
Wednesday 27 June 2012

How do I configure GRE tunnels?


Configuring GRE tunnels on Cisco routers is relatively easy—all it takes is a few simple commands. Here's an example of a simple configuration. Keep in mind that GRE by itself provides no confidentiality or integrity protection, so a tunnel that crosses an untrusted network should be combined with IPsec; also, the 1.1.1.0/24 addresses used for the tunnel interfaces below are publicly routable, so an RFC 1918 or documentation range is a better choice for the tunnel subnet.
Router A:
interface Ethernet0/1
ip address 10.2.2.1 255.255.255.0

interface Serial0/0
ip address 192.168.4.1 255.255.255.0

interface Tunnel0
ip address 1.1.1.2 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.4.2
Router B:
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0

interface Serial0/0
ip address 192.168.4.2 255.255.255.0

interface Tunnel0
ip address 1.1.1.1 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.4.1

Tuesday 12 June 2012

ASA 5505 IPsec Configuration






Here is the configuration of the first ASA 5505; the opposite firewall uses the same configuration with the IP addresses swapped. Two things to keep in mind when reusing it: the `enable password` and `passwd` hashes are printed verbatim (they appear to be the factory-default hashes, and credential hashes should in any case be redacted before a configuration is shared), and the ISAKMP policies and the transform set use 3DES, SHA-1 and DH group 2, which are legacy algorithms—where the software release supports them, AES, SHA-2 and a larger DH group are the better choice.


cisco-1# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname cisco-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
access-list 100 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 192.168.200.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.1.2
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email sendaler@home.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d1fd0b2e66163cb22f8ec19013d3b3c4
: end
cisco-1#

Monday 11 June 2012

NAT Load Balance

Here is a small config I did for NAT load balancing using route maps. Note that with two equal default routes and no route tracking, traffic forwarded toward a next hop that has gone down is not rerouted; adding IP SLA tracking to each static route (as in the HSRP example below) addresses that.









LAN#sh run
Building configuration...

Current configuration : 1272 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LAN
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP2 interface FastEthernet1/1 overload
ip nat inside source route-map isp1 interface FastEthernet1/0 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
route-map isp1 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet1/1
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

PPPoE Configuration for a Cisco Router





!
interface FastEthernet0/1/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXXXXXX password 0 XXXXXX
 no cdp enable


Verify with `show pppoe session` (the session status should be UP) and `show ip interface brief` (the Dialer interface should have obtained an IP address). Note that PAP sends the credentials unencrypted over the PPP link and `password 0` stores them in plain text in the running configuration; use CHAP if the provider supports it, and keep the configuration out of public view.

HSRP with IP SLA Tracking on Two Layer 3 Switches













Here are the configs. One omission worth noting in both: the `standby` groups carry no authentication, so any device on VLAN 1 or VLAN 2 that speaks HSRP with a higher priority can claim the virtual gateway address; configuring `standby <group> authentication md5 key-string <key>` with the same key on both switches closes that gap.


sh run
Building configuration...

Current configuration : 1609 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HSRP_1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
ip source-route
!
!
!
!
ip cef
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
track 1 ip sla 1 reachability
 delay down 10 up 1
!
!
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 1 ip 192.168.1.254
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan2
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 2 ip 192.168.2.254
 standby 2 preempt
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.100 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 10
no ip http server
no ip http secure-server
!
ip nat inside source list WLAN_NAT interface FastEthernet4 overload
!
ip access-list extended WLAN_NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 172.16.0.203
 frequency 10
ip sla schedule 1 life forever start-time now
no cdp run

!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end

HSRP_1#



Here is the HSRP_2 config:


sh running-config
Building configuration...

Current configuration : 1671 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HSRP_2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
ip source-route
!
!
!
ip dhcp pool WLAN_DHCP
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server 172.16.0.1
!
!
ip cef
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
track 1 ip sla 1 reachability
 delay down 10 up 1
!
!
!
interface FastEthernet0
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 1 ip 192.168.1.254
 standby 1 preempt
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 2 ip 192.168.2.254
 standby 2 priority 110
 standby 2 preempt
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.100 track 1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
no ip http server
no ip http secure-server
!
ip nat inside source list WLAN_NAT interface FastEthernet4 overload
!
ip access-list extended WLAN_NAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 172.16.0.201
 frequency 10
ip sla schedule 1 life forever start-time now
no cdp run

!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end

HSRP_2#