GRE tunnel and NAT

I'm trying to set up a web server behind a NAT router through a GRE tunnel. Here's a quick diagram:

WWW --------(outside) R1 (inside) ========== R2 ------- Web server
 A                     B                     C               D

When an http request comes into R1 (s:A, d:B), NAT does its job, translates the packet to (s:A, d:D) and ships it over the GRE tunnel to R2. R2 routes it to the web server. So far so good.

Now the web server responds (s:D, d:A), and R2 ships the packet back to R1 through the GRE tunnel. When R1 gets the packet from the tunnel, I expected it to NAT again and send out (s:B, d:A) to WWW, but instead R1 sends the packet unmodified (s:D, d:A) to WWW.

If I remove the GRE tunnel and simply route the packet from R2 to R1, then NAT works as expected. However, I need the GRE tunnel as these web requests need to traverse an internal network to get to the web server.

Does anyone know why NAT source translation is not taking place on the way out (when the packet arrives through the GRE tunnel)?

Here's the config for R1:

ip cef
!
!
!
no crypto isakmp enable
!
!
interface Tunnel2
 description desk-vpn tunnel
 ip address 10.88.101.10 255.255.255.252
 tunnel source 10.88.102.9
 tunnel destination 10.88.102.1
!
interface Loopback0
 ip address 10.88.101.101 255.255.255.252
!
interface FastEthernet0/0
 ip address 66.101.147.100 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.88.102.9 255.255.255.240
 ip nat inside
 duplex auto
 speed auto
!
!
ip nat inside source static tcp 10.88.102.10 80 66.101.147.100 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 66.101.147.1
ip route 10.88.102.10 255.255.255.255 Tunnel2
!
no ip http server
no ip http secure-server

The web server is 10.88.102.10.

Thanks in advance.

-- nu3aek


You need to make the Tunnel a NAT Inside interface. The tunnel is a real interface just like any other and needs to be treated as such.

Quite why NAT works at all (half) with the existing config I am not sure. I don't think it should.

Looks like that is a bug but you don't need to worry about it.

Cisco have added a new NAT syntax recently (ish) where there is no inside/outside specified, but I don't understand it myself. Maybe this is where the router is getting confused.

debug nat is very nice.

-- Bod43
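The change Bod43 describes, written out as a config fragment added here for illustration (it is not from the original thread; the addresses and interface names are taken from nu3aek's posted config, and the rest of that config is assumed unchanged):

```text
! R1 -- the only change is on Tunnel2: mark the GRE tunnel as a NAT
! inside interface. A reply from the web server then enters R1 on an
! inside interface (Tunnel2) and leaves on the outside interface
! (FastEthernet0/0), so it crosses the inside->outside boundary and
! the static translation 10.88.102.10:80 <-> 66.101.147.100:80 is applied
! in the reverse direction, giving (s:B, d:A) on the wire.
interface Tunnel2
 description desk-vpn tunnel
 ip address 10.88.101.10 255.255.255.252
 ip nat inside
 tunnel source 10.88.102.9
 tunnel destination 10.88.102.1
!
! Unchanged from the original post, shown for context:
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
ip nat inside source static tcp 10.88.102.10 80 66.101.147.100 80 extendable
ip route 10.88.102.10 255.255.255.255 Tunnel2
```

To check it from exec mode, `show ip nat translations` should list the static entry (inside global 66.101.147.100:80, inside local 10.88.102.10:80) and, while a request is in flight, a dynamic entry for the client; `debug ip nat` (the "debug nat" Bod43 mentions) prints each translation as it happens, and should be switched off again with `no debug ip nat` once you have what you need. Note that the static mapping only exposes TCP/80 on the public address, not the whole host, which is the point of using the port-specific `extendable` form.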

Fantastic. Worked perfectly. Thanks!!!

This should not impact NAT on interface FastEthernet0/1 (where I also have ip nat inside configured), correct?

The reason I ask is because I see an output like:

Router(config-if)#ip nat in
Router(config-if)#

*Mar 4 17:23:15.001: ip_ifnat_modified: old_if 2, new_if 0

Not sure what old_if and new_if refer to.

-- nu3aek


I am not really sure what you are asking. You can have many NAT inside and NAT outside interfaces. NAT is performed when a packet goes between an inside and an outside in either direction. Behaviour varies with direction, of course. I doubt that an interface can be an inside and an outside at the same time, but I could be wrong.

It is unlikely that adding the second inside int will affect the first one. Especially since the "pass between inside and outside" test then just sends the traffic to the natter, which does not care which interfaces the packets have come from or are going to. There is a very nice document, "NAT order of operation". Some of the ipsec components of the order were changed around 12.3.

The NAT interfaces are to do with the new NAT config which does not have inside and outside. You seem to get NVIs (NAT Virtual Interfaces). I have not bothered to try to understand it properly since I did some tests with it and found that there are some odd limitations on what you can do with it. I forget now, but I basically dismissed it as not fit for production yet.

Maybe something like no NAT and ipsec at the same time. Not sure.

-- Bod43
