[c-nsp] BGP through a NAT device

Andrew Clark lt.aclark at gmail.com
Wed Sep 12 11:21:46 EDT 2012


It is possible.  Depending on what you are using to do the NAT - just do
one to one NAT so that the translated IP addresses are predictable.  You
will need to have IP connectivity between the two peers before BGP will
work, so you will probably want to allow a few things (ICMP) through the
firewall besides just BGP.  You might need to turn off TCP sequence number
rewrite depending on the firewall.

Good luck!

Andrew Clark



> Hi all,
> I have an interesting question that I am going to be labbing soon.  Is it
> possible to NAT a connect-source for a BGP session and still establish a
> peering?  Obviously this would also require a NATing of the BGP packets as
> the connect-source wouldn't match what the BGP OPEN message is indicating.
> Example being: a router connected inside a corporate network, with all RFC
> 1918 addresses.  You configure an eBGP peer outside of your firewall and
> that address is being NATed to some public space.  The other router points
> his peering towards the public address so he has reachability to it, but
> without some NATing of the OPEN message obviously there is a mismatch and
> things wouldn't work.  I hope this is explained well enough to make sense.
> Thanks for any input ahead of time!
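As an added worked example (not from Andrew or the original poster), here is the one-to-one NAT plus eBGP setup the reply describes, written in Cisco IOS syntax. The addresses are constructed from the RFC 5737 documentation ranges, and the interface names, AS numbers and ACL name are assumptions.

```cisco
! Added example, not from the thread. Constructed addresses:
!   inside peering address 10.1.1.1, translated to 203.0.113.1 on the NAT device,
!   remote eBGP peer 198.51.100.1 (reachable from the NAT device's outside side).
!
! --- NAT device (IOS NAT shown; a firewall would use its own static 1:1 NAT) ---
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
! One-to-one static translation so the address the remote peer sees never changes.
ip nat inside source static 10.1.1.1 203.0.113.1
! Permit BGP (TCP/179) in both directions plus ICMP so reachability can be tested.
! Inbound ACLs on the outside interface are evaluated before NAT, so they match
! the public (translated) address.
ip access-list extended BGP-PEER-IN
 permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
 permit icmp host 198.51.100.1 host 203.0.113.1
interface GigabitEthernet0/1
 ip access-group BGP-PEER-IN in
!
! --- Inside router (AS 65001, assumed) ---
router bgp 65001
 neighbor 198.51.100.1 remote-as 65002
 ! source the session from the translated inside address (10.1.1.1)
 neighbor 198.51.100.1 update-source GigabitEthernet0/0
 ! the peer is one router away, so TTL 1 is not enough
 neighbor 198.51.100.1 ebgp-multihop 2
 neighbor 198.51.100.1 route-map PUBLIC-NEXTHOP out
! eBGP sets NEXT_HOP to the session source (10.1.1.1), which the remote peer
! cannot reach; rewrite it to the translated address in outbound UPDATEs.
route-map PUBLIC-NEXTHOP permit 10
 set ip next-hop 203.0.113.1
!
! --- Remote router (AS 65002, assumed) peers with the translated address ---
router bgp 65002
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 ebgp-multihop 2
!
! Caveats: do not configure "neighbor ... password" across the NAT, because the
! TCP MD5 signature (RFC 2385) covers the IP addresses and fails after
! translation; and, as the reply notes, disable TCP sequence-number
! randomization on the firewall if the session will not come up.
```

The remote side's `ebgp-multihop 2` is only needed if the NAT device decrements TTL; it is harmless otherwise.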

