nice day

Marcel
