Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Problem

Hello everyone,

I have done a fair amount of searching on the forums to see if there has been a similar problem/resolution but havent been successful. I hope i descibe my problem well enough but if you need more information please let me know.

My situation is this. Im trying to build a site to site GRE tunnel VPN. I have a c2811 at the Head Office, and a c1811 at the remote site. Head Office has its public IP on its WAN Interface, however the remote site has its public ip NAT'd by its service provider to a private, and its this private address which sits on the c1811 WAN interface. The Head Office 2811 has its destination endpoint for the tunnel to be the remote sites public IP, and its source as its own public IP. But here is where i believe i am having the problem. The remote site has its destination IP as Head Offices public, but its source is its NAT'd private IP, which obviously is different to Head Offices desination. Does each endpoint have to have matching source to desination IP's? Because the tunnel says via "show ip int brief" up / up however no traffic is flowing over the link, and a "show crypto session" says its down. With a "show crypto ipsec sa" on the Head Office c2811 it shows 46 send errors, 0 recieved errors, 0 received in total actually. On the remote sites c1811 it doesnt show any errors, receieved or sent.

The Head Office c2811 has other tunnels to other sites, which dont have NAT'd public IP's which work fine, and im quite confident that there are no firewall rules/acl's which would be blocking the traffic.

I apologise if i havent made myself clear enough. And thank you in advance for any input.

New Member

Re: VPN Problem

Hi Samuel

I think a way around this would be to create a NAT aware IPSEC VPN tunnel between the outside interfaces of the 2811 and 1811 first, and then create a GRE tunnel from the *inside* interfaces of your routers, which runs over the IPSEC tunnel. If you take a look at this document:

...and imagine that the pix in the diagram represents the NATting by your remote-end service provider, it would seem to be a pretty good match with your situation.



CreatePlease login to create content