NAT over GRE tunnels - advice please ...

Unanswered Question
Jul 2nd, 2008


I have a number of remote sites to manage that have internet connections (based on DSL and 877 routers).

Connectivity from the remote router LANs back to HQ LAN is implemented via a standard IPSEC/GRE tunnel solution.

Provided each remote site has a unique LAN subnet then all works well.






**The problem

I have no choice but to redefine all remote sites with the same LAN IP address (due to 3rd party insistence).

Therefore - I need to NAT each remote site to a unique subnet from an HQ perspective (through the GRE tunnel):

HQ perspective <--NAT via GRE--> Remote1 <--NAT via GRE--> Remote2 <--NAT via GRE--> Remote3

The challenge is to achieve this within one router, whilst not disturbing normal NAT action from the remote LAN to the internet.

** Summary

Please can anybody provide me with some directions on how to modify a standard IPSEC/GRE tunnel solution -- which will NAT the remote LAN address space from the local LAN address perspective?


Julian Fletcher

Birmingham, UK
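One way the split described in the question could be expressed on the remote 877, added here as an illustration and not taken from the thread or from any Cisco document. The interface names, the mandated site LAN 192.168.1.0/24, the 10.10.1.0/24 alias that HQ would see for this site, the 10.0.0.0/8 HQ range and the HQ tunnel endpoint are all assumed placeholders:

```cisco
! Site LAN: every site keeps the mandated 192.168.1.0/24 (assumed value)
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Internet-facing interface; the existing crypto map / IPsec for the GRE
! outer packets stays here unchanged, since NAT only rewrites the inner header
interface Dialer0
 ip nat outside
!
! GRE tunnel to HQ; marked "outside" so HQ-bound traffic is translated too
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
 tunnel source Dialer0
 tunnel destination HQ_PUBLIC_IP_PLACEHOLDER
!
! HQ address space (assumed 10.0.0.0/8) is reached only through the tunnel
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! Translate only when the packet leaves via Tunnel0, so the site keeps its
! real addresses for everything that goes to the internet via Dialer0
route-map NAT-VIA-TUNNEL permit 10
 match interface Tunnel0
!
! 1:1 network translation: HQ sees this site as 10.10.1.0/24 (site 2 would
! use 10.10.2.0/24, and so on). Static mappings are checked before the
! dynamic PAT rule below, and the route-map confines them to tunnel traffic.
ip nat inside source static network 192.168.1.0 10.10.1.0 /24 route-map NAT-VIA-TUNNEL
!
! Ordinary internet PAT, with HQ-bound traffic explicitly excluded so it can
! never be overloaded onto the DSL address by mistake
ip access-list extended INTERNET-NAT
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list INTERNET-NAT interface Dialer0 overload
```

HQ must route each alias (10.10.1.0/24, 10.10.2.0/24, ...) back down the matching tunnel, and the alias ranges must not overlap the HQ range or each other. Hosts at HQ address remote machines by their alias, and remote hosts can reach HQ but not each other's real 192.168.1.0/24, which is the any-to-any limitation a design like this carries.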

Paolo Bevilacqua Wed, 07/02/2008 - 13:44

Hi, can I be honest with you? If I was presented "with insistence" the request of configuring multiple sites with the same network address, I would refuse to do that. I would probably also renounce the job if necessary.

Reason why, as network engineers we must do things "the right way" just like doctors, lawyers, other engineers do all the time.

Doing a network like the above is completely unprofessional and is something that one could not even mention on a resume.

Sorry if this is not the type of answer you were waiting for, and good luck in any case.

julfle01rhi Wed, 07/02/2008 - 14:41

I agree it's a challenge - but it's one I have to resolve with the given parameters.

Is this problem truly technically insurmountable?

The whole Cisco configuration set is sooo extensible - I suspect there is a way of achieving this.

I can imagine a different scenario for the same problem - when two organisations with overlapping address space merge - and need to be initially connected via a VPN.

Paolo Bevilacqua Wed, 07/02/2008 - 15:24


Again in my opinion, it is not a challenge, it is a request made in deliberate disregard of any and all common networking practices.

You're correct that in certain cases there is no alternative to complicated NAT, so technology comes to help; however, for example in the case of overlapping addresses, you end up with severe limitations, and a network that is not any-to-any, far from that. Since that is OK in most organizations, they can live with that.

In your case, it appears instead that this is a new deployment and the request has no technical grounds beside (hypothesizing here) some guy that wants an easy life installing servers with the same disk image everywhere.

You would end up with a cumbersome, limited, hard to maintain and hard to troubleshoot network.

Reason why, you've introduced on a paved road what IT refrains from most - ambiguity.

Without the claiming humility on my side, let me tell you that from the experience of approx 20 yrs of IP networking, where I saw some cases like that, and all have failed miserably.

This is the reason why professionalism prevents me from even thinking of doing something like that, or suggesting if and how it could be done.

Again, sorry for not really answering your question - rate '1' if you wish :)

julfle01rhi Wed, 07/02/2008 - 16:34

Thanks for the feedback :-)

On a personal level - I agree with you 100%. Overlapping network address space is a lousy situation. But please bear with me - there are genuine reasons why I'm stuck with the situation "as-is", and can't simply resolve the issue by insisting on unique addressing everywhere. I won't bore anyone with all the commercial details behind this - as this is a technical forum after all :-)

So the question remains.

Within Cisco IOS, is it possible to implement NAT over an IPSEC/GRE tunnel between identically numbered subnets?

If the answer is a definitive no - then that's fine.

It would just make my life so much easier if there is a way of achieving this ...