Re: GRE tunnel and NAT

On 21 May, 17:44, nu3...@xxxxxxxxx wrote:
On May 21, 2:08 am, Bo...@xxxxxxxxxxxxx wrote:





On 21 May, 04:52, nu3...@xxxxxxxxx wrote:

I'm trying to setup a web server behind a NAT router through a GRE
tunnel.
Here's a quick diagram:

WWW --------(outside) R1 (inside) =====<GRE>===== R2 ------- Web
server
A                    B
C                                                        D

When an http request comes into R1 (s:A, d: B), NAT does its job
translates the packet to (s:A, d:D) and ships it over the GRE tunnel
to R2.  R2 routes it to the web server.  So far so good.

Now web server responds back (s:D, d:A), R2 ships the packet to R1
back through the GRE tunnel.
When R1 gets the packet from the tunnel, I expected it to NAT again
and send out (s:B, d:A) to WWW but instead R1 sends the packet
unmodified (s:D, d:A) to WWW.

If I remove the GRE tunnel and simply route the packet from R2 to R1
then NAT works as expected.  However I need the GRE tunnel as these
web requests need to traverse an internal network to get to the web
server.

Does anyone know why NAT source translation is not taking place on the
way out (when the packet arrives through the GRE tunnel)?

Here's the config for R1:

ip cef
!
!
!
no crypto isakmp enable
!
!
interface Tunnel2
 description desk-vpn tunnel
 ip address 10.88.101.10 255.255.255.252
 tunnel source 10.88.102.9
 tunnel destination 10.88.102.1
!
interface Loopback0
 ip address 10.88.101.101 255.255.255.252
!
interface FastEthernet0/0
 ip address 66.101.147.100 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.88.102.9 255.255.255.240
 ip nat inside
 duplex auto
 speed auto
!
!
ip nat inside source static tcp 10.88.102.10 80 66.101.147.100 80
extendable
ip classless
ip route 0.0.0.0 0.0.0.0 66.101.147.1
ip route 10.88.102.10 255.255.255.255 Tunnel2
!
no ip http server
no ip http secure-server

Web server is 10.88.102.10

Thanks in Advance

You need to make the Tunnel a NAT Inside
interface. The tunnel is a real interface just like
any other and needs to be treated as such.

Quite why nat works at all (half) with the
existing config I am not sure. I don't think it should.

Looks like that is a bug but you don't need to worry
about it.

Cisco have added a new nat syntax recently (ish)
where there is no inside/outside specified
but I don't understand it myself. Maybe this is
where the router is getting confused.

debug nat is very nice.

Fantastic.  Worked perfectly.  Thanks!!!

This should not impact NAT on interface FastEthernet0/1 (where I also
have ip nat inside configured), correct?

The reason I ask is because I see an output like:
Router(config-if)#ip nat in
Router(config-if)#
*Mar  4 17:23:15.001: ip_ifnat_modified: old_if 2, new_if 0

not sure what old_if and new_if refers to.- Hide quoted text -

- Show quoted text -

I am not really sure what you are asking.
Yon can have many nat inside and nat outside interfaces.
Nat is performed when a packet goes
between an inside an and outside in either direction.
Behaviour varies with direction of course.
I doubt that an interface can be an inside and an
outside at the same time ubt I could be wrong.

It is unlikely that adding the second inside int will affect
the first one. Especially since the "pass between
inside and outside" test then just send the traffic to the
natter whch does not care which interfaces the packets
have come from or are going to. There is a very nice
document "NAT order of operation". Some of the ipsec
components of the order were changed around 12.3.

The NAT interfaces are to do with the new nat config
which does not have inside and outside. You seem to
get NVIs Nat Virtual Interfaces.
I have not bothered to try to understnad it properly
since I did some tests with it and found that there are
some odd limitations on what you can do with it.
I forget now but I basically dismissed it
as not fit for production yet.

Maybe something like no nat and ipsec at the same time.
Not sure.

.

Relevant Pages

  • Re: protocol xx unreachable
    ... a tcpdump on the external interface shows a "protocol xx ... The routers in between cannot decode/mangle the packet without the endpoints ... For IPSec you should look at NAT-T which more or less wraps ... The ICMP packets are sent by the source (your router?) as here is some ...
    (comp.os.linux.networking)
  • Re: protocol xx unreachable
    ... a tcpdump on the external interface shows a "protocol xx ... The routers in between cannot decode/mangle the packet without the endpoints ... For IPSec you should look at NAT-T which more or less wraps ... The ICMP packets are sent by the source (your router?) as here is some ...
    (comp.os.linux.security)
  • PIX packets get NATed which shouldnt
    ... A PIX 501 Version 6.3 managing an IPSec tunnel to an ASA 5510 seems ... to to source NAT on outgoing packets which according to its config ... with its RFC1918 destination address the packet could never have ...
    (comp.dcom.sys.cisco)
  • NAT ACL Questions
    ... entries associated with NAT on IOS 12.4 on a 28xx router. ... interface GigabitEthernet0/0 ... indicates that the packet is not NAT-ed.) ...
    (comp.dcom.sys.cisco)
  • Re: Is router-generated traffic considered inside NAT?
    ... There are a "track" how packet goes. ... interface, then it applies "in" access list, if packet matches access-list ... for NAT, then packet is sent to "NAT engine". ... packet presented to routing engine, which makes decision where to send the ...
    (comp.dcom.sys.cisco)