01-04-2003 07:29 AM - edited 02-21-2020 12:15 PM
I cannot figure out for the life of me how to get two routers talking GRE/IPsec when one of the routers has been assigned a private IP address, 10.252.10.68, that is being static-NAT translated to a public address, 81.31.XXX.XXX, by the ISP's upstream (next-hop) router. I have 15 other tunnels up and working just fine to other ISPs that did provide me with real routable public Internet addresses, where the crypto map is applied normally to the WAN interface and the tunnel interface.
However, when I try this same setup on the new router with the 10.252.10.68 address, which is NATed by the ISP, I cannot get phase 2 to validate. I believe this is because IPsec does not allow the source/destination address to be changed during transmission. The router on the other side has a public address, so nothing is needed there, as far as I know, to get this to work.
Now the only way I am able to get this to work is to create the tunnel between the two routers' private LAN (local LAN) interfaces, fas0/1. But once I do this I can no longer ping or telnet to the LAN IP address.
Any ideas would be greatly appreciated.
01-04-2003 08:52 AM
Make sure that you use the private address on the NATed side for the interesting traffic (access-list 150 permit gre host private host public) as well as for the tunnel destination on the other side (the router with the public address), and the exact reverse on the other side (access-list 155 permit gre host public host private).
I.e., on the router with the public address:
interface tunnel 0
ip address x.x.x.x
tunnel source (this router public)
tunnel dest (other router PRIVATE/nat'd addr)
On the router with the private address:
interface tunnel 0
ip address x.x.x.x
tunnel source (this router private/nat'd addr)
tunnel dest (other router public)
You would also need a route for the PRIVATE address of the NATed router on the router with the public address (to make sure you hit the crypto map; if you only have a default route pointing out the public interface, you wouldn't need it).
Make sure that you have crypto map mapname local-address {interface terminating the crypto}.
Hopefully this helps :)
Regards,
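The configuration Jason describes, written out as an added worked example for both ends (this is not from the original posts or from Cisco's document). The addresses 10.252.10.68 and 81.31.101.105 and the ACL numbers 150/155 come from the thread; the public peer address 192.0.2.1, the interface names, the tunnel subnet 172.16.1.0/30, the ISP next hop 10.252.10.1 and the pre-shared key are placeholders I have assumed. The point to notice is that the crypto ACLs and the tunnel destination use the PRE-NAT address 10.252.10.68, because the GRE packet is built and encrypted before the ISP rewrites the outer ESP header, while the ISAKMP peer and pre-shared key on the public side are keyed on the POST-NAT address 81.31.101.105, because that is the source address the IKE and ESP packets actually arrive with.

```cisco
! ===== R-NAT: router behind the ISP's static NAT (10.252.10.68 -> 81.31.101.105) =====
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Peer is the far end's real public address (192.0.2.1 is an assumed placeholder).
crypto isakmp key GRE-NAT-EXAMPLE-KEY address 192.0.2.1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Interesting traffic is the GRE tunnel itself, described with this router's
! pre-NAT address. After decryption the far end sees 10.252.10.68 as the GRE
! source, so that is the address its mirror ACL must match.
access-list 150 permit gre host 10.252.10.68 host 192.0.2.1
!
! Pin IKE/IPsec to the WAN interface so one map on several interfaces uses one source.
crypto map GRE-MAP local-address Ethernet0/0
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 150
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 tunnel source Ethernet0/0
 tunnel destination 192.0.2.1
 crypto map GRE-MAP
!
interface Ethernet0/0
 ip address 10.252.10.68 255.255.255.0
 crypto map GRE-MAP
!
! Default route out the interface carrying the crypto map (next hop assumed).
ip route 0.0.0.0 0.0.0.0 10.252.10.1

! ===== R-PUB: router with the real public address 192.0.2.1 (assumed) =====
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! IKE peer and key are the POST-NAT address: that is what the packets carry on arrival.
crypto isakmp key GRE-NAT-EXAMPLE-KEY address 81.31.101.105
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Exact mirror of ACL 150 on R-NAT: the inner GRE header carries the peer's
! PRE-NAT address 10.252.10.68, so the proxy identities must use it.
access-list 155 permit gre host 192.0.2.1 host 10.252.10.68
!
crypto map GRE-MAP local-address Serial0/0
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 81.31.101.105
 set transform-set TS
 match address 155
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 10.252.10.68
 crypto map GRE-MAP
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
!
! The outbound GRE packet is addressed to 10.252.10.68; it must leave via the
! interface holding the crypto map or it never gets encrypted. Needed only if the
! default route does not already point out Serial0/0.
ip route 10.252.10.68 255.255.255.255 Serial0/0
```

On IOS releases of that period the crypto map has to sit on both the Tunnel interface and the physical interface, which is why it appears twice on each router. To check the result, `show crypto isakmp sa` should show a QM_IDLE SA with 81.31.101.105 on the public router, and `show crypto ipsec sa` on each side should list local/remote identities of the form `(10.252.10.68/255.255.255.255/47/0)` and `(192.0.2.1/255.255.255.255/47/0)`; if the identities show the post-NAT address instead, the ACL was written against the wrong side of the translation and phase 2 will fail exactly as described in the question. The 3DES/SHA-1 and group 2 settings match the era of the thread; a current deployment would use AES, SHA-2 and IKEv2 with the same addressing logic.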
01-04-2003 09:11 AM
Hmm, I'm not familiar with the crypto map mapname local-address command. Also, when you say this router's private/NATed address, do you mean the 10.252.10.68 address that the ISP statically translates to 81.31.101.105, or do you mean I put in 81.31.101.105? I'm assuming you mean 81.31.101.105, since I could not put 10.252.10.68 on the other router with the public address, as that would not be an Internet-routable address.
01-04-2003 09:22 AM
When I said private/NATed address I meant the 10.252.10.68 that is "NATed". Just make sure that your default route goes out the interface that has the crypto map applied, or that you have a static route for that network.
Regards,
01-04-2003 09:58 AM
Here is a document that should help.
http://www.cisco.com/warp/public/707/ipsecgrenat.html
Regards,
Jason Brown
CCIE#10833
01-09-2003 02:18 AM
Jason, thanks for the info. You were right on point with using the private NAT address in the access list. Everything is working. Much appreciated!