Route from VRF to GRE tunnel out a NAT'd WAN link

mtbtrailcarver
Level 1

I've got several internal networks with overlapping IP schemes, so we stuffed each into its own VRF so they could get out our 2911 router and into the outside world. We have a couple of /28s and I can get everyone out onto the internet with each network's traffic NAT'd through its own external IP.

The twist is we're using a cloud service for internet content filtering and we want to build the GREs for that traffic off the router as well. For policy and reporting reasons the tunnels need to originate from their own external IP. I cannot seem to get the tunnels to come up and route to the destination. They show up (as up as a tunnel interface can show) but I can't ping the inside IP of the destination. So I am doing something wrong, but search as I may I can't seem to come up with a solution.

I have been at this piece for about 3 days now and can't seem to crack it. I'm posting a sketch and the relevant parts of the router's config. Anyone with suggestions or questions please chime in. As much as I've taught myself the last couple weeks it apparently isn't enough to bring it all together.

Thanks!

1 Reply

mtbtrailcarver
Level 1

I actually figured this out this morning. There were two issues here.

1. When the tunnel interface needs to be in a VRF, you not only need the "vrf forwarding name" command, you also need the "vrf tunnel name" command. One tells the tunnel which VRF the packets are input from, the other which VRF the packets are output to.

2. To get the NAT to work I actually needed the "ip nat outside" on the tunnel interface as well.
