IPsec/GRE with NAT

r.fang
Level 1

I have one 2600 router with two Ethernet interfaces: e0/0 connects to the Internet and carries an IPsec/GRE tunnel to a remote site. E0/0 is the tunnel endpoint.

e0/1 connects to the inside LAN. I would like to have NAT between the LAN and the remote site, so should I apply the ip nat outside command on the physical interface e0/0, on the GRE tunnel interface Tunnel0, or on both?

Thanks in advance

4 Replies

sachinraja
Level 9

It's enough if you apply the ip nat outside command on the Ethernet interface. You can refer to the following scenario:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b8.shtml#diag

a.awan
Level 4

Assuming that the next hop for your remote site is the GRE tunnel interface, I think the NAT application needs to be on the tunnel interface. NAT has to occur before your GRE traffic gets encrypted, and if there is no NAT outside statement on the tunnel interface, packets destined out that interface will not be NATed.

Depending on whether you want to NAT other traffic going out the interface or not, you might also require a NAT outside on e0/0.

I could not find a sample configuration for your exact requirements; however, the following link might prove to be of some value. It basically shows how to NAT between two sites along with encrypting traffic between them via IPSec. Unfortunately GRE tunneling is not used, but you can build it on top of this configuration:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

r.fang
Level 1

After building a test lab for this scenario: the ip nat outside command only needs to be turned on on the Tunnel interface, not on E0/0, and both dynamic and static NAT work fine.

That's how I thought it would work. Like I said earlier, if you have to NAT to the Internet also, then you will have to use ip nat outside on both interfaces, but if NAT is only required for the remote side, then ip nat outside on the tunnel interface is adequate.
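The configuration the thread converges on (ip nat inside on e0/1, ip nat outside on Tunnel0, and ip nat outside on e0/0 only if the LAN must also be translated toward the Internet), written out as an added example. It is not code from any poster in this thread or from the linked Cisco documents. Every address, interface name, access-list number, crypto name, pre-shared key and the remote LAN prefix is an assumed placeholder, and it assumes an IOS image that supports AES and DH group 14.

```cisco
! Added example, not from the thread: NAT between the inside LAN and a remote
! site over GRE protected by IPsec. All addresses and names are placeholders.
!
! Dynamic PAT: inside LAN hosts leave the tunnel with the Tunnel0 address.
! NAT is applied on Tunnel0 (the NAT outside interface), which happens before
! GRE encapsulation and therefore before the crypto map on e0/0 encrypts it.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Tunnel0 overload
!
! Optional static NAT: one inside host is seen by the remote site as 10.0.0.10.
! The remote site must have a route to 10.0.0.10 via its own tunnel interface.
ip nat inside source static 192.168.1.10 10.0.0.10
!
! Crypto ACL: protect the GRE traffic between the two tunnel endpoints.
access-list 101 permit gre host 203.0.113.1 host 198.51.100.1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 tunnel source Ethernet0/0
 tunnel destination 198.51.100.1
!
interface Ethernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM
 ! Add "ip nat outside" here as well only if the LAN must also be NATed
 ! toward the Internet; the GRE packets sourced from 203.0.113.1 do not
 ! match access-list 10, so they are left untranslated either way.
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Remote LAN (assumed 172.16.0.0/24) is reached through the tunnel, so the
! NAT outside lookup for that traffic happens on Tunnel0.
ip route 172.16.0.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 203.0.113.2
```

To confirm the order of operations after sending traffic from the LAN to the remote site, `show ip nat translations` should list entries with the Tunnel0 address (or 10.0.0.10 for the static host) as the inside global address, and `show crypto ipsec sa` should show the encrypted packet counters rising for the GRE traffic matched by access-list 101. If the translations appear but the counters do not move, the tunnel is up but the GRE packets are not matching the crypto ACL; if neither appears, the remote LAN route is not pointing at Tunnel0.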
