From: News Reader on 5 May 2008 13:52

Elia Spadoni wrote:
> Hello
>
> here are more data.
>
> C2611 router - atm0/0.1 public wan ex 77.xx.xx.26
> eth0/0 lan 192.168.2.254
>
> interface Tunnel1
> ip address 10.0.0.2 255.255.255.252
> ip mtu 1400
> ip tcp adjust-mss 1360
> keepalive 10 3
> tunnel source ATM0/0.1
> tunnel destination 77.xx.xx.238
> tunnel checksum
> tunnel path-mtu-discovery
>
> HQ:
>
> C2650 - edge router - has on it a /29 IP Range
> atm0/0.1 wan 77.xx.xx.162
> fast0/0 dmz net 172.16.0.11
> loopback0 /29 range of IP 77.xx.xx.233/29
> There is a static nat to 77.xx.xx.238 -> 172.16.0.10
>
> C3620
>
> eth1/0 172.16.0.10 (default route 172.16.0.11)
> eth1/1 192.168.1.254
>
> Here are the confs:
>
> interface Tunnel1
> ip address 10.0.0.1 255.255.255.252
> ip mtu 1400
> ip tcp adjust-mss 1360
> keepalive 10 3
> tunnel source Ethernet1/0
> tunnel destination 77.xx.xx.26
> tunnel checksum
> tunnel path-mtu-discovery

The additional info was helpful, however you didn't clarify which interfaces on the 2650 are being used for NAT. Presumably, atm0/0.1 is your outside NAT interface. Are both F0/0 and Loopback0 NAT inside interfaces? If F0/0 is not a NAT inside interface, I'll have to assume you are taking necessary steps to policy route the GRE tunnel through a NAT inside interface (Loopback0?). Presumably, crypto maps are applied on the atm0/0.1 interfaces of the 2650 and 2611.

The following list is as much for my benefit as yours. It might help identify any misconceptions or configuration deficiencies.

Advertising routes on the 3620 Tunnel 0 interface. Advertisements are sent via the tunnel source interface (3620 e1/0, 172.16.0.10), encapsulated in GRE.

A static route to the tunnel destination (2611 atm0/0.1, 77.xx.xx.26) is desirable on the 3620 to address recursive routing issues.

ip route 77.xx.xx.26 255.255.255.255 172.16.0.11 2

Note: I have never NAT'd a GRE tunnel. I assume it can be done, but have never proven it.
If f0/0 on the 2650 is a NAT inside interface, the source IP (172.16.0.10) in the GRE header is NAT'd (to 77.xx.xx.238) before crypto is applied on atm0/0.1 of the 2650. If f0/0 on the 2650 is NOT a NAT inside interface, I assume Loopback0 is, and that you have taken steps to policy route the GRE tunnel through Loopback0 to receive NAT treatment on the GRE header.

The GRE tunnel is further encapsulated due to the crypto map (permit gre host 77.xx.xx.238 host 77.xx.xx.26) assumed to exist on atm0/0.1 of the 2650.

The 2611 receives the packet(s) on atm0/0.1, de-encapsulates IPSec, de-encapsulates GRE, and processes the original packet(s).

Now for the other side:

Advertising routes on the 2611 Tunnel 0 interface. Advertisements are sent via the tunnel source interface (2611 atm0/0.1, 77.xx.xx.26), encapsulated in GRE. Due to NAT at the other side, the 2611 would be configured with the 3620's e1/0 NAT'd, globally routeable IP as the tunnel destination.

A static route to the tunnel destination (3620 e1/0, 77.xx.xx.238) is desirable on the 2611 to address recursive routing issues.

ip route 77.xx.xx.238 255.255.255.255 <2611's-next-hop-WAN-router-ip> 2

The GRE tunnel is further encapsulated due to the crypto map (permit gre host 77.xx.xx.26 host 77.xx.xx.238) assumed to exist on atm0/0.1 of the 2611.

The 2650 receives the packet(s) on atm0/0.1, de-encapsulates IPSec, NATs the destination IP (77.xx.xx.238) in the GRE header (to 172.16.0.10), then forwards it out f0/0 on the 2650.

The 3620 receives the packet(s) on e1/0, de-encapsulates GRE, and processes the original packet(s).

You might consider "temporarily" removing "tunnel checksum" from the tunnel interface configuration until you get the tunnel to come up. I think it provides integrity checking for passenger protocols, and will drop corrupted packets. If tunnel packets were being dropped currently, I'm not sure what method you would be using to gain visibility into the drops. You could re-introduce the command later.

Best Regards,
News Reader
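The order of operations the reply walks through (inside-to-outside NAT on the GRE header before the crypto map on the 2650, decrypt before outside-to-inside NAT on the return path, and the /32 static route that keeps the 3620's tunnel destination from resolving through the tunnel itself), as an added Python model that is not code from the thread. The masked 77.xx.xx.* octets are replaced with constructed RFC 5737 documentation addresses, and the mirror-image crypto ACLs are assumed exactly as the reply assumes them.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread; the masked 77.xx.xx.* octets are constructed stand-ins.
HQ_3620_E1_0 = "172.16.0.10"    # 3620 tunnel source, private side of the 2650
HQ_GLOBAL = "198.51.100.238"    # static NAT of 172.16.0.10 (stands in for 77.xx.xx.238)
BRANCH_2611 = "198.51.100.26"   # 2611 atm0/0.1 (stands in for 77.xx.xx.26)
STATIC_NAT = {HQ_3620_E1_0: HQ_GLOBAL}
REVERSE_NAT = {v: k for k, v in STATIC_NAT.items()}

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str            # "gre" (tunnel header) or "esp" (after the crypto map)
    payload: object = None

def crypto_acl_match(pkt):
    """Mirror-image crypto ACLs the reply assumes on both atm0/0.1 interfaces:
    'permit gre host <HQ global> host <branch>' and the reverse on the 2611."""
    return pkt.proto == "gre" and {pkt.src, pkt.dst} == {HQ_GLOBAL, BRANCH_2611}

def hq_outbound(gre_pkt, nat_inside):
    """2650, f0/0 -> atm0/0.1: inside->outside NAT is applied before the crypto map."""
    pkt = replace(gre_pkt, src=STATIC_NAT.get(gre_pkt.src, gre_pkt.src)) if nat_inside else gre_pkt
    if not crypto_acl_match(pkt):
        return "cleartext", pkt   # ACL miss: the GRE packet is not protected by IPsec
    return "esp", Pkt(pkt.src, pkt.dst, "esp", pkt)

def hq_inbound(esp_pkt):
    """2650, atm0/0.1 -> f0/0: decrypt first, then outside->inside NAT on the GRE header."""
    gre = esp_pkt.payload
    return replace(gre, dst=REVERSE_NAT.get(gre.dst, gre.dst))

def next_hop(dst, routes):
    """Longest-prefix match; lower admin distance wins a tie. routes: [(prefix, next_hop, ad)]"""
    best = None
    for prefix, nh, ad in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (
                best is None or (net.prefixlen, -ad) > (best[0].prefixlen, -best[2])):
            best = (net, nh, ad)
    return best[1] if best else None

# 3620 RIB: a default learned over the tunnel also covers the tunnel destination,
# so without the /32 static route the tunnel destination recurses through Tunnel1.
LEARNED_OVER_TUNNEL = [("0.0.0.0/0", "Tunnel1", 90)]
STATIC_FIX = [(BRANCH_2611 + "/32", "172.16.0.11", 2)]   # ip route ... 172.16.0.11 2
```

With `nat_inside=False` the un-NAT'd GRE header never matches the crypto ACL and `hq_outbound` returns it as cleartext, which is the failure the reply is probing for; `next_hop(BRANCH_2611, LEARNED_OVER_TUNNEL)` resolves to Tunnel1 until `STATIC_FIX` is added.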