Thursday, September 20, 2012

GRE Tunnels with NAT Overload CISCO


************************************************************************
SITE1#show run
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 tunnel source 209.165.0.2
 tunnel destination 209.165.1.2
!
interface FastEthernet0/0
 description ISP LINK
 ip address 209.165.0.2 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
router rip
 version 2
 redistribute static
 passive-interface FastEthernet0/0
 network 172.16.0.0
 network 192.168.1.0
 no auto-summary
!
ip nat inside source list ALLOWED_NAT_ADDRESSES interface FastEthernet0/0 overload
ip classless
ip route 172.16.1.0 255.255.255.0 Tunnel0
ip route 209.165.1.0 255.255.255.224 209.165.0.1
no ip http server
ip pim bidir-enable
!
!
ip access-list standard ALLOWED_NAT_ADDRESSES
 permit 192.168.1.0 0.0.0.255
 permit 172.16.1.0 0.0.0.255
!

************************************************************************
SITE2#show run
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 ip nat inside
 tunnel source 209.165.1.2
 tunnel destination 209.165.0.2
!
interface FastEthernet0/0
 ip address 209.165.1.2 255.255.255.224
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
router rip
 version 2
 redistribute static
 passive-interface FastEthernet0/0
 network 172.16.0.0
 network 192.168.2.0
 no auto-summary
!
ip nat inside source list ALLOWED_NAT_ADDRESSES interface FastEthernet0/0 overload
ip classless
ip route 172.16.1.0 255.255.255.0 Tunnel0
ip route 209.165.0.0 255.255.255.224 209.165.1.1
no ip http server
ip pim bidir-enable
!
!
ip access-list standard ALLOWED_NAT_ADDRESSES
 permit 192.168.2.0 0.0.0.255
 permit 172.16.1.0 0.0.0.255
!

************************************************************************
SITE1#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/53/84 ms
SITE1#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/1] via 192.168.1.2, 00:00:13, FastEthernet0/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
     209.165.0.0/27 is subnetted, 1 subnets
C       209.165.0.0 is directly connected, FastEthernet0/0
     209.165.1.0/27 is subnetted, 1 subnets
S       209.165.1.0 [1/0] via 209.165.0.1
C    192.168.1.0/24 is directly connected, FastEthernet0/1
R    192.168.2.0/24 [120/1] via 172.16.1.2, 00:00:06, Tunnel0
SITE1#

************************************************************************
SITE2#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/52/88 ms
SITE2#show ip route
Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
R       1.1.1.1 [120/2] via 172.16.1.1, 00:00:09, Tunnel0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Tunnel0
     209.165.0.0/27 is subnetted, 1 subnets
S       209.165.0.0 [1/0] via 209.165.1.1
     209.165.1.0/27 is subnetted, 1 subnets
C       209.165.1.0 is directly connected, FastEthernet0/0
R    192.168.1.0/24 [120/1] via 172.16.1.1, 00:00:09, Tunnel0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
SITE2#


************************************************************************
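As an added check, not part of the original post, the script below parses trimmed copies of the two configs above and verifies the two things this design depends on: each side's tunnel source is the other side's tunnel destination, and each tunnel destination is covered by a static route that does not itself point at the tunnel (if the destination were learned through Tunnel0, the route would recurse and the tunnel would flap). Only static routes are inspected, which is what the configs rely on here.

```python
import ipaddress
import re

# Trimmed copies of the two running configs shown above (only the lines the checks read).
SITE1_CFG = """interface Tunnel0
 tunnel source 209.165.0.2
 tunnel destination 209.165.1.2
!
ip route 172.16.1.0 255.255.255.0 Tunnel0
ip route 209.165.1.0 255.255.255.224 209.165.0.1
"""
SITE2_CFG = """interface Tunnel0
 tunnel source 209.165.1.2
 tunnel destination 209.165.0.2
!
ip route 172.16.1.0 255.255.255.0 Tunnel0
ip route 209.165.0.0 255.255.255.224 209.165.1.1
"""

def parse_ios(cfg):
    """Extract tunnel endpoints and static routes from IOS 'show run' text."""
    tunnels, routes, cur = {}, [], None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = None                      # a global command ends the interface block
        if m := re.match(r"interface (Tunnel\d+)", line):
            cur = tunnels.setdefault(m.group(1), {})
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
        elif cur is not None and (m := re.match(r" tunnel (source|destination) (\S+)", line)):
            cur[m.group(1)] = m.group(2)    # remember source/destination per tunnel
    return tunnels, routes

def check_tunnel_routing(cfg):
    """Flag a tunnel whose destination has no static route or is routed through itself."""
    tunnels, routes = parse_ios(cfg)
    problems = []
    for name, t in tunnels.items():
        dst = ipaddress.ip_address(t["destination"])
        hits = [(net, nh) for net, nh in routes if dst in net]
        if not hits:
            problems.append(f"{name}: no static route covers {dst}")
        elif max(hits, key=lambda r: r[0].prefixlen)[1] == name:   # longest match wins
            problems.append(f"{name}: {dst} is reached via {name} itself (recursive routing)")
    return problems

def check_endpoint_symmetry(cfg_a, cfg_b, name="Tunnel0"):
    """Each side's tunnel source must be the other side's tunnel destination."""
    a, b = parse_ios(cfg_a)[0][name], parse_ios(cfg_b)[0][name]
    return a["source"] == b["destination"] and a["destination"] == b["source"]
```

Both configs above pass cleanly; pointing the 209.165.1.0/27 route at Tunnel0 instead of the ISP next hop is the recursive case the second check catches.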




2 comments:

  1. Can you do all this with IPsec? I mean a GRE tunnel over IPsec with NAT?

  2. What if the IP address on fa0/0 on both routers assigned by the ISP is dynamic?