[c-nsp] Tunnel keepalive in NAT environment problem

Darren Yang pigsign.pykota at gmail.com
Tue Nov 18 07:39:08 EST 2008


Hi,

You are right, the Linux firewall already did the NAT translation.
The GRE tunnel worked OK when I did not configure the "keepalive" command
on the tunnel interface. But when I configure "keepalive", the tunnel
soon shows down status....

Thanks

pigsign



2008/11/18 Varaillon Jean Christophe <j.varaillon at cosmoline.com>:
> Hi,
>
>> The routers can reach each other by ping.
>
> So the routing between the 172.16.1.1 and 1.1.1.1 is working.
>
>> But the problem is that Router01's IP address is private (172.16.1.1) and
>> Router02 will not reply to packets correctly.
>
> Is your firewall allowing GRE traffic to flow between both routers?
> Did you configure your translation statement in your firewall so that GRE
> traffic can be initiated from both sides?
>
> Christophe
>
>
> 2008/11/18 Varaillon Jean Christophe <j.varaillon at cosmoline.com>:
>> Hi
>>
>> For the tunnel to be operational, each router should be able to reach the
>> destination IP of the tunnel from the source IP of the tunnel (extended
>> ping command will help you).
>>
>> When this is done, meaning, ping from IP source of the tunnel to IP
>> destination of the tunnel works, then you can set-up your keepalive
>> functionality.
>>
>> Christophe
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
>> Sent: Tuesday, November 18, 2008 12:23 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>>
>> Hi All,
>>
>> The Cisco GRE tunnel keepalive mechanism must have a public IP
>> on both sites.
>> But I have one router in a NAT environment whose IP address is a
>> private IP address, and the other, outside router has a public IP address, so
>> when I configure "keepalive" on the tunnel interface, the tunnel interface
>> shows the "line protocol down" message directly....
>>
>> Does anyone have an idea about this?
>>
>> Thanks :)
>>
>> pigsign
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/