GRE over IPSec - what to NAT?

Hi,

I'm trying to implement the following:

A GRE tunnel formed between a router with a PIX in front of it, with the PIX then doing VPN IPSec to another router.

I.e: router1 <-- GRE --> pix1 <-- IPSec encapsulated GRE --> router2

Without GRE, just passing normal traffic, the IPsec tunnel is working as expected.

I now need to implement GRE.

My question is how I will have to alter my ACL statements so that traffic is passed over the GRE tunnel.

I have the following but it's not working...

router1:

interface Tunnel0
 ip address 172.16.3.13 255.255.255.252
 tunnel source ge0/0 (the router1 interface connecting to the pix)
 tunnel destination 203.39.0.1 (the public IP of router2)

pix1:

access-list ACLVPN-TO_TEST1 extended permit ip host 172.16.3.13 host 172.16.3.14
access-list ACLNAT-NO_NAT extended permit gre host 172.16.3.13 host 172.16.3.14

router2:

interface Tunnel0
 ip address 172.16.3.14 255.255.255.252
 tunnel source dialer 1 (the router2 interface connecting to the Internet)
 tunnel destination 101.101.0.1 (the public IP of pix1)
!
ip access-list extended ACLNAT-NO_NAT
 deny   ip host 172.16.3.14 host 172.16.3.13
ip access-list extended ACLVPN-TO_TESTFW1
 permit gre host 172.16.3.14 host 172.16.3.13

I think I'm NATing the wrong traffic or screwing up my tunnel source/destination.

Any help appreciated.

Thanks,
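
The following is an added example, not part of the post and not Cisco code: a small Python model of how a firewall in the path classifies GRE traffic. The point it demonstrates is that a crypto ACL or NAT-exemption ACL on pix1 is evaluated against the outer IP header of the GRE packet (protocol 47, from the tunnel source to the tunnel destination), never against the 172.16.3.x addresses configured on the Tunnel0 interfaces, which only appear inside the encapsulated payload. The post does not give router1's ge0/0 address, so a documentation address (192.0.2.10) stands in for it as a constructed placeholder; the ACL parser is a simplified one that handles the host / any / network-mask forms used on the page and treats a network mask the PIX way (subnet mask, not an IOS wildcard).

```python
# Added example (not from the original post): model how a firewall ACL classifies
# GRE-encapsulated traffic. A crypto ACL or NAT-exempt ACL is evaluated against the
# OUTER IP header (protocol 47, tunnel source -> tunnel destination), not against
# the tunnel interface addresses carried inside the GRE payload.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PROTO_NUMBERS = {"gre": 47, "esp": 50, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    proto: int      # IP protocol number of the outer header
    src: str
    dst: str


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches any protocol
    src: str        # CIDR
    dst: str        # CIDR

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.proto == "ip" or PROTO_NUMBERS[self.proto] == pkt.proto
        return (proto_ok
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def _take_addr(toks: List[str]):
    """Consume one address term (host A | any | NET MASK) and return (cidr, remaining tokens)."""
    if toks[0] == "host":
        return f"{toks[1]}/32", toks[2:]
    if toks[0] == "any":
        return "0.0.0.0/0", toks[1:]
    return str(ip_network(f"{toks[0]}/{toks[1]}", strict=False)), toks[2:]


def parse_ace(line: str) -> Ace:
    """Parse a PIX 'access-list NAME extended ...' line or an IOS '(permit|deny) ...' line."""
    toks = line.split()
    if toks[0] == "access-list":            # PIX form: drop the ACL name and 'extended'
        toks = toks[toks.index("extended") + 1:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _take_addr(rest)
    dst, _ = _take_addr(rest)
    return Ace(action, proto, src, dst)


def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First-match semantics; None means the implicit deny at the end of the ACL applies."""
    for ace in acl:
        if ace.matches(pkt):
            return ace
    return None


def gre_outer(tunnel_source_ip: str, tunnel_destination: str) -> Packet:
    """The packet a firewall in the path actually sees once the router has GRE-encapsulated it."""
    return Packet(PROTO_NUMBERS["gre"], tunnel_source_ip, tunnel_destination)


# Addresses from the post. Router1's ge0/0 address is not given there, so a
# documentation address stands in for it (constructed placeholder).
ROUTER1_GE0_0 = "192.0.2.10"
ROUTER2_PUBLIC = "203.39.0.1"
PIX1_PUBLIC = "101.101.0.1"

PIX_CRYPTO_ACL = [parse_ace("access-list ACLVPN-TO_TEST1 extended permit ip host 172.16.3.13 host 172.16.3.14")]
PIX_NAT_EXEMPT = [parse_ace("access-list ACLNAT-NO_NAT extended permit gre host 172.16.3.13 host 172.16.3.14")]


def pix_classifies_outbound_gre() -> dict:
    """Does either pix1 ACL from the post match the GRE packet router1 actually emits?"""
    pkt = gre_outer(ROUTER1_GE0_0, ROUTER2_PUBLIC)
    return {
        "outer_header": (pkt.proto, pkt.src, pkt.dst),
        "crypto_acl_matches": first_match(PIX_CRYPTO_ACL, pkt) is not None,
        "nat_exempt_matches": first_match(PIX_NAT_EXEMPT, pkt) is not None,
    }


def endpoints_consistent(r1_src: str, r1_dst: str, r2_src: str, r2_dst: str) -> bool:
    """Each side's tunnel destination must be the address the other side sources from
    (after any translation between them); otherwise return GRE lands on the wrong box."""
    return r1_dst == r2_src and r2_dst == r1_src


if __name__ == "__main__":
    print(pix_classifies_outbound_gre())
    # router2 tunnels to the PIX's public address, not to router1's ge0/0 address
    print(endpoints_consistent(ROUTER1_GE0_0, ROUTER2_PUBLIC, ROUTER2_PUBLIC, PIX1_PUBLIC))
```

Both ACL checks come back False: the post's entries name the 172.16.3.x tunnel interface addresses, but the outer header the PIX receives carries router1's ge0/0 address and 203.39.0.1 with protocol 47, and the 172.16.3.x addresses never appear in that header. The second check shows the endpoint asymmetry the post's title points at: router2's tunnel destination is the PIX's own public address, so the return GRE packets are addressed to the PIX, not to router1's ge0/0, and something on the PIX has to translate between the two before the tunnel can come up in both directions.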
