address translation with tunnel

Unanswered Question
Apr 5th, 2009

Hi,

What are the merits & demerits of using address translation within a GRE tunnel? We are planning to do this within one customer's links from one location to another location, as they have two different links at one of the sites & don't want out-of-order packets during return transmission.

Thanks.


Cisco IOS Firewall configuration with Network Address Translation (NAT). This configuration allows traffic to be initiated from inside the 10.1.1.x and 172.16.1.x networks to the Internet and NATed along the way. A generic routing encapsulation (GRE) tunnel is added to tunnel IP and IPX traffic between two private networks.

When a packet arrives at the outbound interface of the router and if it is sent down the tunnel, it is first encapsulated using GRE

Giuseppe Larosa Sun, 04/12/2009 - 11:22

Hello Sunny,

I think I haven't understood all in your post.

a) Let me make some general considerations:

Most of the time NAT is used when accessing the internet and a GRE tunnel is used to build a VPN point-to-point connection between two sites.

In other words, traffic that has to go over the tunnel is often excluded from NAT operation; this is possible using an extended ACL.

Example:

access-list 111 deny ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255

access-list 111 permit ip 10.10.10.0 0.0.0.255 any

This ACL says: if traffic has to go to HQ net 10.20.0.0/16, don't NAT it.

To complete the solution, static routing or dynamic routing can be used to route over the GRE tunnel:

ip route 10.20.0.0 255.255.0.0 tunnel10

where tunnel10 is the GRE tunnel.

The GRE tunnel can also be protected with IPSec if necessary.

b) Now, focusing on your post:

From what you wrote it looks like you are thinking of using a GRE tunnel between two sites, that are connected with multiple parallel paths, because you are concerned with possible out of order packets.

But if it is so, I don't see the relationship with NAT.

By the way, normal load balancing uses flow-based (IP SA XOR IP DA) CEF load balancing, which always uses the same physical link for each flow and each direction; so out-of-order packets shouldn't be an issue unless you have enabled per-packet load sharing.

Note:

So probably you don't need the GRE tunnel at all to avoid out-of-order packets on the parallel links; you have this already.

But again I don't see the relationship with NAT.

I would suggest you describe your scenario in more detail to get better help.

Hope to help

Giuseppe
