Cisco Support Community
GRE Tunnel Issue through Firewall

Hi everyone, I've got a NAT issue which is not allowing my GRE tunnel to establish over the internet.

The basic rundown is that Site 1 has a /29 subnet (assigned by IANA).

Site 2 has a static IP assigned to the BGAN profile.

Basic rundown of the topology is as follows:

Site 1:

----------

Internet GRE Router --> GRE Router --> Firewall (NAT enabled) --> Internet Modem

Site 2:

----------

BGAN Terminal --> Firewall --> IGRE Router

Originally I had the BGAN set to router mode, which put the BGAN's local interface on a 172.168.200.0/30 network with the external/IANA IP address located on the terminal itself. This wouldn't have worked because you can't (from my understanding) NAT a private address to a private address, i.e. a 192.168.0.0/29 address to a 172.168.200.0/30 address.

I then configured the BGAN in modem mode, which DHCP'd the external IP address to the firewall's external interface.

So now the remote site (Site 2) looks like this:

Gateway/BGAN's IP: 216.x.x.42/30

Ext interface on firewall: 216.x.x.43/30

Int interface on firewall: 192.168.0.25/29

F0/0 on GRE Router: 192.168.0.26/29

F0/1 on GRE Router: 192.168.0.33/29

Encryption Device: 192.168.0.34/29

Site 1 (the central hub) looks like this:

Internet Modem: 217.x.x.249/29

Ext Firewall: 217.x.x.250/29

Int Firewall: 192.168.1.57 /29

F0/0 on GRE Router: 192.168.1.58/29 (secondary address 217.x.x.254)

F0/1 on GRE Router: 217.x.x.250/30

F0/1 on IGRE Router: 217.x.x.249/30

F0/0 on IGRE Router: 192.168.1.65/29

Encryption Device: 192.168.1.66/29

I have the GRE router at Site 1 establishing a tunnel to Site 3 (which isn't documented here because it's working), which is a DMR/point-to-point link. This setup is easy as it's not going through the internet, but through a private satellite setup.

I have the IGRE router at Site 1 establishing a tunnel to Site 3 also, which is the alternate link via the internet. Site 3's IGRE router has an external/IANA-assigned IP address on its firewall-facing interface, which allows the alternate tunnel to come up with ease.

I.e. the alternate tunnel source on Site 1 is its next-hop address .250 (that of the GRE Router);

the alternate tunnel destination is the IANA address on Site 3's firewall-facing interface;

the opposite is configured on Site 3's IGRE router.

The tunnel just works (with a bit of NAT configured on the Site 1 IGRE router, and NAT enabled on Site 1's and Site 3's firewalls).

The question I have is how do I configure Site 2 to be able to communicate and bring up a 2nd tunnel on Site 1's IGRE router? I believe it's a massive NAT juggling game since Site 2 only has one usable IANA external IP address. The NAT for Site 2's firewall is explained below, but I'm unsure how to go about configuring NAT on the IGRE router.

Rules Firewall Site 1

------------------------------

GRE INBOUND: Allow all GRE traffic from external address 216.x.x.43, NAT'd with itself, destined for the external address 217.x.x.250, then port-redirected to the GRE router's address of .59.

Allow all GRE traffic from external address (Site 3's IGRE firewall-facing interface IP), NAT'd with itself, destined for the external address 217.x.x.250, then port-redirected to the GRE router's address of .59.

As you can see, the rules are the same for both locations.

GRE OUTBOUND: Allow all GRE traffic from internal address 192.168.1.59, NAT'd with the external interface of the firewall, destined for the external address 216.x.x.43.

GRE SITE 3 OUTBOUND: Allow all GRE traffic from internal address 192.168.1.59, NAT'd with the external interface of the firewall, destined for the external address of Site 3's IGRE firewall-facing interface.

As you can see, the rules are the same for both locations; the only difference is the site destination.

Rules Firewall Site 2

-------------------------------

Exactly the same as the 3 rules above, but the source and destination addresses are reversed, and the GRE SITE 3 OUTBOUND rule doesn't exist as the first two cover GRE inbound/outbound for the single location.

I would have added the 3rd rule in the event that I needed to establish two tunnels on Site 2's IGRE router.

The GRE Router at Site 1 has a static NAT inbound route: 217.x.x.249/29 -> 192.168.1.59. This is how the traffic passes through to the IGRE Router. ip nat outbound is configured on the F0/0 interface and the ip nat inbound command is configured on F0/1 of the GRE Router. Two-way communication with Site 3 occurs and the tunnel stands up.

My question is, how do I configure NAT both on the firewall at Site 2 and on the IGRE router to establish the 2nd tunnel to Site 1's IGRE Router?

Also, what would the Source and Destination addresses be for the Tunnel interface at Site 2?

I currently have the source IP address as 216.x.x.43

and the destination IP address as 217.x.x.250 (this is based on the existing internet tunnel which is up between Site 1 and Site 3).

I hope this makes sense, and really hope someone has a solution.

*The limitation is that I can only have one static IP assigned per profile on the BGAN, so acquiring more static IPs to configure the IGRE router with one is out of the question.

*Putting the IGRE router in front of the firewall at Site 2 is also out of the question, as it's against our strict security policy.

If anybody can come up with an ingenious solution, please assist, as I'm running out of ideas on how I can get this network to function.

Thank you in advance,

Andrew.

  • LAN Switching and Routing
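The NAT and tunnel-endpoint behaviour the question turns on, as an added example that is not part of the original post and is not vendor configuration: a small Python model of GRE (IP protocol 47) crossing a 1:1 static NAT at each site. It assumes RFC 5737 documentation addresses as stand-ins for the post's public addresses (198.51.100.43 for 216.x.x.43 at Site 2, 203.0.113.250 for 217.x.x.250 at Site 1), keeps the post's inside addresses, collapses the hub's firewall-plus-GRE-router double NAT into a single NAT hop, and models the usual point-to-point GRE rule that a packet is handed to a tunnel only when its outer destination equals the tunnel source and its outer source equals the tunnel destination, with the tunnel source required to be an address the router actually owns. Because GRE carries no layer-4 ports, the firewall keys purely on (source, destination, protocol 47) and permits GRE only to and from the listed peer. Under those assumptions the model shows the address pair that brings the Site 2 tunnel up, that GRE from an unknown peer is dropped at the firewall, and that sourcing the tunnel from a public address the router does not hold is rejected.

```python
"""GRE (IP protocol 47) through 1:1 static NAT at two sites: a model.

Added example for this thread; not code from the original post and not
vendor configuration. Public addresses are RFC 5737 stand-ins (assumed):
198.51.100.43 for the post's 216.x.x.43 (Site 2), 203.0.113.250 for
217.x.x.250 (Site 1). Each site is modelled as one NAT hop (assumption).
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

GRE = 47  # GRE has no layer-4 ports, so NAT must key on (src, dst, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: str


@dataclass(frozen=True)
class Router:
    """GRE tunnel endpoint. tunnel_src must be an address the router owns."""
    name: str
    addresses: FrozenSet[str]
    tunnel_src: str
    tunnel_dst: str

    def encapsulate(self, payload: str) -> Packet:
        if self.tunnel_src not in self.addresses:
            raise ValueError(f"{self.name}: tunnel source {self.tunnel_src} "
                             "is not configured on a local interface")
        return Packet(self.tunnel_src, self.tunnel_dst, GRE, payload)

    def accepts(self, pkt: Packet) -> bool:
        # Point-to-point GRE demultiplexes on the outer (src, dst) pair
        return (pkt.proto == GRE and pkt.dst == self.tunnel_src
                and pkt.src == self.tunnel_dst)


@dataclass(frozen=True)
class Firewall:
    """Static 1:1 NAT between one inside and one outside address; GRE is
    permitted only to/from the listed peer public addresses."""
    name: str
    inside: str
    outside: str
    gre_peers: FrozenSet[str]

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != GRE or pkt.src != self.inside or pkt.dst not in self.gre_peers:
            return None  # dropped: not our GRE endpoint, or not a known peer
        return replace(pkt, src=self.outside)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != GRE or pkt.dst != self.outside or pkt.src not in self.gre_peers:
            return None  # dropped: GRE from an unknown source is refused
        return replace(pkt, dst=self.inside)


SITE2_PUBLIC = "198.51.100.43"  # stand-in for 216.x.x.43
SITE1_PUBLIC = "203.0.113.250"  # stand-in for 217.x.x.250

site2_router = Router("Site2-IGRE", frozenset({"192.168.0.26", "192.168.0.33"}),
                      tunnel_src="192.168.0.26", tunnel_dst=SITE1_PUBLIC)
site2_fw = Firewall("Site2-FW", inside="192.168.0.26", outside=SITE2_PUBLIC,
                    gre_peers=frozenset({SITE1_PUBLIC}))
site1_fw = Firewall("Site1-FW", inside="192.168.1.59", outside=SITE1_PUBLIC,
                    gre_peers=frozenset({SITE2_PUBLIC}))
site1_router = Router("Site1-IGRE", frozenset({"192.168.1.59", "192.168.1.65"}),
                      tunnel_src="192.168.1.59", tunnel_dst=SITE2_PUBLIC)


def deliver(sender: Router, send_fw: Firewall, recv_fw: Firewall,
            receiver: Router, payload: str) -> bool:
    """Encapsulate at sender, NAT out, NAT in at the far site, demux at receiver."""
    on_internet = send_fw.outbound(sender.encapsulate(payload))
    if on_internet is None:
        return False
    at_receiver = recv_fw.inbound(on_internet)
    return at_receiver is not None and receiver.accepts(at_receiver)


def tunnel_is_bidirectional() -> bool:
    return (deliver(site2_router, site2_fw, site1_fw, site1_router, "keepalive")
            and deliver(site1_router, site1_fw, site2_fw, site2_router, "keepalive"))


def stray_gre_is_dropped(src: str) -> bool:
    """GRE arriving at Site 1 from an address that is not a configured peer."""
    return site1_fw.inbound(Packet(src, SITE1_PUBLIC, GRE, "probe")) is None


def public_ip_as_tunnel_source_fails() -> bool:
    """Sourcing the tunnel from the firewall's public address, which the
    router does not own, is rejected when the router tries to encapsulate."""
    misconfigured = replace(site2_router, tunnel_src=SITE2_PUBLIC)
    try:
        misconfigured.encapsulate("keepalive")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("tunnel up both ways:", tunnel_is_bidirectional())
    print("stray GRE dropped:", stray_gre_is_dropped("192.0.2.7"))
    print("public IP as tunnel source rejected:", public_ip_as_tunnel_source_fails())
```

The model makes the security point explicit: GRE itself carries no authentication or confidentiality, so the only thing standing between the tunnel endpoint and arbitrary protocol-47 traffic from the internet is the firewall's 1:1 translation being restricted to the known peer address (plus, in the post's topology, the encryption device sitting behind each GRE router).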