2067 Views, 0 Helpful, 9 Replies

Need of NAT Between 2 sites using Tunnel over WAN

mahesh18
Level 6

Hi Everyone,

We have a couple of remote offices connected by a tunnel over the WAN link.

I need to understand why NAT is not used when we have a connection to other sites by tunnel.

I know that for access to the internet we will need NAT to work on the routers.

Thanks

Mahesh

9 Replies

Sakun Sharma
Level 1

Hi Mahesh,

In the case of a tunnel, you are directly connected to your internal network from your site to the other site, so the end device receiving the packet is within your network (same network); that is why you don't need to NAT it. In this case your source IP will be your source device IP, so when the other device has to reply to you, it can reply back to your IP, as both are in the same network.

But when you are sending a packet out of the router with a public IP, your source should be your ISP IP, so that a return path exists.

If you don't NAT while sending the packet out of the router, then the source IP in the received packet will be your internal network IP, but when it replies back there will be no path available towards your side, as it's your internal private-range IP.

So that is the reason that in the case of a tunnel you don't need NAT: both end devices are in the same network and have a route path to each other.

If you need more explanation with an example, please let me know.

--

Regards

Sakun Sharma
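Sakun's explanation turns on one question: does the device that receives the packet hold a route back to the packet's source address? The following is an added example of mine, not code from the thread, that models exactly that with small routing tables and a hop-by-hop trace. Site addressing follows the thread (192.168.2.0/24 and 192.168.3.0/24 joined by Tunnel1, WAN addresses 6.12.1.2 and 5.5.5.5); the Internet host 198.51.100.10 (a documentation address) and the ISP's routing table are constructed, and the ISP table deliberately carries no RFC 1918 prefixes because those are not routed on the public Internet.

```python
# Added example (not from the thread): why the tunnel needs no NAT but Internet-bound
# traffic does. A packet is walked hop by hop, then its reply; the reply decides the outcome.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

net, addr = ipaddress.ip_network, ipaddress.ip_address


@dataclass
class Device:
    """A router or Internet hop. A route whose next hop is "local" means the
    destination is directly attached and the packet is delivered there."""
    name: str
    routes: list                              # [(IPv4Network, next-hop device name | "local")]
    nat_outside: frozenset = frozenset()      # next hops that sit on the NAT "outside"
    nat_ip: Optional[str] = None              # inside-global address; None = no NAT configured
    translations: dict = field(default_factory=dict)   # inside-local -> inside-global

    def next_hop(self, dst: str):
        """Longest-prefix match, the lookup every router's FIB performs."""
        best = None
        for prefix, via in self.routes:
            if addr(dst) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via)
        return best[1] if best else None


def forward(devices, start, src, dst, max_hops=8):
    """Walk one packet. Returns (path, delivered, source address as seen at the far end)."""
    path, here = [start], start
    for _ in range(max_hops):
        dev = devices[here]
        if dev.nat_ip and dst == dev.nat_ip:          # reply to our NAT address: un-translate
            inside = {glob: loc for loc, glob in dev.translations.items()}.get(dst)
            if inside is None:
                return path, False, src               # no translation state: dropped
            dst = inside
        via = dev.next_hop(dst)
        if via is None:
            return path, False, src                   # no route: dropped at this hop
        if via == "local":
            return path, True, src
        if via in dev.nat_outside and dev.nat_ip and addr(src).is_private:
            dev.translations[src] = dev.nat_ip        # source NAT on egress to the outside
            src = dev.nat_ip
        path.append(via)
        here = via
    return path, False, src


def round_trip(devices, start, src, dst):
    """Send a packet and then its reply; report whether the reply made it home."""
    out, ok, seen_src = forward(devices, start, src, dst)
    if not ok:
        return {"forward": out, "reply": [], "delivered": False, "translated": seen_src != src}
    back, ok, _ = forward(devices, out[-1], dst, seen_src)
    return {"forward": out, "reply": back, "delivered": ok, "translated": seen_src != src}


def build(nat_on_router_a):
    """Site A 192.168.2.0/24 behind Router A (WAN 6.12.1.2), Site B 192.168.3.0/24 behind
    Router B (WAN 5.5.5.5), joined by Tunnel1. The tunnel is modelled as a direct hop:
    what matters for NAT is the inner packet's routing, not the GRE encapsulation."""
    return {
        "RouterA": Device("RouterA", [(net("192.168.2.0/24"), "local"),
                                      (net("192.168.3.0/24"), "RouterB"),   # ip route ... tunnel1
                                      (net("0.0.0.0/0"), "ISP")],
                          nat_outside=frozenset({"ISP"}),
                          nat_ip="6.12.1.2" if nat_on_router_a else None),
        "RouterB": Device("RouterB", [(net("192.168.3.0/24"), "local"),
                                      (net("192.168.2.0/24"), "RouterA"),   # ip route ... tunnel1
                                      (net("0.0.0.0/0"), "ISP")]),
        # Constructed ISP table: the customers' public links and the web host, no RFC 1918.
        "ISP": Device("ISP", [(net("6.12.1.0/30"), "RouterA"),
                              (net("5.5.5.0/24"), "RouterB"),
                              (net("198.51.100.0/24"), "Web")]),
        "Web": Device("Web", [(net("198.51.100.0/24"), "local"), (net("0.0.0.0/0"), "ISP")]),
    }


def site_to_site():
    """Over the tunnel: Router B holds a route back to 192.168.2.0/24, so nothing is translated."""
    return round_trip(build(nat_on_router_a=True), "RouterA", "192.168.2.10", "192.168.3.10")


def internet_without_nat():
    """Private source leaves untranslated; the reply dies at the ISP, which has no route back."""
    return round_trip(build(nat_on_router_a=False), "RouterA", "192.168.2.10", "198.51.100.10")


def internet_with_nat():
    """Same flow with NAT on Router A: the reply targets 6.12.1.2 and is un-translated inside."""
    return round_trip(build(nat_on_router_a=True), "RouterA", "192.168.2.10", "198.51.100.10")


if __name__ == "__main__":
    for case in (site_to_site, internet_without_nat, internet_with_nat):
        print(f"{case.__name__:22} {case()}")
```

The NAT here is a 1:1 mapping without port overloading, which is enough to show the return-path logic; the point to take from the three cases is that NAT is triggered by the absence of a reverse route, not by the presence of a tunnel.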

Hi Sakun,

Many thanks for detailed explanation.

Regards

Mahesh

John Blakley
VIP Alumni

Mahesh,

The only time that you usually need to nat over a tunnel is if your private side addresses conflict with the other side's addresses. For example, if your lan was 192.168.1.0, and the peer's lan was 192.168.1.0, then you'd need to nat one side to another network like 192.168.2.0.

When the tunnel is up, and you don't have a conflict, you route your packets over the tunnel interface. So, if you wanted to get to 192.168.2.0/24 on the other side of the tunnel, you could have a static route of 192.168.2.0 255.255.255.0 tunnel1. Since you know how to get to the other network, you don't need nat. NAT is needed for when your destination network, like the internet, doesn't know how to get to your source network and you have to nat to an IP that the next hop knows how to get to.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Thanks for reply.

1> So when we use a tunnel to connect to the other side, do we use a static route only, or can we use a routing protocol over the tunnel to get to the other side?

2> Also, say side A has IP 192.168.2.0

Side B has IP 192.168.3.0

Then should the tunnel interface on the A or B side have a private IP of the same subnet as the A or B side, or does it need a public IP?

Thanks

Mahesh

Mahesh,

You can use a routing protocol if you'd like to run one over the tunnel. The two sites will form an adjacency just as they do on a LAN/WAN segment.

The two sides should have different internal subnets in order not to need NAT. If they are the same, then one side or the other has to NAT so as to avoid a conflict. In your example, it would be recommended not to NAT the connection. 192.168.2.0 would be able to route to 192.168.3.0 and vice versa with no NAT needed.

Now there are exceptions to this rule, though. One would be if your other end is a large network. That large network may peer with you from a router that has 192.168.1.0/24 as an internal network, but they may have 40 other routes in their routing table that point toward their MPLS cloud. They may have 192.168.3.0/24 in their routing table, so they'd require that you translate your subnet to something other than what they have in their routing table. I have p2p IPsec connections where the other end dictated that I NAT the connection because I had a subnet going to them that was causing a routing issue on their end.

HTH,

John

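John's two rules (translate only when the subnets collide, and translate when the far end already carries your prefix in its table) can be checked before the tunnel is built. The block below is an added example of mine, not John's code, and it goes one step past his wording: when both LANs are literally the same prefix, translating one side's source is not enough on its own, because hosts on that side still cannot address the peer's LAN (it is their own subnet), so the peer's addresses are mapped as well. The site prefixes are the thread's; the 172.16.0.0/16 pool, the peer's MPLS routes and the two IOS NAT statement forms are assumptions (verify the exact `ip nat ... static network` syntax on your IOS release).

```python
# Added example (not from the thread): decide which prefixes must be translated before a
# site-to-site tunnel comes up, and render the result as IOS static network NAT lines.
import ipaddress

net = ipaddress.ip_network


def overlapping(prefixes, table):
    """(prefix, entry) pairs where a prefix overlaps an entry already in the other table.
    A peer that routes (part of) your prefix elsewhere cannot also route it back to you."""
    return [(p, t) for p in prefixes for t in table if p.overlaps(t)]


def pick_free(prefixlen, pool, taken):
    """First block of the given length in `pool` that collides with nothing on either side."""
    for cand in pool.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return cand
    raise ValueError(f"no free /{prefixlen} left in {pool}")


def plan_nat(local_lans, peer_lans, peer_other_routes, pool):
    """Translation plan for one end of the tunnel.

    inside : our prefixes the peer already has in its table (its own LAN or a route toward
             its MPLS cloud); we present them under a translated source prefix.
    outside: peer LANs that collide with our own; our hosts would otherwise hand that traffic
             to the local switch, so the peer's addresses are mapped as they arrive.
    A pair of sites with distinct subnets yields an empty plan: routing alone is enough."""
    peer_table = list(peer_lans) + list(peer_other_routes)
    taken = list(local_lans) + peer_table
    plan = {"inside": {}, "outside": {}}
    for mine, _ in overlapping(local_lans, peer_table):
        if mine not in plan["inside"]:
            plan["inside"][mine] = pick_free(mine.prefixlen, pool, taken)
            taken.append(plan["inside"][mine])
    for theirs, _ in overlapping(peer_lans, local_lans):
        if theirs not in plan["outside"]:
            plan["outside"][theirs] = pick_free(theirs.prefixlen, pool, taken)
            taken.append(plan["outside"][theirs])
    return plan


def ios_lines(plan):
    """Render the plan as IOS static network NAT statements (assumed syntax; verify on your
    release). The tunnel interface carries 'ip nat outside', the LAN 'ip nat inside', and
    every outside mapping also needs a route for the mapped prefix pointing at the tunnel."""
    lines = [f"ip nat inside source static network {m.network_address} {g.network_address} /{m.prefixlen}"
             for m, g in plan["inside"].items()]
    lines += [f"ip nat outside source static network {t.network_address} {g.network_address} /{t.prefixlen}"
              for t, g in plan["outside"].items()]
    return lines


POOL = net("172.16.0.0/16")   # constructed: address space that is unused on both sides


def thread_case():
    """192.168.2.0/24 and 192.168.3.0/24, as in the thread: nothing to translate."""
    return plan_nat([net("192.168.2.0/24")], [net("192.168.3.0/24")], [], POOL)


def same_lan_case():
    """Both LANs 192.168.1.0/24: our source is translated, and their LAN is mapped as well."""
    return plan_nat([net("192.168.1.0/24")], [net("192.168.1.0/24")], [], POOL)


def large_peer_case():
    """Peer LAN 192.168.1.0/24 plus constructed MPLS routes, one of which is our 192.168.3.0/24:
    only an inside (source) translation is needed, since their LAN does not collide with ours."""
    mpls = [net("10.0.0.0/8"), net("192.168.3.0/24"), net("192.168.40.0/24")]
    return plan_nat([net("192.168.3.0/24")], [net("192.168.1.0/24")], mpls, POOL)


if __name__ == "__main__":
    for case in (thread_case, same_lan_case, large_peer_case):
        print(case.__name__, ios_lines(case()) or "no NAT needed")
```

Feed `peer_other_routes` from the peer's actual routing table (or the prefix list they hand you) rather than from memory; the 40-route MPLS case John describes is exactly the one where a prefix you never thought of collides.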

Hi John,

Can you please answer this question also

What will the tunnel interface IP be on each end: any 192.168.x.x IP, or does it have to be public?

Thanks

Mahesh

It's going to depend on the internal network that you have now. For example, a GRE tunnel will have an IP address on the tunnel interface that can be a /30. Your source interface would be your WAN interface, and your destination address would be the other peer's public address:

Router A:

! Tunnel addresses form their own /30; the tunnel is sourced from the WAN
! interface and pointed at the peer's public address.
interface Tunnel1
 ip address 2.2.2.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 5.5.5.5
!
interface Serial0/0
 ip address 6.12.1.2 255.255.255.252
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
! The remote LAN is routed into the tunnel; no translation is involved.
ip route 192.168.3.0 255.255.255.0 Tunnel1

Router B:

interface Tunnel1
 ip address 2.2.2.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 6.12.1.2
!
interface Serial0/0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.3.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel1

HTH,

John

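Before trusting a tunnel like the one above with site traffic, it is worth cross-checking the two halves against each other: each side's `tunnel destination` must be the peer's source address, the tunnel addresses must share a subnet, each side must route the other's LAN into the tunnel (otherwise the reply takes the default route to the ISP, the case where NAT would suddenly be needed), and plain GRE gives no confidentiality or integrity, so LAN traffic crossing the WAN in it should be wrapped in IPsec (`tunnel protection ipsec profile ...`). The checker below is an added example of mine, not John's code; the embedded configs are John's two routers with the abbreviated keywords expanded, and the parser handles only the handful of commands those configs use.

```python
# Added example (not from the thread): parse the two router configs from the reply above
# and cross-check them the way a reviewer would before the tunnel goes into service.
import ipaddress

ROUTER_A = """
interface Tunnel1
 ip address 2.2.2.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 5.5.5.5
!
interface Serial0/0
 ip address 6.12.1.2 255.255.255.252
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
!
ip route 192.168.3.0 255.255.255.0 Tunnel1
"""

ROUTER_B = """
interface Tunnel1
 ip address 2.2.2.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 6.12.1.2
!
interface Serial0/0
 ip address 5.5.5.5 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
!
ip route 192.168.2.0 255.255.255.0 Tunnel1
"""


def parse_ios(text):
    """Minimal IOS reader: per-interface address and tunnel settings, plus static routes
    that point at an interface. Every other line is ignored."""
    cfg = {"interfaces": {}, "routes": []}
    cur = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "interface":
            cur = cfg["interfaces"].setdefault(words[1], {})
        elif words[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(f"{words[2]}/{words[3]}"), words[4]))
            cur = None                                # global command ends the interface block
        elif cur is None:
            continue
        elif words[:2] == ["ip", "address"]:
            cur["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[0] == "tunnel" and len(words) > 2 and words[1] in ("source", "destination", "protection"):
            cur[words[1]] = " ".join(words[2:])
    return cfg


def source_address(cfg, tun):
    """`tunnel source` may name an interface; resolve it to the address GRE is sent from."""
    src = cfg["interfaces"][tun]["source"]
    return str(cfg["interfaces"][src]["address"].ip) if src in cfg["interfaces"] else src


def lan_prefixes(cfg, tun):
    """Every addressed interface that is neither the tunnel nor its underlay source."""
    skip = {tun, cfg["interfaces"][tun]["source"]}
    return [i["address"].network for n, i in cfg["interfaces"].items()
            if n not in skip and "address" in i]


def check_pair(a, b, tun="Tunnel1"):
    """Cross-check two routers' tunnel configs; returns findings, empty when nothing is wrong."""
    out = []
    ta, tb = a["interfaces"][tun], b["interfaces"][tun]
    # 1. Each destination must be the peer's source address or GRE never comes up.
    for t, peer, label in ((ta, b, "A"), (tb, a, "B")):
        if t["destination"] != source_address(peer, tun):
            out.append(f"router {label}: tunnel destination {t['destination']} "
                       f"is not the peer's source {source_address(peer, tun)}")
    # 2. The tunnel addresses (the /30 in the thread) must share one subnet.
    if ta["address"].network != tb["address"].network:
        out.append(f"tunnel addresses {ta['address']} and {tb['address']} are in different subnets")
    # 3. The far side must route each LAN back through the tunnel; without that route the reply
    #    follows the default route to the ISP, which is exactly where NAT would become necessary.
    for here, there, label in ((a, b, "B"), (b, a, "A")):
        for lan in lan_prefixes(here, tun):
            if (lan, tun) not in there["routes"]:
                out.append(f"router {label}: no route for {lan} via {tun}")
    # 4. Plain GRE is neither encrypted nor authenticated; LAN traffic crossing the WAN in it
    #    can be read or injected on the path unless the tunnel is protected with IPsec.
    for label, t in (("A", ta), ("B", tb)):
        if "protection" not in t:
            out.append(f"router {label}: {tun} has no 'tunnel protection ipsec profile', "
                       "LAN traffic crosses the WAN in clear")
    return out


if __name__ == "__main__":
    for finding in check_pair(parse_ios(ROUTER_A), parse_ios(ROUTER_B)):
        print(finding)
```

Run against the thread's configs, checks 1 to 3 pass and only the two IPsec findings remain; break one side's static route or mistype a destination and the corresponding finding appears.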

Hi John,

Many thanks for answering all my posts.

Regards

Mahesh

You're very welcome.

John