RyanG1 (Premium) join:2002-02-10 San Antonio, TX | GRE tunnel behind NAT

I have a GRE tunnel to a Linux slice I run at work for testing, and I have thrown an ASA in front of my previous gateway.
ASA outside is DHCP and ASA inside is on the 192.168.6.248/30 subnet.
1841 outside is on the 192.168.6.248/30 subnet and 1841 inside is on the 192.168.10.0/24 subnet; it is NOT doing NAT, just pushing packets and routing.
tunnel0 on the 1841 is set to use the outside interface as the source and my Linux box on the net as the destination, and the tunnel has an IP of 10.10.10.2/30 (the Linux tunnel interface has a 10.10.10.1/30 IP).
I thought that allowing GRE through the ASA would be sufficient, but it seems the ASA does not want to allow the NAT translation to go through and thus drops the packet.
I have read up on this and it appears that enabling PPTP fixup and inspection can cure the issue, but the problem is I don't use PPTP so the inspection won't occur. The tunnel mode is pure GRE, unencrypted, from the 1841 to the Linux server, and it was working when the 1841 was directly on the net.
I have even attempted creating a loopback interface with the public IP of the ASA and sourcing the tunnel from that IP, with no success.
Thoughts?
---EDIT---
This is the message I get from the debugging:
Jan 07 2012 10:38:25: %ASA-3-305006: regular translation creation failed for protocol 47 src inside:192.168.6.250 dst outside:174.143.x.x
and a packet trace (assuming UDP port 0) is dropped by the ACL.
-- Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams
RyanG1 (Premium) join:2002-02-10 San Antonio, TX | Well, I figured it out... I had to make a static NAT entry to redirect all traffic to the inside router. Works great now =)
static (inside,outside) interface 192.168.6.250
Ryan
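The reason the one-line static entry works, and the interface PAT the ASA uses by default does not, is that GRE (IP protocol 47) carries no transport-layer ports: a port-overloaded dynamic translation has nothing to multiplex on, so the ASA logs %ASA-3-305006 and drops the packet, while a one-to-one static mapping binds the outside address to the 1841 for every protocol. The following is an added configuration example, not Ryan's full config or anything else from the thread. It uses the pre-8.3 syntax of his `static` line; the ACL name `outside_access_in` and the `packet-tracer rawip` form are assumptions, and 174.143.x.x is the masked peer address exactly as it appears in the thread.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, matching the
! "static" line Ryan posted. Names marked ASSUMED are illustrative.
! 174.143.x.x is the masked tunnel peer as written in the thread.

! 1. One-to-one static NAT: the ASA's (DHCP-assigned) outside address is
!    mapped to the 1841's outside interface. Unlike interface PAT this
!    needs no L4 ports, so protocol 47 (GRE) translates in both directions.
static (inside,outside) interface 192.168.6.250 netmask 255.255.255.255

! 2. Inbound ACL on the outside interface: admit GRE from the tunnel peer
!    only, not from any source. (ACL name outside_access_in is ASSUMED.)
access-list outside_access_in extended permit gre host 174.143.x.x any
access-group outside_access_in in interface outside

! 3. Verification. Tracing a raw GRE packet from the peer should now show
!    the NAT and ACL phases as ALLOW, instead of the UDP/port-0 trace that
!    was dropped by the ACL. "rawip" is ASSUMED to be supported by the ASA
!    release in use; otherwise rely on the xlate table and syslog.
packet-tracer input outside rawip 174.143.x.x 47 <asa-outside-ip>
show xlate
show logging | include 305006

! Equivalent on ASA 8.3 and later (object NAT; ACLs then reference the
! real inside address rather than the mapped one).
object network obj-1841-outside
 host 192.168.6.250
 nat (inside,outside) static interface
access-list outside_access_in extended permit gre host 174.143.x.x host 192.168.6.250
```

Two caveats follow from the mapping itself. Mapping the whole interface address to 192.168.6.250 forwards every unsolicited inbound flow to the 1841, not just GRE, which is why the ACL above restricts inbound GRE to the known peer; and the ASA can only hold one such static for its outside address, which matches the "few quirks" Ryan describes below and his decision to make the 1841 the edge device instead.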
TomS_ (Git-r-done, Premium, MVM) join:2002-07-19 London, UK kudos:4 | reply to RyanG1

Unless you can just forward protocol 47, generally the only way to punch a hole through NAT for GRE is to put it inside an IPsec tunnel. IPsec runs over plain IP, so it will be NATed like regular IP traffic, and then your GRE tunnel is encrypted and transported over the top of that.
But it does mean you need to get IPsec working on both ends first. I set this up recently between a friend's place and mine; he has a Cisco sitting behind a router at a share house, and I have a Juniper directly facing the net. It was a bit of a challenge, but we got it working in the end. It also means that we can get away with only having one static end to the tunnel (mine), but his end needs to initiate the IPsec tunnel first.
RyanG1 (Premium) join:2002-02-10 San Antonio, TX | reply to RyanG1

IPsec on my side is no issue... getting it working on Linux, that was a problem. I tried that initially, but it proved to be more time than I was willing to spend.
I also found a few quirks about making a static NAT, so I ended up reversing the devices so that the 1841 is the edge and terminates all the tunnels. It's a double NAT scenario, but I have the port forwards I need set up properly, and so far my roommates have no issues with gaming.
Ryan