
help with ACLs and GRE Tunnel

usuario0001
Level 1

I have a site-to-site VPN with a GRE Tunnel between two sites and two Cisco 2811.

There are 2 groups of PCs at the local site; one of them must connect to several servers at the remote site via the Internet connection and the other group of PCs via the GRE Tunnel. Is it possible? Is it possible that a server can connect via the Internet to some PCs and via the GRE Tunnel to other PCs?

Servers at the remote site have public IP addresses.

These are the current configurations, and I have to change them in order to get what I have explained:

Remote router:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address xxx.xxx.xxx.xxx
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPSEC_VPN 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 101
!
interface Tunnel1
 ip address 10.1.1.1 255.255.255.252
 ip access-group 10 out
 ip nat inside
 ip virtual-reassembly
 keepalive 10 3
 tunnel source Vlan1
 tunnel destination xxx.xxx.xxx.xxx
 crypto map IPSEC_VPN
!
!
interface Vlan1
 ip address aaa.aaa.aaa.1 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 crypto map IPSEC_VPN
!
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa
ip route 192.168.3.0 255.255.255.0 10.1.1.2
!
ip nat inside source static 192.168.3.2 aaa.aaa.aaa.2
!
access-list 10 permit aaa.aaa.aaa.2
access-list 10 permit aaa.aaa.aaa.3
access-list 10 permit aaa.aaa.aaa.4
access-list 10 permit aaa.aaa.aaa.5
access-list 10 permit aaa.aaa.aaa.6
!
access-list 101 permit gre host aaa.aaa.aaa.1 host xxx.xxx.xxx.xxx

Local router:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 123456 address aaa.aaa.aaa.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map IPSEC_VPN 1 ipsec-isakmp
 set peer aaa.aaa.aaa.1
 set transform-set ESP-3DES-SHA
 match address 101
!
interface Tunnel1
 ip address 10.1.1.2 255.255.255.252
 ip access-group 16 out
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination aaa.aaa.aaa.1
 crypto map IPSEC_VPN
!
!
interface FastEthernet0/0
 description Connection to VLAN 302
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN
!
interface FastEthernet0/1
 description Local LAN
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 ddd.ddd.ddd.ddd
ip route aaa.aaa.aaa.0 255.255.252.0 10.1.1.1
!
!
ip http server
no ip http secure-server
ip nat inside source list 5 interface FastEthernet0/0 overload
!
access-list 5 permit 192.168.3.2
access-list 5 permit 192.168.3.3
access-list 5 permit 192.168.3.4
access-list 5 permit 192.168.3.5
access-list 5 permit 192.168.3.6
access-list 5 permit 192.168.3.7
access-list 16 deny 192.168.3.4
access-list 16 deny 192.168.3.5
access-list 16 deny 192.168.3.6
access-list 16 deny 192.168.3.7
access-list 16 permit any
access-list 101 permit gre host xxx.xxx.xxx.xxx host aaa.aaa.aaa.1

Thanks in advance

Regards


9 Replies

ktwaddell
Level 1

Hi

Have you considered using policy-based routing here? That way you can use the ACLs and point each ACL to 2 different routes!

Kev

Kev,

If the only key to decide about the packet's route is the destination address then I think that using PBR is somewhat of an overshoot. It would certainly work but you can achieve the same thing simply by entering proper entries into a routing table (which is CEF-switched - the PBR is probably not).

Best regards,

Peter

EDIT: I stand corrected about the CEF. Since IOS 12.0, the PBR is supported in the CEF switching path.

Peter,

If the packet route is the single key factor then yes, PBR is a bit over the top; the simple design is normally the best.

Cheers

Kev

Peter Paluch
Cisco Employee

Hi,

I am not going to suggest a particular configuration example right now but only an overview of how it could be done.

I assume that the PCs use a single gateway, and also, that the servers use a single gateway. If it is so then it is the routing table that decides where to forward each packet. One possible solution would be to enter host routes (entries about individual IP addresses with /32 mask) into the routing table so that some entries point to the internet while others point to the tunnel. If the groups of PCs are summarizable using a single subnet then it would be even more efficient, as it would require less entries in the routing table.

Another way to do this would be by using Policy Based Routing.

Best regards,

Peter
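The two suggestions in this thread (Kev's policy-based routing and Peter's host routes) put together as one worked configuration. This is an added example, not configuration from the original post or from either reply. It assumes the addressing shown in the question: local LAN 192.168.3.0/24 behind FastEthernet0/1, tunnel subnet 10.1.1.0/30, remote servers in aaa.aaa.aaa.0/22, and ddd.ddd.ddd.ddd (the existing default-route next hop) as the directly connected Internet next hop on FastEthernet0/0. It further assumes that 192.168.3.2 and .3 are the group that should use the GRE tunnel and 192.168.3.4 to .7 the group that should use the Internet; the ACL and route-map names are made up. The point the example makes explicit: on the local router the choice depends on the source PC, which a destination-only routing table cannot express, so that side needs PBR; on the remote router the choice depends on the destination, so plain host routes are enough.

```cisco
! Added example, not from the original post. Names GROUP_B_TO_SERVERS and
! SPLIT_PATH are assumptions; addresses follow the thread's placeholders.
!
!---- Local router: split by SOURCE address, so use PBR ----
!
! Group B (assumed .4-.7) talking to the remote server block aaa.aaa.aaa.0/22.
! Group A (.2-.3) is deliberately NOT listed: it must not be policy-routed.
ip access-list extended GROUP_B_TO_SERVERS
 permit ip host 192.168.3.4 aaa.aaa.aaa.0 0.0.3.255
 permit ip host 192.168.3.5 aaa.aaa.aaa.0 0.0.3.255
 permit ip host 192.168.3.6 aaa.aaa.aaa.0 0.0.3.255
 permit ip host 192.168.3.7 aaa.aaa.aaa.0 0.0.3.255
!
! Sequence 10 sends group B straight to the Internet next hop (assumed to be
! directly connected on FastEthernet0/0). Anything that matches no sequence,
! i.e. group A, falls through to the ordinary routing table, where the
! existing "ip route aaa.aaa.aaa.0 255.255.252.0 10.1.1.1" already carries
! it into Tunnel1.
route-map SPLIT_PATH permit 10
 match ip address GROUP_B_TO_SERVERS
 set ip next-hop ddd.ddd.ddd.ddd
!
! PBR is applied on the interface the packets ARRIVE on, i.e. the LAN side.
interface FastEthernet0/1
 ip policy route-map SPLIT_PATH
!
! Group B now exits FastEthernet0/0 and is translated by the existing
! "ip nat inside source list 5 interface FastEthernet0/0 overload"
! (access-list 5 already lists .4-.7). The existing "ip access-group 16 out"
! on Tunnel1 stays as a safety net: group B should no longer reach the tunnel,
! and if it ever does, ACL 16 still drops it.
!
!---- Remote router: split by DESTINATION, so host routes are enough ----
!
! Only group A is reachable by its private address across the tunnel. Group B
! is only ever seen as the local router's public address xxx.xxx.xxx.xxx,
! which the default route already covers. Replacing the /24 with /32s keeps
! the rest of 192.168.3.0/24 out of the tunnel.
no ip route 192.168.3.0 255.255.255.0 10.1.1.2
ip route 192.168.3.2 255.255.255.255 10.1.1.2
ip route 192.168.3.3 255.255.255.255 10.1.1.2
!
! The existing "ip nat inside source static 192.168.3.2 aaa.aaa.aaa.2"
! keeps working unchanged: Tunnel1 is still "ip nat inside" and Vlan1
! "ip nat outside", and the /32 above is the return route for that host.
!
! Verification (standard IOS show commands; output not reproduced here):
! show route-map SPLIT_PATH          ! policy match counters rise for group B
! show ip route 192.168.3.2          ! remote side: /32 via 10.1.1.2
! show ip nat translations           ! local side: group B entries on Fa0/0
```

A few practical points. PBR evaluates every packet arriving on FastEthernet0/1, but only packets that match a route-map sequence are redirected; everything else is forwarded normally, which is what keeps group A on the tunnel without any extra configuration. If ddd.ddd.ddd.ddd is not directly connected on FastEthernet0/0, `set ip next-hop` will not take effect and the packet silently follows the routing table (the counters in `show route-map` make this visible). The crypto settings in the posted configuration (3DES, DH group 2, the short pre-shared key) are left untouched by this example; they are far below current practice and are worth revisiting separately from the routing change.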

Ok, I will try to add entries in the routing table.

Just a last question, what are these two commands? I know the second one is to permit IP address aaa.aaa.aaa.1 to access the GRE Tunnel, but what about the first one?

!

ip nat inside source static 192.168.3.2 aaa.aaa.aaa.1

!

access-list 10 permit aaa.aaa.aaa.1

Thanks and regards

Hello,

The first command creates a static NAT translation entry for inside address 192.168.3.2 and maps it to aaa.aaa.aaa.1. So, if that station talks to outside world, it appears as aaa.aaa.aaa.1, and vice versa, if the outside world sends a packet to aaa.aaa.aaa.1, it will be translated and sent to 192.168.3.2.

Best regards,

Peter

But this command is in the remote router and the PC with this address 192.168.3.2 is in the local site, so if this PC talks to the outside world it doesn't go through the remote router to translate its address, it just goes through the local router, doesn't it?

thanks

Hello,

Yes, you are right, the command is on the remote site while the network 192.168.3.0/24 is on the local site.

I do not know for sure what was the intention of the person that configured this, but presently, it works as follows:

On the local router, you can see that there is a static routing entry saying "ip route aaa.aaa.aaa.0 255.255.252.0 10.1.1.1". So, when your local network wants to reach aaa.aaa.aaa.0/22 it will get forwarded to the other site. Now imagine that the machine 192.168.3.2 in your local network wanted to talk to workstation aaa.aaa.aaa.x/22 on the remote site. The packet will be tunnelled to the remote router and now, because the Tunnel interface is configured as NAT inside and Vlan1 as NAT outside, this particular workstation will be NATted as aaa.aaa.aaa.2.

In other words, if the 192.168.3.2 communicates with the network aaa.aaa.aaa.0/22, it will be translated to aaa.aaa.aaa.2. For machines on the remote location, it will appear as a node in their own network.

For other traffic directions, this NAT does not apply.

Best regards,

Peter

Now I understand it.

Thank you for your help.

Best regards.
