laith43d
109 posts

Hi all,

I have a case that I would like to share with you, and I would appreciate your ideas about it.

Network diagram

The case:

  • I have a public IP range segment in the network (Segment A).
  • I have another public IP range segment (Segment B).
  • I would like my local network (Wireless BS) to securely access the Internet through a GRE over IPsec tunnel and use the public range from Segment B.

In other words, the upper cloud is insecure, so the public range is used to access the Internet only to create a tunnel (GRE over IPsec); thus I will actually use the lower cloud to access the Internet. I want to make a VPN tunnel through the upper cloud and use the IP range of the lower cloud to access the Internet.

Basically, 2 public class B ranges (Segment A) will be NATted to 32 IP addresses (Segment B). All clients will access the Internet from Segment B through an IPsec tunnel passing from Segment A to B.

Is GRE over IPsec feasible here? If yes, please give me a hint; if not, please help me find a solution.

Thanks, Laith

Perlhack
4 posts

Hi Laith, if I read your description correctly you want to NAT network A to network B at the "B" router. This could be done with the GRE tunnel interface on Router B as NAT inside, and the egress interface as NAT outside.

Regards, PH

laith43d
109 posts

That is great, thanks Perlhack for your answer.

Well, can I transmit all traffic over an IPsec tunnel, I mean run the GRE tunnel over an IPsec secure tunnel, then NAT it on Router B as you mentioned? I am still stuck on that point!!

Perlhack
4 posts

Yes. We have many customers doing this with a VPN backhaul design.

HTH.

laith43d
109 posts

WOW, that is great, thanks for confirming that. I am working on a LAB; I will soon post the LAB topology as well as all configurations.

HTH.

laith43d
109 posts

@Perlhack, HELP,HELP,HELP,HELP!!

I am stuck at a point where my mind just stopped working :(. I am unable to create the design on the ground; please refer to the diagram and give me your opinion.

Could you please give me a hand and send me a sample server/client configuration, or a P2P GRE-IPsec config that matches your criteria, for me to study?

Thanks, Laith

Perlhack
4 posts

Hi Laith, on router SPOKE_901 there is a default static route going into the DMVPN tunnel, and also a static route pointing to hub router 906's public IP address (without this there will be recursive routing events).

On the 901 spoke side add two static routes.

S 192.168.6.1 [1/0] via 192.168.1.2 ! route to 906 HUB public IP.

S* 0.0.0.0/0 [1/0] via 11.1.1.6 ! default route on 901 SPOKE going through the tunnel.

===============================================

On the DMVPN hub side (906), place the NAT policy.

ip nat inside source list 1 interface Ethernet0/1 overload

906_DIST_SEC1(config-std-nacl)#do sh run | b Tunnel
interface Tunnel0
 description VPN
 bandwidth 10000
 ip address 11.1.1.6 255.255.255.0
 no ip redirects
 ip accounting output-packets
 ip mtu 1400
 ip hello-interval eigrp 777 10
 ip hold-time eigrp 777 40
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 600
 ip nhrp registration timeout 600
 ip nhrp shortcut
 ip nhrp redirect
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 777
 ip summary-address eigrp 777 10.0.0.0 255.255.0.0 5
 load-interval 30
 delay 110
 tunnel source Ethernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile VTI100

interface Ethernet0/1
 description WAN 900 Eth 1/1
 ip address 192.168.6.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

From the 901 spoke router, ping an Internet IP.
SPOKE_901#ping 4.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/24 ms

On the hub, look at the NAT table:
906_DIST_SEC1(config-std-nacl)#do sh ip nat tr | inc icmp
icmp 192.168.6.1:1     11.1.1.1:1         4.4.4.4:1          4.4.4.4:1
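The design Laith described in the opening post (LAN behind Router A, public range of Segment B used for Internet access, traffic carried over GRE inside IPsec across the insecure upper cloud) and the two points Perlhack made (NAT inside on the tunnel interface / NAT outside on the egress interface, plus a host route to the peer so the tunnel endpoint is never learned through the tunnel itself), written out as a complete point-to-point GRE over IPsec pair. This is an added example, not Perlhack's or Laith's own configuration; every address (198.51.100.0/24 for Segment A, 203.0.113.0/24 for Segment B, 10.0.0.0/24 for the LAN, 172.16.0.0/30 for the tunnel), interface name, profile name and the pre-shared key are constructed placeholders and must be replaced with the real values.

```cisco
! ===== Router A (LAN side; WAN sits in the insecure upper cloud, Segment A) =====
! Phase 1 policy (constructed values; tune to your platform and policy)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
!
! Phase 2: transport mode is enough because GRE already provides the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
interface Tunnel0
 description GRE over IPsec to Router B
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROF
!
interface GigabitEthernet0/0
 description WAN, Segment A (insecure upper cloud)
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN (wireless BS)
 ip address 10.0.0.1 255.255.255.0
!
! Host route to the tunnel peer via the WAN next hop. Without it the default
! route below would send the peer address into the tunnel and the tunnel
! would flap (recursive routing), which is the event Perlhack warned about.
ip route 203.0.113.1 255.255.255.255 198.51.100.1
! Everything else from the LAN goes into the tunnel, so it leaves the
! Internet through Router B's public range (Segment B), not Segment A.
ip route 0.0.0.0 0.0.0.0 Tunnel0

! ===== Router B (hub / NAT point; WAN holds the Segment B public range) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 198.51.100.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
interface Tunnel0
 description GRE over IPsec to Router A
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROF
!
interface GigabitEthernet0/0
 description WAN, Segment B (public range used for Internet access)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
! Return route to the LAN behind Router A through the tunnel
ip route 10.0.0.0 255.255.255.0 Tunnel0
! Upstream default route on Segment B (placeholder next hop)
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! Translate only the remote LAN. Keeping the tunnel /30 and the WAN
! subnets out of the ACL avoids rewriting the GRE/IPsec endpoints themselves.
ip access-list standard NAT-SOURCES
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
```

To verify, on Router A `show crypto ipsec sa` should show encaps/decaps counters climbing on the Tunnel0 peer, and on Router B `show ip nat translations` should list 10.0.0.x inside-local addresses mapped to 203.0.113.1, exactly as Perlhack's `sh ip nat tr | inc icmp` output above shows for the DMVPN case. If the Segment B pool is a separate block rather than the WAN interface address, replace the `interface ... overload` clause with an `ip nat pool` and reference that pool instead.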

laith43d
109 posts

More than great, you opened my mind to a new area of VPN technologies.

I will finish the LAB as soon as possible, test various scenarios, and then post them here for the community to take advantage of.

Thanks,
