Tunnel won't come up unless outside NAT int is denied

When setting up NAT we had problems with the GRE tunnel coming up on an 861. Below is the config before it was working.

interface Tunnel16
 description TUNNEL_TO_HQ
 ip address 10.1.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source X.X.X.X
 tunnel destination Y.Y.Y.Y
!
ip nat inside source list NAT_INTERFACE interface FastEthernet4 overload
ip nat inside source static tcp X.X.X.X 22 interface FastEthernet4 22
ip nat inside source static tcp X.X.X.X 23 interface FastEthernet4 23
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.0.0.0 255.0.0.0 Tunnel16
ip route 172.16.0.0 255.255.0.0 Tunnel16
ip route 192.168.0.0 255.255.0.0 Tunnel16
!
ip access-list extended NAT_INTERFACE
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any

The above config would work on every 861 router we tried that was below 15.0. We applied the above config to a 15.x router and the tunnel would always stay up/down.

We ended up entering the below statement in the access list, which fixed the problem.

ip access-list extended NAT_INTERFACE
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip host X.X.X.X any   ! <-- this is the outside interface address
 permit ip any any

I'm unsure why this is necessary and why it ended up working.
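The NAT_INTERFACE list is consumed by `ip nat inside source list`, so a permit marks traffic as eligible for translation and a deny exempts it. The following evaluator is an added example (not from the post or from Cisco) that replays both versions of the list against a GRE packet sourced from the outside interface address; 203.0.113.10 stands in for X.X.X.X and 198.51.100.20 for Y.Y.Y.Y, both constructed. It shows that the original list classifies the router's own GRE flow as NAT-eligible, while the amended list exempts it and still exempts the tunnelled private prefixes.

```python
"""Cisco-style extended ACL evaluator (first match wins, wildcard masks).

Added example, not from the post. 203.0.113.10 stands in for X.X.X.X (the
router's outside address) and 198.51.100.20 for Y.Y.Y.Y; both are constructed.
In 'ip nat inside source list', permit = eligible for translation, deny = exempt.
"""
import ipaddress
from typing import List, Tuple

OUTSIDE = "203.0.113.10"       # constructed stand-in for X.X.X.X
TUNNEL_DEST = "198.51.100.20"  # constructed stand-in for Y.Y.Y.Y


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b


def _take(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') as (base, wildcard)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'permit|deny ip <src> <dst>' into (action, (src, wc), (dst, wc))."""
    action, _proto, *rest = line.split()
    src, rest = _take(rest)
    dst, _ = _take(rest)
    return action, src, dst


def acl_permits(acl: List[str], src: str, dst: str) -> bool:
    """First matching entry decides; unmatched traffic hits the implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


BEFORE = [  # the post's original NAT_INTERFACE list
    "deny ip any 10.0.0.0 0.255.255.255",
    "deny ip any 172.16.0.0 0.0.255.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit ip any any",
]
AFTER = BEFORE[:3] + [f"deny ip host {OUTSIDE} any", "permit ip any any"]
```

`acl_permits(BEFORE, OUTSIDE, TUNNEL_DEST)` returns True and `acl_permits(AFTER, OUTSIDE, TUNNEL_DEST)` returns False; the evaluator only reproduces the list's classification, not how a given IOS release applies it to router-originated packets.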
