Cisco Support Community

GRE tunnel, web not work.

Hi.

I have a tunnel between 2 offices, and network services are working well. When I open an internet site, it does not work.

My config:

R1.

crypto isakmp policy 100

authentication pre-share

!

crypto isakmp key 123 address 10.10.255.2

!

crypto ipsec transform-set msk esp-aes esp-sha-hmac

!

crypto ipsec profile Pmsk

set transform-set msk

!

!

interface Tunnel1

ip address 10.10.254.1 255.255.255.252

ip mtu 1500

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1436

ip policy route-map sety

tunnel source Serial0/0/0

tunnel destination 10.10.255.2

tunnel protection ipsec profile Pmsk

!

interface Serial0/0/0

ip address 10.10.255.1 255.255.255.252

ip mask-reply

no ip redirects

no ip unreachables

ip directed-broadcast

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip policy route-map sety

!

ip route 10.10.128.0 255.255.252.0 10.10.254.2

!

ip access-list extended ForSety

deny ip host 10.10.10.41 any

deny tcp host 10.10.10.21 eq 3389 any

deny ip 10.10.101.0 0.0.0.255 any

deny ip host 10.10.10.8 any

deny ip host 10.10.10.253 any

deny ip 10.10.0.0 0.0.127.255 10.10.128.0 0.0.3.255

deny ip 10.10.0.0 0.0.127.255 10.10.132.0 0.0.3.255

deny ip 10.10.128.0 0.0.3.255 10.10.0.0 0.0.127.255

deny ip 10.10.128.0 0.0.3.255 10.10.132.0 0.0.3.255

deny ip 10.10.132.0 0.0.3.255 10.10.0.0 0.0.127.255

deny ip 10.10.132.0 0.0.3.255 10.10.128.0 0.0.3.255

permit ip 10.10.0.0 0.0.255.255 any

!

route-map sety permit 10

match ip address ForSety

set ip next-hop xxx.yyy.zzz.www

________________________________________________

R2

crypto isakmp policy 100

authentication pre-share

crypto isakmp key 123 address 10.10.255.1

!

!

crypto ipsec transform-set msk esp-aes esp-sha-hmac

!

crypto ipsec profile Pmsk

set transform-set msk

!

interface Tunnel1

ip address 10.10.254.2 255.255.255.252

ip mtu 1500

ip tcp adjust-mss 1436

tunnel source Serial0/1/0

tunnel destination 10.10.255.1

tunnel protection ipsec profile Pmsk

!

interface Serial0/1/0

ip address 10.10.255.2 255.255.255.252

!

ip route 0.0.0.0 0.0.0.0 10.10.254.1

Can you help me resolve this problem?


Re: GRE tunnel, web not work.

Hi,

Please ensure that your access-lists allow outbound traffic from the remote network, and also that this network is being NATed on your R1 router.

HTH

Steve


Re: GRE tunnel, web not work.

The ACL allows outbound traffic from the remote network, and NAT is enabled. Ping and traceroute to the internet site are working.

If I change:

R1

ip route 10.10.128.0 255.255.252.0 10.10.254.2

to

ip route 10.10.128.0 255.255.252.0 10.10.255.2

---------------------------------------------------------------------

R2

ip route 0.0.0.0 0.0.0.0 10.10.254.1

to

ip route 0.0.0.0 0.0.0.0 10.10.255.1

Everything works.
