04-05-2009 10:05 PM - edited 03-06-2019 05:00 AM
Hi,
What are the merits & demerits of using address translation within a GRE tunnel? We are planning to do this on one customer's links from one location to another location, as they have two different links at one of the sites & don't want out-of-order packets during return transmission.
Thanks.
04-12-2009 09:42 AM
Cisco IOS Firewall configuration with Network Address Translation (NAT). This configuration allows traffic to be initiated from inside the 10.1.1.x and 172.16.1.x networks to the Internet and NATed along the way. A generic routing encapsulation (GRE) tunnel is added to tunnel IP and IPX traffic between two private networks.
When a packet arrives at the outbound interface of the router and if it is sent down the tunnel, it is first encapsulated using GRE
04-12-2009 11:22 AM
Hello Sunny,
I think I haven't understood everything in your post.
a) Let me make some general considerations:
Most of the time NAT is used when accessing the internet, and a GRE tunnel is used to build a VPN point-to-point connection between two sites.
In other words, traffic that has to go over the tunnel is often excluded from NAT operation; this is possible using an extended ACL.
Example:
access-list 111 deny ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
This ACL says: if traffic has to go to HQ net 10.20.0.0/16, don't NAT it.
To complete the solution, static routing or dynamic routing can be used to route over the GRE tunnel:
ip route 10.20.0.0 255.255.0.0 tunnel10
where tunnel10 is the GRE tunnel.
The GRE tunnel can also be protected with IPSec if necessary.
b) Now, focusing on your post:
From what you wrote, it looks like you are thinking of using a GRE tunnel between two sites that are connected with multiple parallel paths, because you are concerned about possible out-of-order packets.
But if that is so, I don't see the relationship with NAT.
By the way, normal load balancing uses flow-based (IP SA XOR IP DA) CEF load balancing, which for each flow and each direction always uses the same physical link; so out-of-order packets shouldn't be an issue unless you have enabled per-packet load sharing.
Note:
So you probably don't need the GRE tunnel at all to avoid out-of-order packets on the parallel links: you have this already.
But again, I don't see the relationship with NAT.
I would suggest that you describe your scenario in more detail to get better help.
Hope to help
Giuseppe