Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
473
Views
0
Helpful
2
Replies

GRE tunnel, web not work.

sun_sazanov
Level 1
Level 1

‎05-13-2009 01:13 AM - edited ‎03-06-2019 05:42 AM

Hi.

I have tunnel between 2 office, network services are working well. When I open the internet site, it does not work.

My config:

R1.

crypto isakmp policy 100

authentication pre-share

!

crypto isakmp key 123 address 10.10.255.2

!

crypto ipsec transform-set msk esp-aes esp-sha-hmac

!

crypto ipsec profile Pmsk

set transform-set msk

!

!

interface Tunnel1

ip address 10.10.254.1 255.255.255.252

ip mtu 1500

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1436

ip policy route-map sety

tunnel source Serial0/0/0

tunnel destination 10.10.255.2

tunnel protection ipsec profile Pmsk

!

interface Serial0/0/0

ip address 10.10.255.1 255.255.255.252

ip mask-reply

no ip redirects

no ip unreachables

ip directed-broadcast

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip policy route-map sety

!

ip route 10.10.128.0 255.255.252.0 10.10.254.2

!

ip access-list extended ForSety

deny ip host 10.10.10.41 any

deny tcp host 10.10.10.21 eq 3389 any

deny ip 10.10.101.0 0.0.0.255 any

deny ip host 10.10.10.8 any

deny ip host 10.10.10.253 any

deny ip 10.10.0.0 0.0.127.255 10.10.128.0 0.0.3.255

deny ip 10.10.0.0 0.0.127.255 10.10.132.0 0.0.3.255

deny ip 10.10.128.0 0.0.3.255 10.10.0.0 0.0.127.255

deny ip 10.10.128.0 0.0.3.255 10.10.132.0 0.0.3.255

deny ip 10.10.132.0 0.0.3.255 10.10.0.0 0.0.127.255

deny ip 10.10.132.0 0.0.3.255 10.10.128.0 0.0.3.255

permit ip 10.10.0.0 0.0.255.255 any

!

route-map sety permit 10

match ip address ForSety

set ip next-hop xxx.yyy.zzz.www

________________________________________________

R2

crypto isakmp policy 100

authentication pre-share

crypto isakmp key 123 address 10.10.255.1

!

!

crypto ipsec transform-set msk esp-aes esp-sha-hmac

!

crypto ipsec profile Pmsk

set transform-set msk

!

interface Tunnel1

ip address 10.10.254.2 255.255.255.252

ip mtu 1500

ip tcp adjust-mss 1436

tunnel source Serial0/1/0

tunnel destination 10.10.255.1

tunnel protection ipsec profile Pmsk

!

interface Serial0/1/0

ip address 10.10.255.2 255.255.255.252

!

ip route 0.0.0.0 0.0.0.0 10.10.254.1

You can help me resolve this problemm?

Labels:
0 Helpful
2 Replies 2

AxiomConsulting
Level 1
Level 1

‎05-13-2009 01:59 AM

Hi,

Please ensure that your access-lists allow outbound traffic from the remote network, and also that this network is bein g NATed on your R1 router.

HTH

Steve

0 Helpful

sun_sazanov
Level 1
Level 1
In response to AxiomConsulting

‎05-13-2009 02:57 AM

Acl allow outbound traffic from remote network, and NAT enable. Ping and tracer for internet site working.

if i change:

R1

ip route 10.10.128.0 255.255.252.0 10.10.254.2

on

ip route 10.10.128.0 255.255.252.0 10.10.255.2

---------------------------------------------------------------------

R2

ip route 0.0.0.0 0.0.0.0 10.10.254.1

on

ip route 0.0.0.0 0.0.0.0 10.10.255.1

All work.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card