Tunnel down: GRE over IPsec

ardian.sinani (Level 1)

I've created an IPsec tunnel between two PIX 515Es. One interface of Pix1 is NATed to a public IP address by the outside router R1. On Pix1's interface VPN I have placed the router R2 for creating the GRE tunnel. IPsec is up but GRE is down. On the other side is Pix2, whose outside interface has a public IP address. On one of its interfaces, VPN2, is router R3 for GRE. In router R1 there is no access list that denies anything. The router versions are 12.4, Pix1 is version 7.04 and Pix2 is version 6.3. Can anyone give any suggestions? Somebody said that I should allow the traffic between the two loopbacks for GRE in R1. I don't know how.

3 Replies

andrew.prince (Level 10)

Try this:

Router 1:

interface Loopback0
 ip address 192.168.1.1 255.255.255.255
 ! or a similar address; the loopback is the GRE endpoint
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 ! or a similar range
 tunnel source Loopback0
 tunnel destination 192.168.1.2
!
! host route for the remote loopback, next hop towards the firewall
ip route 192.168.1.2 255.255.255.255 <>

Firewall 1:

access-list vpn-R2 extended permit ip host 192.168.1.1 host 192.168.1.2
route outside 192.168.1.2 255.255.255.255 <>
crypto map <> <> match address vpn-R2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Router 2:

interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 ! or a similar address
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.252
 ! or a similar range
 tunnel source Loopback0
 tunnel destination 192.168.1.1
!
! host route for the remote loopback, next hop towards the firewall
ip route 192.168.1.1 255.255.255.255 <>

Firewall 2:

access-list vpn-R1 extended permit ip host 192.168.1.2 host 192.168.1.1
route outside 192.168.1.1 255.255.255.255 <>
crypto map <> <> match address vpn-R1

HTH
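The configuration above depends on a symmetry that is easy to break by hand: each router's tunnel source must be the other router's tunnel destination, each PIX's crypto-map ACL must permit the local loopback to the remote loopback (the mirror of the other side's ACL), and both the router and the firewall need a host route for the remote loopback. The following Python check is an added example, not code from the thread or from Andrew's reply; it parses the reply's skeleton as constructed sample text, with assumed next-hop addresses standing in for the "<>" placeholders, and reports where the two sites disagree.

```python
"""Symmetry check for GRE over IPsec with loopback tunnel endpoints (added
example, not from the thread): the tunnel source of each router must be the
other's tunnel destination, each PIX crypto-map ACL must permit local loopback
-> remote loopback, and router and firewall both need a host route to it."""
import re

# Constructed sample configs following the reply's skeleton. Next hops stand in
# for the "<>" placeholders and are assumed values, not from the thread.
ROUTER_TEMPLATE = """
interface Loopback0
 ip address {lo} 255.255.255.255
!
interface Tunnel1
 ip address {tun} 255.255.255.252
 tunnel source Loopback0
 tunnel destination {peer_lo}
!
ip route {peer_lo} 255.255.255.255 {nh}
"""
FIREWALL_TEMPLATE = """
access-list {acl} extended permit ip host {src} host {dst}
route outside {peer_lo} 255.255.255.255 {nh}
crypto map outside_map 10 match address {acl}
"""
ROUTER_1 = ROUTER_TEMPLATE.format(lo="192.168.1.1", tun="172.16.1.1", peer_lo="192.168.1.2", nh="10.0.1.1")
ROUTER_2 = ROUTER_TEMPLATE.format(lo="192.168.1.2", tun="172.16.1.2", peer_lo="192.168.1.1", nh="10.0.2.1")
FIREWALL_1 = FIREWALL_TEMPLATE.format(acl="vpn-R2", src="192.168.1.1", dst="192.168.1.2",
                                      peer_lo="192.168.1.2", nh="203.0.113.1")
FIREWALL_2 = FIREWALL_TEMPLATE.format(acl="vpn-R1", src="192.168.1.2", dst="192.168.1.1",
                                      peer_lo="192.168.1.1", nh="203.0.113.129")
# Common mistake: Firewall 2's ACL pasted from Firewall 1 without mirroring src/dst.
FIREWALL_2_UNMIRRORED = FIREWALL_TEMPLATE.format(acl="vpn-R1", src="192.168.1.1", dst="192.168.1.2",
                                                 peer_lo="192.168.1.1", nh="203.0.113.129")


def parse_router(text):
    """Collect loopback addresses, the tunnel stanza and static routes from IOS config."""
    cfg = {"loopbacks": {}, "tunnel": {}, "routes": set()}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"interface (\S+)", line, re.I):
            current = m.group(1).lower()
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            if current and current.startswith("loopback"):
                cfg["loopbacks"][current] = m.group(1)
            elif current and current.startswith("tunnel"):
                cfg["tunnel"].update(ip=m.group(1), mask=m.group(2))
        elif m := re.match(r"tunnel source (\S+)", line):
            cfg["tunnel"]["source"] = m.group(1).lower()
        elif m := re.match(r"tunnel destination (\S+)", line):
            cfg["tunnel"]["destination"] = m.group(1)
        elif m := re.match(r"ip route (\S+) (\S+) \S+", line):
            cfg["routes"].add((m.group(1), m.group(2)))
    return cfg


def parse_firewall(text):
    """Collect crypto ACL entries, static routes and crypto-map ACL bindings from PIX config."""
    cfg = {"acls": {}, "routes": set(), "crypto_acls": set()}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"access-list (\S+) (?:extended )?permit (\S+) host (\S+) host (\S+)", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4))
        elif m := re.match(r"route \S+ (\S+) (\S+) \S+", line):
            cfg["routes"].add((m.group(1), m.group(2)))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acls"].add(m.group(1))
    return cfg


def check_pair(name_a, rtr_a, fw_a, name_b, rtr_b, fw_b):
    """Return the list of inconsistencies; empty means GRE endpoints, crypto ACLs and routes agree."""
    problems = []
    for name, rtr, fw, peer in ((name_a, rtr_a, fw_a, rtr_b), (name_b, rtr_b, fw_b, rtr_a)):
        src = rtr["loopbacks"].get(rtr["tunnel"].get("source"))
        dst = peer["loopbacks"].get(peer["tunnel"].get("source"))
        if src is None or dst is None:
            problems.append(f"{name}: a tunnel source does not resolve to a loopback")
            continue
        if rtr["tunnel"].get("destination") != dst:
            problems.append(f"{name}: tunnel destination is not the peer loopback {dst}")
        if (dst, "255.255.255.255") not in rtr["routes"]:
            problems.append(f"{name}: router has no host route for {dst}")
        if (dst, "255.255.255.255") not in fw["routes"]:
            problems.append(f"{name}: firewall has no host route for {dst}")
        # The ACL bound to the crypto map must cover local -> remote loopback; 'ip'
        # includes GRE (protocol 47), which is all the tunnel actually sends.
        if not any(proto in ("ip", "gre", "47") and s == src and d == dst
                   for acl in fw["crypto_acls"] for proto, s, d in fw["acls"].get(acl, [])):
            problems.append(f"{name}: no crypto-map ACL permits {src} -> {dst}")
    return problems


def check_thread_design(firewall_2_text=FIREWALL_2):
    """Check the reply's two sites; pass FIREWALL_2_UNMIRRORED to see the failure reported."""
    return check_pair("site1", parse_router(ROUTER_1), parse_firewall(FIREWALL_1),
                      "site2", parse_router(ROUTER_2), parse_firewall(firewall_2_text))
```

With the mirrored ACLs from the reply the check returns no problems; with the unmirrored copy it reports that site 2 has no crypto-map ACL permitting 192.168.1.2 -> 192.168.1.1, which is exactly the case where IKE can still come up but the GRE packets never match interesting traffic and the tunnel stays down.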

Hi Andrew,

Have a look at the schema: R2 (GRE) -> Pix1 (IPsec) -> R1 (NAT) -- /\Internet\/ -- Pix2 (IPsec) -> R3 (GRE). The private IP address of Pix1 is NATed by R1 to the public IP address. But I cannot receive any request for ESP; I receive only UDP 500 and UDP 4500. I've heard in one forum that router R1 cannot NAT ESP, only TCP and UDP, and as a result this schema is not viable; I must place the interface of Pix1 directly on the Internet without NATing the IP address. Have a look at this and tell me if those are true.

Routers did have issues NATing ESP. However, you can configure IPsec NAT Transparency on your router, from version 12.2T:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html

However, I think it is always good practice to have the firewall outside interface directly connected to the Internet; it makes the topology and troubleshooting easier.

HTH.
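The exchange above turns on why a translating router struggles with ESP and what NAT transparency (NAT-T, RFC 3948) changes on the wire. As an added example that is not from the thread or from Cisco's documentation, the Python below models a port-overloading NAT like R1: ESP (IP protocol 50) carries no transport ports, so port address translation has nothing to key a translation on, whereas NAT-T wraps ESP in UDP port 4500, which PAT handles like any other UDP flow. The receiving peer then distinguishes IKE, ESP and NAT keepalives on port 4500 by the first bytes of the UDP payload. The inside address 10.1.1.2 for Pix1's NATed interface, the public address 203.0.113.10 for R1, and the packets themselves are constructed for the example.

```python
"""Why port-overloading NAT cannot map plain ESP, and what NAT-T does about it
(added example, not from the thread). A toy PAT table stands in for R1; the
packets follow RFC 3948 (UDP-encapsulated ESP) and the IKE non-ESP marker."""
import struct

ESP, UDP, TCP = 50, 17, 6
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes in front of IKE on UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte payload that keeps the PAT entry alive


class PatRouter:
    """Minimal port address translation keyed on (protocol, public port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # (proto, public_port) -> (inside_ip, inside_port)
        self.next_port = 1024

    def outbound(self, proto, inside_ip, inside_port):
        """Translate an inside flow; fails for protocols that carry no ports."""
        if proto not in (TCP, UDP):
            raise ValueError(f"protocol {proto} has no ports, PAT cannot map it")
        for (p, public_port), inside in self.table.items():
            if p == proto and inside == (inside_ip, inside_port):
                return self.public_ip, public_port
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, public_port)] = (inside_ip, inside_port)
        return self.public_ip, public_port

    def inbound(self, proto, public_port):
        """Map a returning packet back to the inside host, or None if no entry exists."""
        return self.table.get((proto, public_port))


def build_esp(spi, seq, ciphertext):
    """ESP header: 32-bit SPI, 32-bit sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp_wrap(payload, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """UDP header (zero checksum, as RFC 3948 permits) in front of the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def encapsulate_esp(esp):
    """RFC 3948: UDP header directly followed by the ESP packet."""
    return udp_wrap(esp)


def encapsulate_ike(ike):
    """IKE on port 4500 carries the non-ESP marker so it cannot be mistaken for ESP."""
    return udp_wrap(NON_ESP_MARKER + ike)


def classify_port_4500(datagram):
    """What a UDP 4500 datagram carries: ('esp', spi), ('ike', body) or ('keepalive',)."""
    body = datagram[8:]
    if body == NAT_KEEPALIVE:
        return ("keepalive",)
    if body[:4] == NON_ESP_MARKER:        # SPI zero is reserved, so the marker is unambiguous
        return ("ike", body[4:])
    spi, _seq = struct.unpack("!II", body[:8])
    return ("esp", spi)


def esp_crosses_pat(router, inside_ip="10.1.1.2"):
    """Does a raw ESP packet from the NATed PIX address get a translation? (constructed case)"""
    try:
        router.outbound(ESP, inside_ip, None)
        return True
    except ValueError:
        return False


def natt_round_trip(router, inside_ip="10.1.1.2"):
    """Send UDP-encapsulated ESP out through PAT and map the peer's reply back inside."""
    _public_ip, public_port = router.outbound(UDP, inside_ip, NAT_T_PORT)
    reply = encapsulate_esp(build_esp(spi=0x12345678, seq=1, ciphertext=b"\x00" * 16))
    return router.inbound(UDP, public_port), classify_port_4500(reply)
```

Two practical points follow from the model. A static one-to-one NAT rewrites only addresses and can pass ESP unchanged; the limitation bites with port overloading. And NAT-T is negotiated between the IPsec peers, so it is the peers that change the wire format, while the translating router in between only has to pass UDP 500 and UDP 4500, which matches the two ports the original poster reports seeing.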