
Setting a GRE tunnel between a NAT and a public IP.

jonmo2578
Level 1

Hi everyone.. I have been looking through multiple posts on the forum for similar cases but have not found the answer I'm looking for.. I've been primarily using this thread for guidance. https://community.cisco.com/t5/networking-knowledge-base/setting-up-a-gre-tunnel-ip-nat-gre-and-ipsec/ta-p/4017427

I am trying to set up a GRE tunnel between a Cisco 8300 and a Cisco 3900.. the end game is to set this up securely under an IPsec profile, but for the moment, I am struggling just to get it to work over a standard GRE tunnel between the two routers when there is NAT involved at one end.

See attached diagram for setup and config.

Cisco 8300 <-> ISP router (NAT) <-> Internet <-> Cisco 3900 (Public IP)

Our Cisco 8300 sits behind a NATed ISP router (which gives out 192.168.1.x addresses).

Is it possible to set up a GRE tunnel when there is NAT involved at one end, without putting the ISP router into Bridge Mode? I'm pretty sure I've been able to do this in the past but I'm struggling to make it work in this instance.

The tunnel interfaces are in UP/UP state after I changed the tunnel source (at the Cisco 8300 end) from x.x.x.x to g0/0/2. However, I am unable to ping across the 169.254.0.60/30.

** If I use a public IP on both the Cisco 8300 end (g0/0/2) and the Cisco 3900 end, the GRE tunnel pings across fine (and I'm also able to secure it under an IPsec profile).


You need to add NAT for GRE

I.e.

ip nat inside source gre x.x.x.x x.x.x.x

This static NAT is needed

MHM

Thanks for the reply.. I tried this and still no joy.. due to time constraints, I am gonna put the ISP router into Bridge Mode, however I'm gonna lab this up and try again another time..

I will run a lab and share it here

MHM

Dan Frey
Cisco Employee

I believe your tunnel interfaces may show up/up because GRE keepalives are not enabled in your config. GRE keepalives cannot go through NAT due to the way the keepalive is architected and the tunnel interface will go up/down if the tunnel goes through NAT. If keepalives are disabled the tunnel interface will go up/up but GRE does not use TCP or UDP for transport and cannot survive PAT since there are no ports to translate. To survive PAT, GRE can be encapsulated in IPsec that will detect the translation and add UDP encapsulation on port 4500.
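The "no ports to translate" point from the reply above, as an added example that is not part of the original thread or any Cisco code: a simplified port-overload NAT model in Python, fed a bare GRE packet and a UDP/4500 (NAT-T) packet. The `Pat` class, the 40000 starting port and every address are assumptions made for illustration, and checksums are not recomputed.

```python
import ipaddress
import struct
TCP, UDP, GRE = 6, 17, 47  # IANA IP protocol numbers

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

class Pat:
    """Simplified port-overload NAT: one public IP, flows told apart by L4 port."""
    def __init__(self, public_ip):
        self.public = ipaddress.ip_address(public_ip).packed
        self.table = {}  # public port -> (inside IP, inside port)

    def outbound(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] not in (TCP, UDP):
            return None  # GRE (47) has no port field, so there is nothing to overload
        (sport,) = struct.unpack_from("!H", pkt, ihl)
        pub_port = 40000 + len(self.table)
        self.table[pub_port] = (pkt[12:16], sport)
        out = bytearray(pkt)
        out[12:16] = self.public                    # rewrite source address
        struct.pack_into("!H", out, ihl, pub_port)  # rewrite source port
        return bytes(out)

    def inbound(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] not in (TCP, UDP):
            return None  # no port to look up, so the inside host is unknown
        (dport,) = struct.unpack_from("!H", pkt, ihl + 2)
        if dport not in self.table:
            return None
        inside_ip, inside_port = self.table[dport]
        out = bytearray(pkt)
        out[16:20] = inside_ip                             # restore inside address
        struct.pack_into("!H", out, ihl + 2, inside_port)  # restore inside port
        return bytes(out)

# Constructed sample packets; every address below is a placeholder.
GRE_HDR = struct.pack("!HH", 0, 0x0800) + b"inner-ip-packet"
BARE_GRE = ipv4(GRE, "192.168.1.2", "203.0.113.10", GRE_HDR)
ESP = struct.pack("!II", 0x1000, 1) + b"\x00" * 32  # constructed SPI, sequence, opaque bytes
NATT = ipv4(UDP, "192.168.1.2", "203.0.113.10", udp(4500, 4500, ESP))  # ESP in UDP/4500
```

In this model `Pat("198.51.100.7").outbound(BARE_GRE)` returns `None`, while the same call on `NATT` returns a packet with a translated source address and port that return traffic can be matched against.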
