
NetBIOS and VLANs over GRE.

Status
Not open for further replies.

stre1026 (IS-IT--Management), Jul 9, 2001
Hi All -

I have a GRE tunnel between a 2621(non-xm) at my house and a 2621XM router at my office which is encrypted by IPSec. This all works great. Here is where it gets complicated. The 2621(non-xm) is at my house which is my firewall/NAT/VPN/inter-vlan router for 4 VLANs that are on a 2924xl trunked to the 2621 for inter-vlan routing.

What I would like to do is be able to access a few of the VLANs at my house from my office. Currently, the 10.0.0.x network is the only one I can access from my office. Also, to make things even more complicated, how can I allow NetBIOS traffic to flow through the GRE tunnel between my 10.0.0.x network at my house and 10.0.8.x network at my office so I can browse Network Neighborhood? Just so you know, the router at my office is not used as part of my office production network. I just want to be able to access a few servers I have there that host a few websites, Exchange, and SQL from home. Those servers have to stay there because I have a residential internet connection at home and can't host servers.

I've attached the appropriate parts of my configs -

2621(non-xm)

ip multicast-routing
!
crypto isakmp policy 5
authentication pre-share
group 2
crypto isakmp key tremblayonline address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set dmvpnset esp-3des esp-sha-hmac
!
crypto ipsec profile dmvpnprof
set transform-set dmvpnset
!
!
interface Tunnel0
description Dynamic Tunnel
bandwidth 1000
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip directed-broadcast
ip mtu 1416
ip pim sparse-dense-mode
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp map 172.16.0.1 (IP ADDRESS REMOVED)
ip nhrp map multicast (IP ADDRESS REMOVED)
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
no ip route-cache cef
no ip route-cache
ip ospf network broadcast
no ip mroute-cache
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprof
!
interface FastEthernet0/0
ip address dhcp
ip access-group 100 in
no ip unreachables
ip nat outside
ip pim sparse-dense-mode
ip inspect firewall out
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1.1
description Data
encapsulation dot1Q 100
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.2
description VOIP
encapsulation dot1Q 200
ip address 10.0.5.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.3
description FIOS
encapsulation dot1Q 300
ip address 10.0.6.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.4
description Test
encapsulation dot1Q 400
ip address 10.0.7.1 255.255.255.0
ip nat inside
!
router ospf 1
log-adjacency-changes
redistribute connected
network 10.0.0.0 0.0.0.255 area 0
network 172.16.0.0 0.0.0.255 area 0
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 100 deny icmp any any echo
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
access-list 150 deny ip 10.0.0.0 0.0.0.255 10.0.8.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit ip 10.0.5.0 0.0.0.255 any
access-list 150 permit ip 10.0.6.0 0.0.0.255 any
access-list 150 permit ip 10.0.7.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 150
!


2621XM router

ip multicast-routing
!
crypto isakmp policy 5
authentication pre-share
group 2
crypto isakmp key (REMOVED) address 0.0.0.0 0.0.0.0
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto ipsec profile dmvpn
set transform-set vpn
!
!
interface Tunnel0
description Multi-point GRE Tunnel
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1416
ip pim sparse-dense-mode
ip nhrp authentication dmvpn
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
no ip route-cache cef
no ip route-cache
ip ospf network broadcast
no ip mroute-cache
delay 1000
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
description This is the external interface
ip address (IP REMOVED)
no ip unreachables
ip nat outside
ip pim sparse-dense-mode
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 10.0.8.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
router ospf 1
log-adjacency-changes
network 10.0.8.0 0.0.0.255 area 0
network 172.16.0.0 0.0.0.255 area 0
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
access-list 100 permit udp any host (REMOVED) eq isakmp
access-list 100 permit esp any host (REMOVED)
access-list 100 permit gre any host (REMOVED)
access-list 100 deny ip any any
access-list 110 deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.8.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
snmp-server community public RO
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!

Thanks for your help. Please let me know if I missed anything or if you need the config for the switch at my house.

Thanks,
Steve
 
Can you reach all VLANs from a computer attached to 10.0.0.0 at home? I am not sure, but you may need to add OSPF statements at home for the VLAN network addresses. Also, I am not sure of this either, but you may need reverse-route configured (though you seem to NAT through the tunnel, right?).
Posting the switch config would not be needed if you are able to reach all VLANs from the management VLAN at home.

Burt
 
Hi Burt,

Yes, I can reach all the VLANs from the 10.0.0.0 network at my house. I will give your suggestions a go this coming week. As for NAT'ing through the tunnel, I don't believe I am. I have an access-list that stops the NAT process for 10.0.8.0 and 10.0.5.0 before it reaches the tunnel.

Thanks again!
Steve
 
Yes, I see the VoIP VLAN not getting NAT'ted...missed that. Try the reverse-route anyway, just for kicks. I am tired right now, and brain dead, so I could not tell you what effect it may have...the 10.0.8.0 nw is confusing as far as the NAT goes(ip nat inside), but like I said, I need sleep!

Burt
 
Hi Burt,

I added my other networks (5.x and 7.x) to ospf on my home router and voila! I can ping the other networks through my tunnel! Now if only I could browse via My Network Places. Any ideas on that?

Thanks again for all your help on this!
Steve
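The two configuration questions in this thread (which flows the `nonat` route-map hands to NAT, and which interfaces the OSPF `network` statements actually cover) both come down to IOS wildcard-mask matching. The following Python model is an added example of mine, not code from the thread; it takes the interface addresses and the ACL 150 / ACL 110 lines exactly as posted and evaluates them with first-match-wins and an implicit trailing deny. Note that the home router's `redistribute connected` carries no `subnets` keyword, so the /24 VLAN subnets are not redistributed as externals; only the `network` statements bring them into OSPF, which matches what Steve saw once he added 10.0.5.0 and 10.0.7.0. Whether a flow is really translated also depends on it crossing from an `ip nat inside` to an `ip nat outside` interface, which this model does not track; it only shows what the route-map would permit.

```python
import ipaddress

# Constructed from the home-router config posted in the thread: the interface
# addresses that OSPF has to cover before the office can reach each VLAN.
HOME_INTERFACES = {
    "Tunnel0": "172.16.0.2",
    "FastEthernet0/1.1": "10.0.0.1",   # Data
    "FastEthernet0/1.2": "10.0.5.1",   # VOIP
    "FastEthernet0/1.3": "10.0.6.1",   # FIOS
    "FastEthernet0/1.4": "10.0.7.1",   # Test
}

# The NAT-exemption ACLs as posted ('route-map nonat permit 10' matches them).
HOME_NONAT_ACL = [
    "access-list 150 deny ip 10.0.0.0 0.0.0.255 10.0.8.0 0.0.0.255",
    "access-list 150 permit ip 10.0.0.0 0.0.0.255 any",
    "access-list 150 permit ip 10.0.5.0 0.0.0.255 any",
    "access-list 150 permit ip 10.0.6.0 0.0.0.255 any",
    "access-list 150 permit ip 10.0.7.0 0.0.0.255 any",
]
OFFICE_NONAT_ACL = [
    "access-list 110 deny ip 10.0.8.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 110 deny ip 10.0.5.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 110 permit ip 10.0.8.0 0.0.0.255 any",
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' (the only form the thread uses)."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled here")
    src, rest = _parse_addr(tokens[4:])
    dst, _ = _parse_addr(rest)
    return action, src, dst


def evaluate_acl(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def nat_applies(nonat_acl, src: str, dst: str) -> bool:
    """'ip nat inside source route-map nonat ...' translates a flow only when the
    route-map permits it, i.e. when the matched ACL *permits* the flow. Flows the
    ACL denies fall through the route-map and leave untranslated."""
    return evaluate_acl(nonat_acl, src, dst) == "permit"


def ospf_covered(interfaces, network_statements):
    """An interface joins OSPF when its address matches some
    'network A.B.C.D W.W.W.W area 0' statement. Returns {interface: bool}."""
    return {
        name: any(wildcard_match(addr, net, wc) for net, wc in network_statements)
        for name, addr in interfaces.items()
    }


if __name__ == "__main__":
    before = [("10.0.0.0", "0.0.0.255"), ("172.16.0.0", "0.0.0.255")]
    after = before + [("10.0.5.0", "0.0.0.255"), ("10.0.7.0", "0.0.0.255")]
    print("OSPF coverage as posted:", ospf_covered(HOME_INTERFACES, before))
    print("OSPF coverage after fix:", ospf_covered(HOME_INTERFACES, after))
    for src, dst in [("10.0.0.5", "10.0.8.10"), ("10.0.5.5", "10.0.8.10"), ("10.0.0.5", "203.0.113.7")]:
        print(f"home   {src} -> {dst} handed to NAT: {nat_applies(HOME_NONAT_ACL, src, dst)}")
    for src, dst in [("10.0.8.5", "10.0.0.5"), ("10.0.8.5", "10.0.5.5")]:
        print(f"office {src} -> {dst} handed to NAT: {nat_applies(OFFICE_NONAT_ACL, src, dst)}")
```

Running it shows the gap Burt was circling: on the home side only 10.0.0.x to 10.0.8.x is exempt, so VoIP/FIOS/Test traffic bound for the office still matches the `nonat` route-map, and on the office side the `deny ip 10.0.5.0 ... 10.0.0.0` line can never match a packet that originates on 10.0.8.0/24, so office traffic to the 10.0.5.x VLAN is permitted by ACL 110 and therefore eligible for translation.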
 
NetBIOS is a broadcast and won't traverse a layer 3 interface unless you configure your interface to do directed broadcast. You would be better off merely mapping the needed drives. If it is an AD environment you could always add your machine to the domain or configure WINS.
 
Hi brianinms,

I did allow directed-broadcasts on the tunnel. That's where I would do that, correct?

Thanks!
Steve
 
I would assume so, yes, but I have never tried it so I can't say that it would work.
 
Hello
Have you tried the "ip helper-address" command? This will forward 7 broadcast types including NetBIOS. I have never tried it on a VPN tunnel, but logically it looks like it could work.
Once turned on, you can then turn off the other 6 broadcast types that you don't need.
Regards
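To make the last few replies concrete, here is a small Python model of how an IOS router handles a NetBIOS broadcast under `ip helper-address` and `ip directed-broadcast`. It is an added example of mine, not code from the thread, and it uses the 10.0.0.0/24, 10.0.8.0/24 and 172.16.0.0/24 subnets from the posted configs. Assumptions: the helper target (either the office subnet broadcast `10.0.8.255` or a hypothetical WINS server at `10.0.8.20`), and the set of UDP ports forwarded by default, which I have taken from Cisco documentation as I recall it and which should be checked against the IOS release in use. The model separates the two decisions: the helper rewrite happens on the ingress LAN interface (home FastEthernet0/1.1), while `ip directed-broadcast` is consulted on the interface that owns the target subnet (office FastEthernet0/1), so enabling it on the home Tunnel0 has no effect on this flow. Pointing the helper at a WINS server instead of a broadcast address avoids directed broadcasts altogether, which is the safer choice given that IOS disables them by default.

```python
import ipaddress
from dataclasses import dataclass, field

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
NETBIOS_NS, NETBIOS_DGM = 137, 138   # NetBIOS name service / datagram service

# UDP ports an IOS router forwards once 'ip helper-address' is configured.
# Assumption: Cisco-documented defaults as I remember them (TFTP, DNS, Time,
# TACACS, BOOTP server and client, NetBIOS NS and DGM); verify for your release.
DEFAULT_FORWARDED_UDP_PORTS = {69, 53, 37, 49, 67, 68, NETBIOS_NS, NETBIOS_DGM}


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network                        # subnet the interface serves
    helper_addresses: list = field(default_factory=list)  # 'ip helper-address ...'
    directed_broadcast: bool = False                      # 'ip directed-broadcast' (off by default)


@dataclass
class Router:
    name: str
    interfaces: dict                                      # name -> Interface
    forwarded_udp_ports: set = field(default_factory=lambda: set(DEFAULT_FORWARDED_UDP_PORTS))

    def connected_interface(self, dst: ipaddress.IPv4Address):
        for intf in self.interfaces.values():
            if dst in intf.network:
                return intf
        return None


def ingress(router: Router, ingress_name: str, dst: str, dport: int):
    """A UDP datagram from a host arrives on an interface. Returns ('unicast', dst)
    for ordinary traffic, ('forwarded', [helpers]) when the helper-address rewrite
    applies, or ('dropped', reason)."""
    intf = router.interfaces[ingress_name]
    dst_ip = ipaddress.IPv4Address(dst)
    if dst_ip not in (LIMITED_BROADCAST, intf.network.broadcast_address):
        return ("unicast", dst)                 # routed normally, no rewrite
    if not intf.helper_addresses:
        return ("dropped", f"broadcast with no ip helper-address on {intf.name}")
    if dport not in router.forwarded_udp_ports:
        return ("dropped", f"udp/{dport} is not a forwarded protocol")
    # Destination is rewritten to each helper and the copy is routed as unicast.
    return ("forwarded", list(intf.helper_addresses))


def egress(router: Router, dst: str):
    """The router that owns the destination subnet decides what happens to the
    rewritten copy. A helper aimed at a subnet broadcast address only works if
    that router's LAN interface has 'ip directed-broadcast' enabled."""
    dst_ip = ipaddress.IPv4Address(dst)
    intf = router.connected_interface(dst_ip)
    if intf is None:
        return ("routed", "not a connected subnet here, forwarded on")
    if dst_ip == intf.network.broadcast_address:
        if intf.directed_broadcast:
            return ("broadcast", intf.name)
        return ("dropped", f"ip directed-broadcast is disabled on {intf.name}")
    return ("delivered", intf.name)


def trace_home_to_office(home: Router, office: Router, dport: int = NETBIOS_NS):
    """Follow a NetBIOS broadcast from the home Data VLAN to the office LAN."""
    step1 = ingress(home, "FastEthernet0/1.1", "255.255.255.255", dport)
    if step1[0] != "forwarded":
        return step1
    return egress(office, step1[1][0])      # first helper copy, the one aimed at the office


def build_topology(helper, office_directed_broadcast, home_tunnel_directed_broadcast=True):
    """Subnets from the posted configs; the helper target is an assumption."""
    home = Router("2621", {
        "Tunnel0": Interface("Tunnel0", ipaddress.IPv4Network("172.16.0.0/24"),
                             directed_broadcast=home_tunnel_directed_broadcast),
        "FastEthernet0/1.1": Interface("FastEthernet0/1.1", ipaddress.IPv4Network("10.0.0.0/24"),
                                       helper_addresses=[helper] if helper else []),
    })
    office = Router("2621XM", {
        "Tunnel0": Interface("Tunnel0", ipaddress.IPv4Network("172.16.0.0/24")),
        "FastEthernet0/1": Interface("FastEthernet0/1", ipaddress.IPv4Network("10.0.8.0/24"),
                                     directed_broadcast=office_directed_broadcast),
    })
    return home, office


if __name__ == "__main__":
    for helper, office_db in [(None, False), ("10.0.8.255", False), ("10.0.8.255", True), ("10.0.8.20", False)]:
        home, office = build_topology(helper, office_db)
        print(f"helper={helper!s:11} office directed-broadcast={office_db!s:5} ->",
              trace_home_to_office(home, office))
```

The trace with `helper="10.0.8.255"` and `office_directed_broadcast=False` is the situation the thread ends in: the home Tunnel0 has directed broadcast on, but the copy dies on the office router because its FastEthernet0/1 does not.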

 