
GRE Tunnel routing problem

Asked by officeli0n in Routers, VPN
I have 2 networks, with a GRE tunnel joining them. Our issue is pinging across the tunnel between networks. From telnet on router A or router B I can ping either router, the tunnel endpoints, and any host on the remote network.
However, from a host in network A or B I can ping the remote side of the tunnel, but not the router, nor any host on network B. I think that there may be an ACL issue somewhere, but I'm not sure where to look. Would this fall under the internal interface or the external interface? I have posted interface configs and ACLs for the 172.18.2.1 router.
Our overview:
NetA: 172.18.2.1 needs to communicate with NetB: 172.18.3.1
GREA: 172.18.5.1
GREB: 172.18.5.2
Again, from telnet on the NetA router, I can ping any host in the NetB network. Same for the NetB router, but I cannot ping a host in A from B, nor vice versa.
interface Tunnel1
 ip address 172.18.5.2 255.255.255.0
 ip mtu 1420
 tunnel source FastEthernet0/1
 tunnel destination 208.125.212.18
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0
 description ### LAN - Brit ###
 ip address 172.18.2.1 255.255.255.0
 ip access-group 100 in
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ### WAN ###
 ip address 24.213.143.15 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
 
ACL
access-list 100 remark Inbound access list on LAN Interface
access-list 100 remark SDM_ACL Category=17
access-list 100 deny   ip 10.121.1.0 0.0.0.255 any
access-list 100 permit icmp any host 172.18.2.1
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 permit ip any any
access-list 101 remark Inbound access list on Itentive Interface
access-list 101 deny   ip 172.18.2.0 0.0.0.255 any
access-list 101 permit icmp any host 10.121.16.2
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit ip any any
access-list 102 remark Inbound access list on Outside interface
access-list 102 remark SDM_ACL Category=17
access-list 102 permit icmp any any
access-list 102 permit gre host 208.125.212.18 host 24.213.143.15
access-list 102 permit udp host 208.125.212.18 host 24.213.143.15 eq non500-isakmp
access-list 102 permit udp host 208.125.212.18 host 24.213.143.15 eq isakmp
access-list 102 permit esp host 208.125.212.18 host 24.213.143.15
access-list 102 permit ahp host 208.125.212.18 host 24.213.143.15
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.16.77.96 0.0.0.7 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.16.77.96 0.0.0.7 172.16.77.96 0.0.0.7
access-list 102 permit ip 172.16.77.96 0.0.0.7 149.98.213.0 0.0.0.255
access-list 102 permit ip 172.16.77.96 0.0.0.7 10.121.0.0 0.0.255.255
access-list 102 permit udp host 208.125.212.21 host 24.213.143.15 eq non500-isakmp
access-list 102 permit udp host 208.125.212.21 host 24.213.143.15 eq isakmp
access-list 102 permit esp host 208.125.212.21 host 24.213.143.15
access-list 102 permit ahp host 208.125.212.21 host 24.213.143.15
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit udp any host 24.213.143.15 eq non500-isakmp
access-list 102 permit udp any host 24.213.143.15 eq isakmp
access-list 102 permit esp any host 24.213.143.15
access-list 102 permit ahp any host 24.213.143.15
access-list 102 deny   ip 10.121.16.0 0.0.0.255 any
access-list 102 deny   ip 172.18.2.0 0.0.0.255 any
access-list 102 permit icmp any host 24.213.143.15
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
Static Routes:
ip route 172.18.3.0 255.255.255.0 Tunnel1
ip route 172.18.5.0 255.255.255.0 Tunnel1
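
Added example, not part of the original post: a small first-match evaluator for ACL 100 as posted above, showing which entry a given packet hits inbound on the LAN interface. It models only the protocol keyword and source/destination wildcard matching (ports, NAT, `ip inspect`, uRPF and the crypto map are not modeled), and the host addresses used in the demo are constructed.

```python
import ipaddress

# ACL 100 copied from the post above (remark lines omitted).
ACL_100 = """\
access-list 100 deny   ip 10.121.1.0 0.0.0.255 any
access-list 100 permit icmp any host 172.18.2.1
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip host 0.0.0.0 any
access-list 100 permit ip any any
"""

def _addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse(text):
    """Parse numbered extended ACL lines; port qualifiers are ignored."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue  # skips remarks and blank lines
        rest = t[4:]
        src, dst = _addr(rest), _addr(rest)
        rules.append((t[2], t[3], src, dst, line.strip()))
    return rules

def _hit(spec, ip):
    # Wildcard bits set to 1 are "don't care" bits.
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def first_match(rules, proto, src, dst):
    """Return (action, matching line); the ACL ends in an implicit deny."""
    for action, rproto, rsrc, rdst, line in rules:
        if rproto in ("ip", proto) and _hit(rsrc, src) and _hit(rdst, dst):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    # Constructed packet: a NetA host pinging a NetB host.
    print(first_match(parse(ACL_100), "icmp", "172.18.2.10", "172.18.3.10"))
```

Running the same function over each ACL in the path, with the exact source and destination of the failing ping, shows whether an explicit entry or the final deny is what the packet reaches.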
ASKER CERTIFIED SOLUTION
wingatesl