Cisco Support Community
New Member

address translation with tunnel


What are the merits & demerits of using address translation within a GRE tunnel? We are planning to do this within one customer's links from one location to another location, as they have two different links at one of the sites & don't want out-of-order packets during return transmission.



Re: address translation with tunnel

Cisco IOS Firewall configuration with Network Address Translation (NAT). This configuration allows traffic to be initiated from inside the 10.1.1.x and 172.16.1.x networks to the Internet and NATed along the way. A generic routing encapsulation (GRE) tunnel is added to tunnel IP and IPX traffic between two private networks.

When a packet arrives at the outbound interface of the router and if it is sent down the tunnel, it is first encapsulated using GRE

Hall of Fame Super Silver

Re: address translation with tunnel

Hello Sunny,

I think I haven't understood all in your post.

a) Let me make some general considerations:

Most of the time NAT is used when accessing the internet and a GRE tunnel is used to build a VPN point-to-point connection between two sites.

In other words, often traffic that has to go over the tunnel is excluded from NAT operation; using an extended ACL this is possible.


access-list 111 deny ip

access-list 111 permit ip any

This ACL says: if traffic has to go to the HQ net, don't NAT it.

To complete the solution, static routing or dynamic routing can be used to route over the GRE tunnel:

ip route tunnel10

where tunnel10 is the GRE tunnel.

The GRE tunnel can also be protected with IPSec if necessary.

b) Now, focusing on your post:

From what you wrote it looks like you are thinking of using a GRE tunnel between two sites that are connected with multiple parallel paths, because you are concerned with possible out-of-order packets.

But if it is so, I don't see the relationship with NAT.

By the way, normal load balancing uses flow-based (IP SA exor IP DA) CEF load balancing, which for each flow and each direction always uses the same physical link; so out-of-order packets shouldn't be an issue unless you have enabled per-packet load sharing.


So probably you don't need the GRE tunnel at all to avoid out-of-order packets on the parallel links; you have this already.

But again I don't see the relationship with NAT.

I would suggest you describe your scenario in more detail to get better help.

Hope to help
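
Added example, not part of the reply above and not Cisco code: a simplified Python model of the flow-based (source XOR destination) link choice the reply describes, compared with per-packet sharing over two links of unequal delay. It also shows that GRE-encapsulated traffic presents a single outer address pair, so per-flow sharing keeps it on one link. All addresses, delays and the modulo link choice are constructed assumptions; real CEF hashing differs in detail.

```python
import ipaddress
from collections import defaultdict

LINK_DELAY_MS = (5, 20)                      # constructed: two links, unequal latency
FLOW_A = ("10.1.1.10", "192.0.2.20")         # constructed inner flows
FLOW_B = ("10.1.1.11", "192.0.2.20")
GRE_OUTER = ("198.51.100.1", "203.0.113.1")  # constructed tunnel source/destination

def flow_link(src, dst, n_links=len(LINK_DELAY_MS)):
    """Simplified per-flow choice: XOR of source and destination address.
    The point is only that the result is deterministic for a given pair."""
    key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    return key % n_links

def sample_packets(n=6):
    """(send_time_ms, src, dst, seq): a burst of flow A, then a burst of flow B."""
    burst_a = [(t, *FLOW_A, t) for t in range(n)]
    burst_b = [(n + t, *FLOW_B, t) for t in range(n)]
    return burst_a + burst_b

def late_packets(packets, mode):
    """Per flow, count packets arriving after a higher sequence number already did."""
    arrivals = defaultdict(list)
    for i, (t, src, dst, seq) in enumerate(packets):
        if mode == "per-packet":
            link = i % len(LINK_DELAY_MS)    # round-robin, ignores the flow
        else:
            link = flow_link(src, dst)       # same link for the whole flow
        arrivals[(src, dst)].append((t + LINK_DELAY_MS[link], seq))
    late = {}
    for flow, pkts in arrivals.items():
        highest, count = -1, 0
        for _, seq in sorted(pkts):          # process in order of arrival time
            if seq < highest:
                count += 1
            highest = max(highest, seq)
        late[flow] = count
    return late

def links_used(pairs):
    """Set of links that per-flow sharing picks for the given (src, dst) pairs."""
    return {flow_link(s, d) for s, d in pairs}

if __name__ == "__main__":
    pkts = sample_packets()
    print("per-flow  :", late_packets(pkts, "per-flow"))
    print("per-packet:", late_packets(pkts, "per-packet"))
    print("inner flows use links", links_used([FLOW_A, FLOW_B]))
    print("inside GRE, both use ", links_used([GRE_OUTER] * 2))
```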

