GRE tunnel, web does not work.

Unanswered Question
May 13th, 2009

Hi.

I have a tunnel between 2 offices; network services are working well. When I open an internet site, it does not work.

My config:

R1.

crypto isakmp policy 100
 authentication pre-share
!
crypto isakmp key 123 address 10.10.255.2
!
crypto ipsec transform-set msk esp-aes esp-sha-hmac
!
crypto ipsec profile Pmsk
 set transform-set msk
!
!
interface Tunnel1
 ip address 10.10.254.1 255.255.255.252
 ip mtu 1500
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1436
 ip policy route-map sety
 tunnel source Serial0/0/0
 tunnel destination 10.10.255.2
 tunnel protection ipsec profile Pmsk
!
interface Serial0/0/0
 ip address 10.10.255.1 255.255.255.252
 ip mask-reply
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map sety
!
ip route 10.10.128.0 255.255.252.0 10.10.254.2
!
ip access-list extended ForSety
 deny ip host 10.10.10.41 any
 deny tcp host 10.10.10.21 eq 3389 any
 deny ip 10.10.101.0 0.0.0.255 any
 deny ip host 10.10.10.8 any
 deny ip host 10.10.10.253 any
 deny ip 10.10.0.0 0.0.127.255 10.10.128.0 0.0.3.255
 deny ip 10.10.0.0 0.0.127.255 10.10.132.0 0.0.3.255
 deny ip 10.10.128.0 0.0.3.255 10.10.0.0 0.0.127.255
 deny ip 10.10.128.0 0.0.3.255 10.10.132.0 0.0.3.255
 deny ip 10.10.132.0 0.0.3.255 10.10.0.0 0.0.127.255
 deny ip 10.10.132.0 0.0.3.255 10.10.128.0 0.0.3.255
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map sety permit 10
 match ip address ForSety
 set ip next-hop xxx.yyy.zzz.www

________________________________________________

R2

crypto isakmp policy 100
 authentication pre-share
crypto isakmp key 123 address 10.10.255.1
!
!
crypto ipsec transform-set msk esp-aes esp-sha-hmac
!
crypto ipsec profile Pmsk
 set transform-set msk
!
interface Tunnel1
 ip address 10.10.254.2 255.255.255.252
 ip mtu 1500
 ip tcp adjust-mss 1436
 tunnel source Serial0/1/0
 tunnel destination 10.10.255.1
 tunnel protection ipsec profile Pmsk
!
interface Serial0/1/0
 ip address 10.10.255.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.10.254.1

Can you help me resolve this problem?

AxiomConsulting Wed, 05/13/2009 - 01:59

Hi,

Please ensure that your access-lists allow outbound traffic from the remote network, and also that this network is being NATed on your R1 router.

HTH

Steve
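
One way to run the access-list check suggested above offline: evaluate the ForSety entries from the question first-match against sample flows. This is an added example, not part of the original thread; the flows and the 203.0.113.10 internet address are constructed, and only the `host` / `any` / wildcard / `eq` syntax that appears on this page is parsed.

```python
import ipaddress
# ForSety entries copied from the R1 config in the question.
FORSETY = """\
deny ip host 10.10.10.41 any
deny tcp host 10.10.10.21 eq 3389 any
deny ip 10.10.101.0 0.0.0.255 any
deny ip host 10.10.10.8 any
deny ip host 10.10.10.253 any
deny ip 10.10.0.0 0.0.127.255 10.10.128.0 0.0.3.255
deny ip 10.10.0.0 0.0.127.255 10.10.132.0 0.0.3.255
deny ip 10.10.128.0 0.0.3.255 10.10.0.0 0.0.127.255
deny ip 10.10.128.0 0.0.3.255 10.10.132.0 0.0.3.255
deny ip 10.10.132.0 0.0.3.255 10.10.0.0 0.0.127.255
deny ip 10.10.132.0 0.0.3.255 10.10.128.0 0.0.3.255
permit ip 10.10.0.0 0.0.255.255 any"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    t = tok.pop(0)
    if t == "any":
        base, wild = 0, 0xFFFFFFFF
    elif t == "host":
        base, wild = _ip(tok.pop(0)), 0
    else:
        base, wild = _ip(t), _ip(tok.pop(0))
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    del tok[:0 if port is None else 2]
    return base, wild, port

def parse(text):
    """Return (action, proto, src, dst, line) tuples in ACL order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        rules.append((tok.pop(0), tok.pop(0), _endpoint(tok), _endpoint(tok), line))
    return rules

def first_match(rules, proto, src, sport, dst, dport):
    """First matching entry wins; a wildcard bit of 1 means 'ignore this bit'."""
    for action, rproto, (sb, sw, sp), (db, dw, dp), line in rules:
        if (rproto in ("ip", proto) and sp in (None, sport) and dp in (None, dport)
                and _ip(src) | sw == sb | sw and _ip(dst) | dw == db | dw):
            return action, line
    return "deny", "(implicit deny)"

# Under "route-map sety permit 10": permit = policy-routed to the set ip next-hop,
RULES = parse(FORSETY)  # deny = not policy-routed, forwarded by the routing table.
```

For example, `first_match(RULES, "tcp", "10.10.128.20", 50000, "203.0.113.10", 80)` shows which ForSety entry a web request from the remote 10.10.128.0 network hits on R1.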

sun_sazanov Wed, 05/13/2009 - 02:57

The ACL allows outbound traffic from the remote network, and NAT is enabled. Ping and traceroute to an internet site are working.

If I change:

R1

ip route 10.10.128.0 255.255.252.0 10.10.254.2

to

ip route 10.10.128.0 255.255.252.0 10.10.255.2

---------------------------------------------------------------------

R2

ip route 0.0.0.0 0.0.0.0 10.10.254.1

to

ip route 0.0.0.0 0.0.0.0 10.10.255.1

Everything works.
