GRE Tunnel through NAT

jrichterkessing
Level 1

I am attempting to build a GRE tunnel running over IPsec through a NAT device, exposing my hub router with a static NAT address. The ISAKMP SA appears to go to QM_IDLE for a little while, but then the tunnel-building process starts again and it goes to MM_NO_STATE while another session goes to QM_IDLE. The EIGRP neighbor never comes up. This works over the Internet to this same public IP address, but not over this MPLS network via the static-NATted address. I think I am missing something really simple but can't put my finger on it.

The hub router has a public IP address that I am NATting to 10.52.254.192 to expose it on an MPLS network; the NAT device is a Checkpoint firewall. The "spoke" router has a private address that is routable end to end. Below are my configs:

**********************************SPOKE ROUTER***************************************************

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 36000


crypto isakmp key <KEY> address 10.52.254.192

interface Tunnel3
bandwidth 1544
ip address 10.48.3.3 255.255.255.0
ip mtu 1400
ip pim sparse-dense-mode
ip nhrp authentication GMACI
ip nhrp map multicast 10.52.254.192
ip nhrp map 10.48.1.1 10.52.254.192
ip nhrp map 10.48.3.1 10.52.254.192
ip nhrp network-id 48003
ip nhrp holdtime 360
ip nhrp nhs 10.48.2.1
ip nhrp cache non-authoritative
delay 1000
shutdown
qos pre-classify
tunnel source GigabitEthernet0/1.500
tunnel destination 10.52.254.192
tunnel key 48003
tunnel protection ipsec profile vpnprof1

interface GigabitEthernet0/1.500
encapsulation dot1Q 500
ip address 10.30.20.254 255.255.255.0

*******************************HUB ROUTER*********************

crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
lifetime 36000

crypto isakmp key <KEY> address 10.30.20.254

interface Tunnel3
bandwidth 45000
ip address 10.48.3.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication GMACI
ip nhrp map multicast dynamic
ip nhrp network-id 48003
ip nhrp holdtime 360
ip nhrp server-only
no ip split-horizon eigrp 1
delay 1000
qos pre-classify
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 48003
tunnel protection ipsec profile vpnprof1
hold-queue 4096 in
ip rsvp bandwidth 20000 1500

interface FastEthernet0/1
*****THIS ADDRESS HAS A STATIC NAT AT THE FW TO 10.52.254.192***********
ip address <PUBLIC-ADDR> 255.255.255.0
crypto map VDM_CMAP_0
hold-queue 1500 in
ip rsvp bandwidth 20000 1500
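As an added consistency check over the two Tunnel3 stanzas above (example code added to this thread, not the poster's configuration or a Cisco tool), the script below parses only the lines a DMVPN spoke/hub pair must agree on and reports where they diverge. The two stanzas are copied from the post into constructed strings, trimmed to the lines that are checked; the hub's public-side interface is not needed for these checks.

```python
import ipaddress
import re

# Constructed strings: the Tunnel3 stanzas from the post above, trimmed to the lines checked here.
SPOKE_TUNNEL = """\
interface Tunnel3
 ip address 10.48.3.3 255.255.255.0
 ip nhrp authentication GMACI
 ip nhrp map multicast 10.52.254.192
 ip nhrp map 10.48.1.1 10.52.254.192
 ip nhrp map 10.48.3.1 10.52.254.192
 ip nhrp network-id 48003
 ip nhrp nhs 10.48.2.1
 shutdown
 tunnel source GigabitEthernet0/1.500
 tunnel destination 10.52.254.192
 tunnel key 48003
"""

HUB_TUNNEL = """\
interface Tunnel3
 ip address 10.48.3.1 255.255.255.0
 ip nhrp authentication GMACI
 ip nhrp map multicast dynamic
 ip nhrp network-id 48003
 ip nhrp server-only
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 48003
"""


def parse_tunnel(text):
    """Pull the settings a spoke/hub pair must agree on out of one interface stanza."""
    cfg = {"nhrp_map": {}, "shutdown": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cfg["iface"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"ip nhrp nhs (\S+)", line):
            cfg["nhs"] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"ip nhrp map (\d\S*) (\S+)", line):  # skips 'map multicast'
            cfg["nhrp_map"][ipaddress.ip_address(m[1])] = ipaddress.ip_address(m[2])
        elif m := re.fullmatch(r"ip nhrp network-id (\d+)", line):
            cfg["network_id"] = int(m[1])
        elif m := re.fullmatch(r"ip nhrp authentication (\S+)", line):
            cfg["nhrp_auth"] = m[1]
        elif m := re.fullmatch(r"tunnel key (\d+)", line):
            cfg["tunnel_key"] = int(m[1])
        elif m := re.fullmatch(r"tunnel destination (\S+)", line):
            cfg["tunnel_dest"] = ipaddress.ip_address(m[1])
        elif line == "shutdown":
            cfg["shutdown"] = True
    return cfg


def check_dmvpn_pair(spoke_text, hub_text):
    """Return a list of findings; an empty list means the two stanzas are consistent."""
    spoke, hub = parse_tunnel(spoke_text), parse_tunnel(hub_text)
    findings = []
    # Values that must be identical on both ends or GRE/NHRP will not even register.
    for key in ("network_id", "nhrp_auth", "tunnel_key"):
        if spoke.get(key) != hub.get(key):
            findings.append(f"{key} differs: spoke={spoke.get(key)} hub={hub.get(key)}")
    if spoke["iface"].network != hub["iface"].network:
        findings.append("tunnel interfaces are not in the same subnet")
    nhs = spoke.get("nhs")
    if nhs is None:
        findings.append("spoke has no 'ip nhrp nhs'")
    else:
        if nhs != hub["iface"].ip:
            findings.append(f"nhs {nhs} is not the hub tunnel address {hub['iface'].ip}")
        if nhs not in spoke["iface"].network:
            findings.append(f"nhs {nhs} lies outside the tunnel subnet {spoke['iface'].network}")
        nbma = spoke["nhrp_map"].get(nhs)
        if nbma is None:
            findings.append(f"nhs {nhs} has no static 'ip nhrp map' to an NBMA address")
        elif nbma != spoke.get("tunnel_dest"):
            findings.append(f"nhs maps to {nbma} but tunnel destination is {spoke.get('tunnel_dest')}")
    if spoke["shutdown"]:
        findings.append("spoke tunnel interface is administratively shut down")
    return findings


if __name__ == "__main__":
    for finding in check_dmvpn_pair(SPOKE_TUNNEL, HUB_TUNNEL):
        print("-", finding)
```

Run against the stanzas as posted, the check flags the next-hop server address (it is neither the hub's tunnel address nor inside the tunnel subnet, and has no static NHRP map) and the `shutdown` line on the spoke tunnel; once those two lines are corrected the list is empty.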

3 Replies

lawchung
Cisco Employee

I see one typo under your spoke configuration.

ip nhrp nhs 10.48.2.1

It should be 'ip nhrp nhs 10.48.3.1'.

As far as I understand, you are doing IPsec encapsulation before you do the NAT, so NAT is actually modifying your IP packet and it would fail when it reaches the recipient on the far end. Here's a good explanation from Cisco on the NAT impact on IPsec:

http://www.cisco.com/web/about/ac123/ac147/ac174/ac182/about_cisco_ipj_archive_article09186a00800c83ec.html

Thanks

Manish
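To make the point of the reply above concrete, the following added example (not from this thread or from Cisco) models the hub emitting an integrity-protected packet, the firewall rewriting its source address to the static NAT address, and the spoke recomputing the integrity check value over what arrived. It uses a toy HMAC-SHA256 ICV and a simplified ESP (no SPI, sequence number or trailer); the hub public address 192.0.2.10 and the key are constructed stand-ins for the redacted address and the IKE-derived key. It goes a step beyond the reply by showing which IPsec mode the rewrite actually breaks: an AH-style ICV covers the addresses and fails after NAT, while an ESP tunnel-mode ICV covers only the inner packet and survives the outer rewrite.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed: stands in for the integrity key both peers derived from IKE.
INTEGRITY_KEY = b"constructed-demo-integrity-key"
# Constructed stand-in for the hub's real public address, which the post redacts.
HUB_PUBLIC = "192.0.2.10"
HUB_NATTED = "10.52.254.192"     # static NAT address from the post
SPOKE_ADDR = "10.30.20.254"      # spoke's Gi0/1.500 address from the post
IPPROTO_ESP, IPPROTO_AH, IPPROTO_GRE = 50, 51, 47


def ip_checksum(data):
    """Standard one's-complement checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def static_nat_source(ip_hdr, new_src):
    """What the firewall does: rewrite the source address and repair the header checksum."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.ip_address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def ah_icv(ip_hdr, payload):
    """AH-style ICV: the IP header is authenticated with only the mutable fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed, so both addresses are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hmac.new(INTEGRITY_KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_payload):
    """ESP-style ICV: covers the ESP payload only, never the outer IP header."""
    return hmac.new(INTEGRITY_KEY, esp_payload, hashlib.sha256).digest()[:12]


def ah_passes_through_nat():
    """Hub authenticates with its real source address, the firewall rewrites it in
    transit, and the spoke recomputes the ICV over the header it actually received."""
    gre = b"constructed GRE payload"
    sent_hdr = ipv4_header(HUB_PUBLIC, SPOKE_ADDR, IPPROTO_AH, len(gre))
    icv = ah_icv(sent_hdr, gre)
    received_hdr = static_nat_source(sent_hdr, HUB_NATTED)
    return hmac.compare_digest(ah_icv(received_hdr, gre), icv)


def esp_tunnel_passes_through_nat():
    """Same rewrite, but the ICV covers only the encapsulated inner packet, which NAT never touches."""
    gre = b"constructed GRE payload"
    inner = ipv4_header("10.48.3.1", "10.48.3.3", IPPROTO_GRE, len(gre)) + gre
    icv = esp_icv(inner)
    outer = ipv4_header(HUB_PUBLIC, SPOKE_ADDR, IPPROTO_ESP, len(inner) + 12)
    static_nat_source(outer, HUB_NATTED)   # outer header changes; inner bytes do not
    return hmac.compare_digest(esp_icv(inner), icv)


if __name__ == "__main__":
    print("AH verifies after NAT:        ", ah_passes_through_nat())
    print("ESP tunnel verifies after NAT:", esp_tunnel_passes_through_nat())
```

The integrity check is only one of the things a 1:1 NAT can upset: whether an ESP tunnel then comes up in practice also depends on the NAT device being able to forward IP protocol 50 (or on NAT-T moving ESP into UDP 4500) and on the IKE identity the hub presents matching the address the spoke keyed its pre-shared key to (10.52.254.192 in the configuration above, while the hub's own interface carries the untranslated public address).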

Thanks to both of you for your help.

I fixed my typo and took IPsec off and it is working fine now. This is going across an MPLS network, so encryption really is not needed.

Thanks again.