GRE/IPSec Tunnel router-to-router with Private IP address assigned to WAN

mel.woodley (Level 1)

I cannot figure out for the life of me how to get 2 routers talking GRE/IPSec when one of the routers has been assigned a private IP address 10.252.10.68 that is being static NAT translated to a public address 81.31.XXX.XXX by the ISP upstream (next-hop) router. I have 15 other tunnels up and working just fine from other ISPs that did provide me with real routeable public Internet addresses, when the crypto map is applied normally to the WAN interface and Tunnel interface.

However, when I try this same setup on the new router with the 10.252.10.68 address which is NAT'd by the ISP, I cannot get phase 2 to validate. I believe this is because of IPSec not allowing the source/destination address to be changed during transmission. The router on the other side has a public address, so nothing is needed there as far as I know to get this to work.

Now the only way I am able to get this to work is to create the tunnel between the 2 routers' private LAN (local LAN) interface fas0/1. But once I do this I can no longer ping or telnet to the LAN IP address.

Any ideas would be greatly appreciated.

5 Replies

jasobrown (Level 1)

Make sure that you use the private address on the NAT'd side for the interesting traffic (access-list 150 permit gre host private host public) as well as for the tunnel destination on the other side (the router with the public address), and the exact reverse on the other side (access-list 155 permit gre host public host private).

I.E. - On the router with the public address:

interface tunnel 0
 ip address x.x.x.x
 tunnel source (this router's public addr)
 tunnel destination (other router's PRIVATE/nat'd addr)

On the router with the private address:

interface tunnel 0
 ip address x.x.x.x
 tunnel source (this router's private/nat'd addr)
 tunnel destination (other router's public addr)

You would also need a route for the PRIVATE address of the NAT'd router on the router with the public address (to make sure you hit the crypto map; if you only have a default route pointing out the public interface, you wouldn't need it).

Make sure that you have the crypto map mapname local-address {interface terminating the crypto}.

Hopefully this helps :)

Regards,

Hmm, not familiar with the crypto map mapname local-address command. Also, when you say "this router private/nat'd addr", do you mean the 10.252.10.68 address that the ISP is statically translating to 81.31.101.105, or do you mean I put the 81.31.101.105? I'm assuming you mean the 81.31.101.105, since I could not put 10.252.10.68 on the other router with the public address as that would not be an Internet routable address.

When I said private/nat'd addr I meant the 10.252.10.68 that is "nat'd". Just make sure that your default route goes out the interface that has the crypto map applied, or that you have a static route for that network.

Regards,

Here is a document that should help.

http://www.cisco.com/warp/public/707/ipsecgrenat.html

Regards,

Jason Brown

CCIE#10833
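Why the private address has to appear in the crypto ACLs and in the hub's tunnel destination can be seen by following one packet through the static NAT. The simulation below is an added example, not code from the thread or from Cisco; it models the crypto ACL / proxy-ID check in a simplified way (outbound packets must match the ACL, decrypted packets must match it mirrored), uses the thread's branch addresses and a constructed hub address, and compares the failing setup (hub names the branch by 81.31.101.105) with the working one (hub names it by 10.252.10.68).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses modelled on the thread; the hub address is hypothetical.
BRANCH_PRIVATE = "10.252.10.68"   # WAN address the ISP assigned to the branch router
BRANCH_NATTED = "81.31.101.105"   # what the ISP's static NAT presents to the Internet
HUB_PUBLIC = "203.0.113.9"        # hub router with a real public address (constructed)

@dataclass
class Packet:
    proto: str                        # "gre" or "esp"
    src: str
    dst: str
    inner: Optional["Packet"] = None  # protected GRE packet when proto == "esp"

def encapsulate(inner: Packet, local: str, peer: str) -> Packet:
    """Crypto map: wrap an interesting packet in ESP addressed to the IKE peer."""
    return Packet("esp", local, peer, inner)

def isp_static_nat(pkt: Packet) -> Packet:
    """ISP next-hop router: 1:1 static NAT rewrites only the outer IP header."""
    src = BRANCH_NATTED if pkt.src == BRANCH_PRIVATE else pkt.src
    dst = BRANCH_PRIVATE if pkt.dst == BRANCH_NATTED else pkt.dst
    return Packet(pkt.proto, src, dst, pkt.inner)

def acl_out(acl, pkt: Packet) -> bool:
    """'permit gre host A host B' applied to a packet leaving the crypto interface."""
    proto, a, b = acl
    return pkt.proto == proto and pkt.src == a and pkt.dst == b

def acl_in(acl, pkt: Packet) -> bool:
    """A decrypted packet must match the same ACL mirrored (what the proxy IDs encode)."""
    proto, a, b = acl
    return pkt.proto == proto and pkt.src == b and pkt.dst == a

def tunnel_works(branch_addr_seen_by_hub: str):
    """Return (branch_to_hub_ok, hub_to_branch_ok) when the hub's ACL and tunnel
    destination name the branch by the given address."""
    branch_acl = ("gre", BRANCH_PRIVATE, HUB_PUBLIC)
    hub_acl = ("gre", HUB_PUBLIC, branch_addr_seen_by_hub)
    # Branch -> hub: GRE is sourced from the branch's own interface address (10.252.10.68).
    gre = Packet("gre", BRANCH_PRIVATE, HUB_PUBLIC)
    esp = isp_static_nat(encapsulate(gre, BRANCH_PRIVATE, HUB_PUBLIC))
    # The hub sees ESP from 81.31.101.105, but the inner GRE header still says 10.252.10.68.
    branch_to_hub = acl_out(branch_acl, gre) and acl_in(hub_acl, esp.inner)
    # Hub -> branch: GRE to the configured tunnel destination, ESP to the IKE peer (NAT'd addr).
    gre_back = Packet("gre", HUB_PUBLIC, branch_addr_seen_by_hub)
    esp_back = isp_static_nat(encapsulate(gre_back, HUB_PUBLIC, BRANCH_NATTED))
    hub_to_branch = acl_out(hub_acl, gre_back) and acl_in(branch_acl, esp_back.inner)
    return branch_to_hub, hub_to_branch
```

`tunnel_works(BRANCH_NATTED)` fails in both directions because NAT never touches the inner GRE header, while `tunnel_works(BRANCH_PRIVATE)` passes both checks.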

mel.woodley (Level 1)

Jason, thanks for the info. You were right on point with using the private NAT address in the access list. Everything is working. Much appreciated!!!!