[c-nsp] Tunnel keepalive in NAT environment problem

Darren Yang pigsign.pykota at gmail.com
Tue Nov 18 06:10:40 EST 2008


Hi,

The routers can ping each other.
But I saw the Cisco tunnel keepalive document here:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml#backinfo

And my lab looks like this:
Router01(172.16.1.1)------Linux Firewall(NAT)-----Router02(1.1.1.1)

The Router01 tunnel keepalive mechanism will encapsulate a
"src:1.1.1.1,dst:172.16.1.1" packet to Router02, then Router02 will
decapsulate the packet and send the "src:1.1.1.1,dst:172.16.1.1" packet to
Router01 to assure the tunnel is alive. But the problem is that Router01's
IP address is private (172.16.1.1) and Router02 will not reply to the packet
correctly. So the tunnel interface always shows "line protocol down" when I
configure keepalive.

Thanks

pigsign



2008/11/18 Varaillon Jean Christophe <j.varaillon at cosmoline.com>:
> Hi
>
> For the tunnel to be operational, each router should be able to reach the
> destination IP of the tunnel from the source IP of the tunnel (extended ping
> command will help you).
>
> When this is done, meaning, ping from IP source of the tunnel to IP
> destination of the tunnel works, then you can set up your keepalive
> functionality.
>
> Christophe
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
> Sent: Tuesday, November 18, 2008 12:23 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>
> Hi All,
>
> The Cisco GRE tunnel keepalive mechanism must have a public IP on
> both sites.
> But I have one router in a NAT environment whose IP address is a
> private IP address, and another outside router whose IP address is
> public, so when I configure "keepalive" on the tunnel interface, the
> tunnel interface shows the "line protocol down" message directly....
>
> Does anyone have an idea about this?
>
> Thanks :)
>
> pigsign
>
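
The keepalive path described in the message above, modelled as an added example that is not part of the original thread: it builds the GRE keepalive Router01 sends, applies source NAT to the outer header only, and checks whether the inner packet Router02 decapsulates can be routed back. The firewall address 203.0.113.1, the public address 198.51.100.1, and the rule that Router02 has no route to RFC 1918 space are assumptions made for the illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def gre(proto_type, payload=b""):
    """Basic 4-byte GRE header: no flags, version 0, then protocol type."""
    return struct.pack("!HH", 0, proto_type) + payload

def build_keepalive(local, remote):
    """Keepalive as sent by `local`: the inner packet is addressed back to it."""
    inner = ipv4(remote, local, GRE_PROTO, gre(0))   # inner GRE, protocol type 0
    return ipv4(local, remote, GRE_PROTO, gre(ETHERTYPE_IPV4, inner))

def addrs(pkt):
    """Return (src, dst) of an IPv4 packet as strings."""
    return tuple(str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))

def snat(pkt, public_ip):
    """Source NAT as the firewall applies it: only the outer source changes."""
    return pkt[:12] + ipaddress.IPv4Address(public_ip).packed + pkt[16:]

def decapsulate(pkt):
    """Strip the outer IPv4 and GRE headers; return the inner packet."""
    return pkt[20 + 4:]

def reply_is_routable(inner):
    """Assumption: the far end has no route to RFC 1918 destinations."""
    dst = ipaddress.IPv4Address(addrs(inner)[1])
    return not any(dst in net for net in RFC1918)

def keepalive_survives(local, remote, nat_ip=None):
    """True if the decapsulated keepalive can be forwarded back to `local`."""
    pkt = build_keepalive(local, remote)
    if nat_ip:
        pkt = snat(pkt, nat_ip)
    return reply_is_routable(decapsulate(pkt))

if __name__ == "__main__":
    # Constructed addresses: the lab from the thread, then a public-to-public case.
    print(keepalive_survives("172.16.1.1", "1.1.1.1", nat_ip="203.0.113.1"))
    print(keepalive_survives("198.51.100.1", "1.1.1.1"))
```

The NAT device rewrites the outer source, but the inner destination stays 172.16.1.1, so the returned keepalive never reaches Router01 in this model.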

