
New Member

1721 to 1721 Tunnel with GRE - not working

Hi all. I have set up a tunnel between 2x 1721s via ADSL links. The Tunnel interface is showing as up but I cannot ping the Tunnel interface IP address at each end, only the WAN port address. My configs are below and any help would be greatly appreciated.

I am trying to route IPX via the GRE tunnels. The IP address allocated to Dialer3 is static in both routers' cases.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FNN1610023279
!
enable secret 5 $1$vfil$1eG/DsTJAHCZGriJng3Qo0
!
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ipx routing 000b.462d.83e9
!
!
crypto isakmp policy 45
 hash md5
 authentication pre-share
crypto isakmp key sa7384 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ORCHESTRA esp-des esp-md5-hmac
 mode transport
!
crypto map GRE 50 ipsec-isakmp
 set peer 203.55.143.17
 set transform-set ORCHESTRA
 match address 104
!
!
!
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface Tunnel0
 ip address 192.168.31.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 ipx network 116
 tunnel source Dialer3
 tunnel destination 203.55.143.17
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 no fair-queue
 hold-queue 224 in
!
interface ATM0.3 point-to-point
 description Internet Network
 pvc 1/34
  ubr 128
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet0
 description FNN1610023279 LAN
 ip address 203.35.19.66 255.255.255.192
 ip nat inside
 ip route-cache policy
 ip policy route-map nonat
 no keepalive
 speed auto
 ipx encapsulation SAP
 ipx network 102
!
interface Dialer3
 description Internet Network
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 3
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 01610023279C@KATI2001
 ppp chap password 7 071C0048690A4D2C10
!
router eigrp 10
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool ultimo 203.55.143.10 203.55.143.14 netmask 255.255.255.240
ip nat inside source list 122 pool ultimo overload
ip nat inside source static 203.35.19.66 203.55.143.1 extendable
ip nat inside source static 203.35.19.77 203.55.143.2 extendable
ip nat inside source static 192.168.20.1 203.55.143.3
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 10.20.0.0 255.255.0.0 203.35.19.67
ip route 192.168.21.0 255.255.255.0 Tunnel0
ip route 203.35.19.128 255.255.255.192 203.35.19.65
ip route 203.35.19.192 255.255.255.192 203.35.19.65
ip route 203.35.76.0 255.255.255.192 203.35.19.65
ip route 203.35.76.64 255.255.255.192 203.35.19.65
ip route 203.35.76.128 255.255.255.192 203.35.19.65
no ip http server
!
!
access-list 101 remark permit selected traffic
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 203.55.143.1 eq telnet
access-list 102 remark Deny private RFC reserved IP addresses.
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
access-list 104 permit gre host 203.55.143.1 host 203.55.143.17
access-list 110 remark Ethernet Inbound
access-list 110 permit ip any any
access-list 120 remark Ethernet Outbound
access-list 120 permit ip any any
access-list 122 deny ip 203.35.0.0 0.0.255.255 200.200.0.0 0.0.255.255
access-list 122 permit ip 203.35.0.0 0.0.255.255 any
access-list 123 permit ip 203.35.0.0 0.0.255.255 200.200.0.0 0.0.255.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
!
route-map nonat permit 50
 match ip address 123
 set ip next-hop 192.168.20.2
!

Router 2

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname FNN1610023271
!
enable secret 5 $1$E.Q/$sinzkYrD2jn.tp/E0EKtt/
!
ip subnet-zero
!
!
no ip domain lookup
ip dhcp excluded-address 200.200.1.1 200.200.1.50
!
ip dhcp pool 203.35.19.64
   network 200.200.1.0 255.255.255.0
   default-router 200.200.1.254
   dns-server 203.35.19.84 192.189.54.33
   domain-name symphony.net.au
   lease 0 1
!
ip audit notify log
ip audit po max-events 100
ipx routing 000b.462d.83e7
!
!
crypto isakmp policy 45
 hash md5
 authentication pre-share
crypto isakmp key sa7384 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ORCHESTRA esp-des esp-md5-hmac
 mode transport
!
crypto map GRE 50 ipsec-isakmp
 set peer 203.55.143.1
 set transform-set ORCHESTRA
 match address 104
!
!
!
!
interface Loopback0
 ip address 192.168.21.1 255.255.255.0
!
interface Tunnel0
 ip address 192.168.31.2 255.255.255.0
 ipx network 116
 tunnel source Dialer3
 tunnel destination 203.55.143.1
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 no fair-queue
 hold-queue 224 in
!
interface ATM0.3 point-to-point
 description Internet Network
 pvc 1/34
  ubr 128
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet0
 description FNN1610023271 LAN
 ip address 200.200.1.254 255.255.0.0
 ip nat inside
 ip route-cache policy
 ip policy route-map nonat
 no keepalive
 speed auto
 ipx encapsulation SAP
 ipx network 316
!
interface Dialer3
 description Internet Network
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 3
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 01610023271C@KATI2001
 ppp chap password 7 06351C746E56303536
!
router eigrp 10
 network 192.168.0.0 0.0.255.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool sso 203.55.143.28 203.55.143.28 netmask 255.255.255.240
ip nat inside source list 122 pool sso overload
ip nat inside source static 200.200.1.254 203.55.143.17 extendable
ip nat inside source static 200.200.1.15 203.55.143.18 extendable
ip nat inside source static 200.200.1.3 203.55.143.19 extendable
ip nat inside source static 200.200.1.5 203.55.143.20 extendable
ip nat inside source static 200.200.1.7 203.55.143.21 extendable
ip nat inside source static 200.200.1.9 203.55.143.22 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 192.168.1.0 255.255.255.0 200.200.1.2
ip route 203.35.19.0 255.255.255.0 203.55.143.1
no ip http server
!
!
access-list 101 remark permit selected traffic
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any eq domain
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any eq ftp-data any gt 1023
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 203.55.143.17 eq telnet
access-list 102 remark Deny private RFC reserved IP addresses.
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
access-list 104 permit gre host 203.55.143.17 host 203.55.143.1
access-list 110 remark Ethernet Inbound
access-list 110 permit ip any any
access-list 120 remark Ethernet Outbound
access-list 120 permit ip any any
access-list 122 deny ip 200.200.0.0 0.0.255.255 203.35.19.64 0.0.0.63
access-list 122 permit ip 200.200.0.0 0.0.255.255 any
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 123 permit ip 200.200.0.0 0.0.255.255 203.35.19.0 0.0.0.255
access-list 1001 deny FFFFFFFF 7
access-list 1001 deny FFFFFFFF 47
access-list 1001 deny FFFFFFFF A1
access-list 1001 deny FFFFFFFF 112
access-list 1001 deny FFFFFFFF 1CB
access-list 1001 deny FFFFFFFF 30C
access-list 1001 permit FFFFFFFF
access-list 1002 deny FFFFFFFF A1
access-list 1002 deny FFFFFFFF 1CB
access-list 1002 permit FFFFFFFF
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
!
route-map nonat permit 50
 match ip address 123
 set ip next-hop 192.168.21.2
!

All advice greatly appreciated!

Geoff

3 REPLIES
New Member

Re: 1721 to 1721 Tunnel with GRE - not working

Does it work if you remove the static NAT that uses the IP address of the outside interface/GRE/IPSec source? E.g.:

no ip nat inside source static 203.35.19.66 203.55.143.1 extendable

no ip nat inside source static 200.200.1.254 203.55.143.17 extendable

New Member

Re: 1721 to 1721 Tunnel with GRE - not working

Thank you very much,

I can NAT to the loopback for external access and it all works fine.

Geoff

New Member

Re: 1721 to 1721 Tunnel with GRE - not working

Try applying your crypto map to the dialer interface as well as the tunnel interface.
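Added example, not part of any poster's message: a small Python audit for the two points raised in the replies (a static NAT entry whose global address is also the router's own GRE/IPsec endpoint, and a crypto map that is defined but referenced by no interface), going slightly beyond the thread by also flagging the wildcard pre-shared key and the DES/MD5 transform visible in the posted configs. The sample config is a constructed, trimmed version of the first router's with a placeholder key; `audit` and the check names are assumptions of this example.

```python
import re

# Constructed sample: trimmed to the shape of the first router's config, placeholder key.
SAMPLE = """\
crypto isakmp key EXAMPLEKEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ORCHESTRA esp-des esp-md5-hmac
crypto map GRE 50 ipsec-isakmp
 set peer 203.55.143.17
 match address 104
interface Tunnel0
 tunnel source Dialer3
 tunnel destination 203.55.143.17
interface Dialer3
 ip nat outside
ip nat inside source static 203.35.19.66 203.55.143.1 extendable
ip nat inside source static 192.168.20.1 203.55.143.3
access-list 104 permit gre host 203.55.143.1 host 203.55.143.17
"""

WEAK = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}  # single DES, MD5-based integrity

def audit(config):
    """Return a sorted list of (check, detail) findings for one IOS config."""
    lines = [l.strip() for l in config.splitlines()]
    found = set()
    # Local tunnel endpoints: the source host of each 'permit gre host A host B' entry.
    local = {m.group(1) for l in lines
             if (m := re.match(r"access-list \d+ permit gre host (\S+) host \S+", l))}
    for l in lines:
        m = re.match(r"ip nat inside source static (\S+) (\S+)", l)
        if m and m.group(2) in local:       # global address is also the GRE source
            found.add(("nat-on-tunnel-endpoint", m.group(2)))
        # A key bound to 0.0.0.0 is accepted from any peer address.
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", l):
            found.add(("wildcard-psk", "0.0.0.0"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", l)
        if m:
            found.update(("weak-transform", f"{m.group(1)}:{t}")
                         for t in m.group(2).split() if t in WEAK)
    # Definitions carry a sequence number; interface references are the bare name.
    defined = {m.group(1) for l in lines
               if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", l))}
    applied = {m.group(1) for l in lines if (m := re.match(r"crypto map (\S+)$", l))}
    found.update(("crypto-map-not-applied", n) for n in defined - applied)
    return sorted(found)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```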
