Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
356
Views
0
Helpful
2
Replies

address translation with tunnel

suthomas1
Level 6
Level 6

‎04-05-2009 10:05 PM - edited ‎03-06-2019 05:00 AM

Hi,

What are the merits & demerits of using address translation within gre tunnel. We are planning to do this within one customers links from one location to another location, as they have two different links at one of the sites & dont want out of order packets during return transmission.

Thanks.

Labels:
0 Helpful
2 Replies 2

wong34539
Level 6
Level 6

‎04-12-2009 09:42 AM

Cisco IOS Firewall configuration with Network Address Translation (NAT). This configuration allows traffic to be initiated from inside the 10.1.1.x and 172.16.1.x networks to the Internet and NATed along the way. A generic routing encapsulation (GRE) tunnel is added to tunnel IP and IPX traffic between two private networks.

When a packet arrives at the outbound interface of the router and if it is sent down the tunnel, it is first encapsulated using GRE

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎04-12-2009 11:22 AM

Hello Sunny,

I think I haven't understood all in your post.

a) Let me do some general considerations:

Most of the times NAT is used when accessing the internet and a GRE tunnel is used to build a VPN point-to-point connection between two sites.

In other words, often traffic that has to go over the tunnel is excluded from NAT operation using an extended ACL this is possible.

example

access-list 111 deny ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255

access-list 111 permit ip 10.10.10.0 0.0.0.255 any

this ACL says if traffic has to go to HQ net 10.20.0.0/16 don't NAT it.

to complete the solution static routing or dynamic routing can be used to route over the GRE tunnel:

ip route 10.20.0.0 255.255.0.0 tunnel10

where tunnel10 is the GRE tunnel.

The GRE tunnel can also be protected with IPSec if necessary.

b) Now, focusing on your post:

From what you wrote it looks like you are thinking of using a GRE tunnel between two sites, that are connected with multiple parallel paths, because you are concerned with possible out of order packets.

But if it is so, I don't see the relationship with NAT.

By the way, normal load balancing uses flow based ( IP SA exor IP DA) CEF load balancing that uses for each flow and each direction always the same physical link; so out of order packets shouldn't be an issue unless you have enabled per packet load sharing.

Note:

So probably you don't need the GRE tunnel at all to avoid out of order packets on the parallel links you have this already.

But again I don't see the relationship with NAT.

I would suggest you to describe your scenario with more details to get better help.

Hope to help

Giuseppe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card