[c-nsp] Tunneling through NAT

Ben Steele ben at internode.com.au
Tue Apr 8 03:01:45 EDT 2008


If it's a 1:1 NAT, i.e. a true NAT'd IP and not PAT, then GRE will work.
The NAT problem with GRE is when you are running PAT, as you can't
forward that protocol by itself on a Cisco via PAT, which is where
IPSEC is often used instead.

Having said all that, I would highly recommend you run your GRE
encapsulated in IPSEC anyway, seeing as you are doing this over the
Internet, unless you are not concerned about the privacy of your data.

Ben

On 08/04/2008, at 4:25 PM, TT wrote:

> Hello all,
>
> It seems all the material on the subject of tunneling through NAT I
> can find doesn't have two IOS boxes with the NAT between them, so now
> I'm asking for guidance on this.
>
> As said, I've got two IOS routers. The first one (let's call it R1) is
> in the internet, with public IPs and all. The other one, R2, is
> behind a 1:1 NAT, so one public IP mapped statically to a single RFC
> 1918 address. Now what I need is to route the IP subnet behind R2 to
> the internet via R1. That subnet has public IPs, so there's no need
> for NAT or anything like that. Apparently I'll need some kind of a
> tunnel between the routers, perhaps IPSec, and then static routes over
> that. GRE would be nice as there's no need for encryption, but if I
> remember correctly, it doesn't have NAT-traversal capabilities.
>
> The problem with example material is that all I can find assumes both
> ends of the tunnel have public IPs and no NAT between them. Naturally
> if this scenario has been discussed before, any pointers to example
> configs etc will be appreciated.
>
> Yours,
> Tero
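
The setup discussed in this message, GRE protected by IPsec with R2 behind a 1:1 NAT, as an added example configuration (not from the thread and not Cisco's own sample). All addresses, names and algorithm choices are assumptions, and it presumes an IOS release that supports `tunnel protection`, NAT-T and the listed ciphers.

```cisco
! Constructed addressing (documentation ranges, not from the thread):
!   R1 public address ............... 198.51.100.1
!   R2 inside (RFC 1918) address .... 192.168.1.2
!   R2 1:1 NAT public address ....... 203.0.113.10
!   NAT device inside address ....... 192.168.1.1
!   Public subnet routed behind R2 .. 192.0.2.0/24
!
! ---------- R1 (public side) ----------
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! R1 only ever sees R2 as its translated address, so key and peer use it.
crypto isakmp key <pre-shared-key> address 203.0.113.10
! Transport mode keeps the outer IP header, so the GRE packet R1 decrypts
! still arrives from 203.0.113.10 and matches the tunnel destination.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
ip route 192.0.2.0 255.255.255.0 Tunnel0
!
! ---------- R2 (behind the 1:1 NAT) ----------
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 198.51.100.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
! Source is R2's real inside address; the NAT device rewrites it in flight.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source 192.168.1.2
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
! Pin the tunnel endpoint to the physical path, then default via the tunnel.
ip route 198.51.100.1 255.255.255.255 192.168.1.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

Because NAT is detected on the path, IKE and ESP are carried in UDP (ports 500 and 4500), so the NAT device and any filters between the routers must pass those instead of IP protocol 47.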