vEdge - Route leaking to VPN 0 to bypass NAT over GRE

JohnG2020
Level 1
Hello all,
The question I have is: can you specifically leak a summary route 10/8 to VPN 0 in order to bypass NAT from happening between the service-side VPN 10 and transport-side VPN 0? The reason I would like to have this bypassed is we have GRE1 and GRE2 in VPN 0 for Zscaler. Under the covers, it is using NAT between the two VPNs, VPN 10 and VPN 0. I am guessing this is so the return traffic routes back to the service-side VPN 10.
My customer has seen a significant performance decrease ever since switching to the SDWAN solution. Their previous Zscaler was on a traditional ISR router where it wasn't doing any NATing at all over the GRE tunnel.
I am thinking in version 20.3, you can leak routes to the service-side VPN 0. Would this possibly eliminate NAT when using the netsvc in the service-side VPN 10 to route the default traffic for 80/443 to GRE1 and GRE2 in VPN 0? 
Thanks in advance! 

1 Reply

So with 20.3 and 17.3.x you can route-leak either from global VPN (0) to service VPN (1-511) or vice versa, so I don't see why you couldn't do it. We recently had a use case to leak a 0.0.0.0/0 from VPN0 without NAT into the Service VPN to allow outbound internet access via a router/firewall that isn't yet within the SDWAN overlay.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/routing/ios-xe-17/routing-book-xe/m-routing-leaking-for-service-sharing.html#Cisco_Concept.dita_ee6c10fd-043d-44c1-9f33-2785408636bb
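As an added illustration (not configuration from either poster), the scenario in the thread expressed with the IOS XE SD-WAN 17.3 `route-replicate` syntax from the linked guide: the transport-side default is leaked into service VPN 10 without NAT, and only the 10/8 summary is leaked back into VPN 0 so return traffic from the GRE tunnels can reach the service VPN. The VRF number, prefixes, route-map and prefix-list names are assumptions, the exact protocol keywords should be verified on the target release, and vEdge (Viptela OS) uses a different CLI that is not shown.

```cisco
! Added example, not from the thread. VRF 10, prefixes and names are assumptions.
!
! Restrict what enters the transport VPN: only the service-side summary,
! so the rest of the VPN 10 address space is not exposed on VPN 0.
ip prefix-list SERVICE-SUMMARY seq 5 permit 10.0.0.0/8
route-map LEAK-TO-GLOBAL permit 10
 match ip address prefix-list SERVICE-SUMMARY
!
! Restrict what enters the service VPN: only the default towards GRE1/GRE2.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map LEAK-TO-VRF10 permit 10
 match ip address prefix-list DEFAULT-ONLY
!
! Service VPN 10 learns the transport-side default without any NAT step.
vrf definition 10
 address-family ipv4
  route-replicate from vrf global unicast all route-map LEAK-TO-VRF10
 exit-address-family
!
! Transport VPN 0 (global table) learns only 10/8, so replies coming back
! through the tunnels are routed into VPN 10 instead of relying on NAT.
global-address-family ipv4
 route-replicate from vrf 10 unicast all route-map LEAK-TO-GLOBAL
 exit-global-address-family
!
! Check the replicated entries (marked with a "+" in the RIB) before the
! NAT configuration is removed:
!   show ip route vrf 10
!   show ip route
```

Leaking with an unfiltered route-map would make every VPN 10 prefix reachable from the transport VPN, so the prefix-lists are the part of this to keep tight.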