Tunnel over NAT

Hi All,
In our network we have configured a tunnel over NAT setup.
This tunnel is flapping continuously
with log message CRYPTO SESSION UP & DOWN.
Attaching the configuration detail of the remote side router.
There is a Crypto Session Up & Down log in the hub side router.

Hi, yes, I have removed the crypto map from the tunnel & applied it only on the FastEthernet interface, but the tunnel is still flapping
with the same log messages:
Aug 14 17:28:55: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunnel160) is down: interface down
Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:29:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, changed state to up
Aug 14 17:30:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunnel160) is up: new adjacency
Configuration Detail
dubai-vpn1#sh running-config interface tunnel 160
Building configuration...
Current configuration : 388 bytes
interface Tunnel160
 description Primary GRE to drsfso-vpn1
 bandwidth 512
 ip address 165.204.14.206 255.255.255.252
 ip mtu 1400
 ip hello-interval eigrp 1 40
 ip hold-time eigrp 1 220
 ip route-cache flow
 ip tcp adjust-mss 1360
 no ip mroute-cache
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 20 5
 tunnel source FastEthernet0/1
 tunnel destination 195.75.97.209
end
Regards
Gopinath.V
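An added example, not part of the original post or of any Cisco tooling: a small Python parser for the syslog lines above that tells a flapping crypto session apart from a healthy one. It pulls out every %CRYPTO-5-SESSION_STATUS event, counts UP-to-DOWN transitions per peer that happen within a short window, and lists the peers negotiating on UDP/4500, the port IPsec NAT traversal switches to, which is the hint that a NAT device sits between the two routers. The sample log is constructed from the rejoined lines in the post plus one extra UP/DOWN pair; the 600-second window and the threshold of two flaps are assumed values to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the wrapped syslog lines from the post, rejoined into
# single lines, plus one more UP/DOWN pair so the counter has a second flap.
SAMPLE_LOG = """\
Aug 14 17:28:55: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunnel160) is down: interface down
Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:29:33: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:29:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel160, changed state to up
Aug 14 17:30:21: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 165.204.14.205 (Tunnel160) is up: new adjacency
Aug 14 17:31:02: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 195.75.97.209:4500 Id: 195.75.97.209
Aug 14 17:31:02: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 195.75.97.209:4500 Id: 195.75.97.209
"""

# IOS prints "is UP ." with a stray space and "is DOWN." without one; the
# optional space in the pattern absorbs both forms.
CRYPTO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): %CRYPTO-5-SESSION_STATUS: "
    r"Crypto tunnel is (?P<state>UP|DOWN) ?\. Peer (?P<peer>\d+(?:\.\d+){3}):(?P<port>\d+)"
)

NAT_T_PORT = 4500  # IKE/ESP-in-UDP port used once NAT traversal is detected


def parse_crypto_events(log_text):
    """Return [(timestamp, state, peer, port)] for every CRYPTO-5-SESSION_STATUS line.

    IOS timestamps carry no year, so strptime yields year 1900; only the
    differences between timestamps are used, which is fine within one day.
    """
    events = []
    for line in log_text.splitlines():
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("state"), m.group("peer"), int(m.group("port"))))
    return events


def count_flaps(events, window_seconds=600):
    """Count UP->DOWN transitions per peer where DOWN follows UP within window_seconds.

    A session torn down seconds after it comes up is a flap; a session that
    lived for hours and then dropped is a normal teardown or rekey and is not
    counted. Events are sorted by timestamp only, so same-second events keep
    their log order (sorted() is stable).
    """
    last_up = {}
    flaps = defaultdict(int)
    for ts, state, peer, _port in sorted(events, key=lambda e: e[0]):
        if state == "UP":
            last_up[peer] = ts
        elif state == "DOWN" and peer in last_up:
            if (ts - last_up[peer]).total_seconds() <= window_seconds:
                flaps[peer] += 1
            del last_up[peer]
    return dict(flaps)


def nat_traversal_peers(events):
    """Peers whose session is negotiated on UDP/4500, i.e. IPsec NAT-T is in use."""
    return sorted({peer for _ts, _state, peer, port in events if port == NAT_T_PORT})


def flapping_peers(events, threshold=2, window_seconds=600):
    """Peers with at least `threshold` short-lived sessions: the ones to investigate."""
    return sorted(p for p, n in count_flaps(events, window_seconds).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_crypto_events(SAMPLE_LOG)
    print("crypto events:", len(evs))
    print("flaps per peer:", count_flaps(evs))
    print("NAT-T peers:", nat_traversal_peers(evs))
    print("flapping peers:", flapping_peers(evs))
```

Feed it `show logging` output or a syslog export; a peer that appears in both lists is a NAT-traversed session that keeps collapsing right after IKE completes, which is exactly the pattern in the post.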

Similar Messages

  • Bridge or Tunnel or NAT ?

    I have design constraint where I have to run same subnet between two locations.
    Site A and B connected via T1 will have hosts in network 1.1.1.0/24 which will need to talk to each other locally and over T1. Routers connected to Site A and site B will also need to talk to the IP network via its another interface. I know I can do it via transparent bridge.I'm trying to find the best option. Can I use Tunnel or NAT will work better? Please advice.
    Thanks.

    Yes, you can use NAT. I guess you can treat them as overlapping networks. As for tunnelling, if supported on your routers, L2TPv3 is an option; see link:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008016108b.html#wp1085956.
    I believe all three options will work but in my opinion in such a simple topology the easiest is irb.

  • Tcp mss adjust calculation for GRE tunnel over DSL line

    Hi guys,
    I need your advice on this one, as I searched on cisco.com and NetPro but was unable to find the exact info that I required.
    First, can anyone confirm the following calculation to find out MSS size.
    Mss size = MTU size - encapsulation size - tcp header size
    So for normal case;
    MSS = 1500 - 48 (48 is the tcp/ip header)
    so MSS = 1452
    Thus in my case GRE tunnel over DSL connection;
    MSS = 1492 - 24 - 48 (24 is the GRE encap; 48 is the tcp/ip header)
    MSS = 1420
    is this correct?
    Secondly, where should the ip tcp mss-adjust be implemented? Is it at the Dialer (DSL) interface or at the Tunnel interface?

    I don't use the math (it doesn't work for me, probably because I miss something). Here's how I do it:
    C:\>ping 10.125.0.250 -f -l 1600
    Pinging 10.125.0.250 with 1600 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1500
    Pinging 10.125.0.250 with 1500 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1400
    Pinging 10.125.0.250 with 1400 bytes of data:
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
    C:\>ping 10.125.0.250 -f -l 1450
    Pinging 10.125.0.250 with 1450 bytes of data:
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=20ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 20ms, Average = 19ms
    C:\>ping 10.125.0.250 -f -l 1475
    Pinging 10.125.0.250 with 1475 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1470
    Pinging 10.125.0.250 with 1470 bytes of data:
    Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=22ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=20ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 22ms, Average = 20ms
    C:\>
    1470 works and has a little bit of extra room. The tcp mss-adjust should be done on the LAN interface.
    Hope it helps.
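The MSS question above, and the `ip mtu 1400` / `ip tcp adjust-mss 1360` pair in the first post, are both instances of one budgeting exercise: subtract each encapsulation from the physical MTU, then take 40 bytes (IPv4 20 + TCP 20, no options) off the result for the MSS. The following is an added example written for this page, not code from either thread: it does that budget for a stack of encapsulations, and goes beyond the thread's plain GRE-over-DSL case to GRE over IPsec with NAT-T, where the ESP overhead is not a constant because of cipher-block padding. The ESP defaults (16-byte IV and block, 12-byte ICV) are an assumption modelling AES-CBC with HMAC-SHA1-96; use the values of the proposal your routers actually negotiate. It also converts a `ping -l N` payload into the IP packet size that actually hits the wire, since the -l value excludes the 28 bytes of ICMP and IPv4 headers.

```python
"""MTU/MSS budgeting for tunnelled TCP, added example (not from the thread)."""

IPV4_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20    # TCP header without options
ICMP_HEADER = 8    # ICMP echo header

# Fixed per-layer overhead in bytes. tunnel_mtu() peels these outermost first.
FIXED_OVERHEAD = {
    "pppoe": 8,   # PPPoE (6) + PPP (2): why a DSL line offers 1492, not 1500
    "gre": 24,    # outer IPv4 (20) + basic GRE header (4), no key/sequence options
    "nat-t": 8,   # UDP header that IPsec NAT traversal wraps around ESP (UDP/4500)
}


def esp_overhead(inner_len, transport=False, iv_len=16, icv_len=12, block=16):
    """Bytes ESP adds around an inner packet of inner_len bytes.

    Unlike GRE, ESP overhead is not constant: the payload plus the 2-byte
    trailer is padded up to the cipher block size. Defaults are an assumption
    modelling AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV).
    """
    pad = (-(inner_len + 2)) % block
    outer_ip = 0 if transport else IPV4_HEADER   # tunnel mode adds a new outer IP header
    return outer_ip + 8 + iv_len + pad + 2 + icv_len  # 8 = SPI + sequence number


def _largest_inner_for_esp(budget, transport):
    """Largest inner packet whose ESP-wrapped size still fits in budget."""
    return next((n for n in range(budget, 0, -1)
                 if n + esp_overhead(n, transport) <= budget), 0)


def tunnel_mtu(outer_mtu, stack):
    """Largest inner IP packet that fits in outer_mtu once wrapped in stack.

    stack lists encapsulations innermost first, e.g. ("gre", "esp-transport", "nat-t")
    for GRE over IPsec with NAT traversal; the outermost layer is peeled first.
    """
    size = outer_mtu
    for layer in reversed(stack):
        if layer in ("esp-tunnel", "esp-transport"):
            size = _largest_inner_for_esp(size, layer == "esp-transport")
        else:
            size -= FIXED_OVERHEAD[layer]
    return size


def mss_for_mtu(mtu):
    """TCP MSS to clamp to for a given IP MTU: IPv4 and TCP headers, no options."""
    return mtu - IPV4_HEADER - TCP_HEADER


def ping_packet_size(payload_len):
    """IP packet size produced by `ping -f -l N` (Windows) or `ping -M do -s N` (Linux).

    The -l/-s value is the ICMP payload only; ICMP and IPv4 headers ride on top,
    so 1472 is the largest payload that fits an untunnelled 1500-byte link.
    """
    return payload_len + ICMP_HEADER + IPV4_HEADER


def clamp_plan(outer_mtu, stack):
    """(ip mtu, ip tcp adjust-mss) values for a tunnel interface over this stack."""
    mtu = tunnel_mtu(outer_mtu, stack)
    return mtu, mss_for_mtu(mtu)


if __name__ == "__main__":
    for label, outer, stack in [
        ("plain GRE over DSL", 1492, ("gre",)),
        ("GRE over IPsec transport + NAT-T", 1500, ("gre", "esp-transport", "nat-t")),
        ("GRE over IPsec tunnel + NAT-T", 1500, ("gre", "esp-tunnel", "nat-t")),
    ]:
        mtu, mss = clamp_plan(outer, stack)
        print(f"{label:36s} ip mtu {mtu}  ip tcp adjust-mss {mss}")
    for payload in (1470, 1472, 1475):
        print(f"ping -l {payload} -> {ping_packet_size(payload)}-byte IP packet")
```

The DF-bit probing in the reply above remains the ground truth for what the path really passes; this calculator gives you the number to expect before you probe, and tells you why a GRE-over-IPsec tunnel with NAT-T ends up near the 1400/1360 pair from the first post rather than at the 1476/1436 a bare GRE header would suggest.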

  • Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

    Hi
    Was anyone successful in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/R2 RRAS server? I am using an 881 router and the layout is something like this:
    Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
    The tunnel goes from the 881 to the Windows server (not from the client...).
    Thanks
    Roland

    Hi Federico
    Thanks for your help! Much appreciated.
    In my case this should be transparent to the client - I would like not to initiate the connection from the client.
    Does that make sense? I am considering L2TP because Windows 2008 R2 doesn't support IPsec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPsec connection).
    Regards
    Roland

  • Unexpected case IPv4 tunnel over IPv6 ?

    Hi,
    I wonder if there is one use case one can think of that is not possible with Cisco IOS:
    Establish an IPsec tunnel over an IPv6 network transporting both IPv4 and IPv6 traffic. Even an IPsec tunnel over an IPv6 network transporting IPv4 only does not work.
    I tried several things in my lab but couldn't get it running.
    I tried to search the net for my use case but I only find the other way round.
    Question: is it possible to achieve connectivity of the following IPv4 addresses over an IPsec tunnel over an IPv6 network?
    Ultimately, the same tunnel should be capable of transporting both. A dedicated tunnel for IPv4 and an IPv6 tunnel on the same routers would also be OK.
         Svr A                (  )                Svr B
        +----+             , `,( .)              +----+
        |    |   +----+   ( .(  ...)    +----+   |    |
        |    |---| R1 |---`    .....)---| R2 |---|    |
        |    |   +----+    ( ......)    +----+   |    |
        +----+                                   +----+
    10.0.23.1/24          IPv6 only          10.0.42.1/24
                            network

    Same/similar question but the case is instead of Site to Site VPN, it would be using the Cisco VPN Client.  The host on the left side is connected to an IPv6-only network.  They need to communicate with IPv4 devices across the Internet (behind a Cisco ASA).
    Is this possible?
    Cisco VPN Client         (  )                Cisco ASA
        +----+             , `,( .)              +----+
        |    |   +----+   ( .(  ...)    +----+   |    |
        |    |---| R1 |---`    .....)---| R2 |---|    |----IPv4 network
        |    |   +----+    ( ......)    +----+   |    |
        +----+                                   +----+
    IPv6-only HOST        IPv6 Network         has IPv6 Interface on public side

  • Gre tunnel over 2 mpls routers

    I have 2 sites; the voice server is in Site A and Site B has the remote phones. Right now the voice VLAN goes over the DMVPN; we are facing some degraded performance and decided to move voice traffic to MPLS.
    We need to carry the multicast traffic as well, which is not supported over our MPLS circuit. I have no idea why the provider is not supporting multicast traffic over the MPLS circuit.
    So we decided to create GRE tunnels to carry multicast traffic over MPLS. We have L3 switches on both sites, Site A a Cisco 4500 and Site B a Cisco 3850, and MPLS connectivity is reachable up to the L3 core switches. With the 3850 we had an issue creating tunnels, and I upgraded the IOS; after upgrading I came to know that tunnels are not supported on the 3850. So we cannot have a GRE tunnel between our L3 switches over the MPLS.
    My question is: can I ask the MPLS provider to set up tunnels on their routers (which they are ready to help with) and point the static routes for the voice VLAN towards the GRE tunnels over MPLS?
    Can you advise any other solution, or would this solution work?

    Aneesh,
    Loss of connectivity between the two PEs would indeed cause the GRE tunnel interface to go down, assuming that you configure tunnel keepalives as follows:
    int tu0
     keepalive
    Regards

  • SNA tunnel over GRE tunnel

    Is it possible?
    Configure SNA tunnel over GRE tunnel

    To my knowledge, no, but it would sure work for me if it was possible. DLSW has always worked like a charm for me to route SNA over an IP network.

  • JMS Issues over NAT IP in weblogc 10.3

    Dear Tom B,
    We have an issue in connecting to the JMS TOPICs over NAT IP. Please note the application has Applets/Swing and hence uses Thin Client jars for communicating with the WebLogic server. We are getting the following exception when we try to look up using the NATed IP.
    Exception at MessagingServiceFactory :::weblogic.jms.common.JMSException: [JMSClientExceptions:055054]Error finding dispatcher: weblogic.messaging.dispatcher.DispatcherException: Could not register a DisconnectListener for [IOR:...] for treasury-1
    weblogic.jms.common.JMSException: [JMSClientExceptions:055054]Error finding dispatcher: weblogic.messaging.dispatcher.DispatcherException: Could not register a DisconnectListener for [IOR:...] for treasury-1
      at weblogic.jms.client.JMSConnectionFactory.setupJMSConnection(JMSConnectionFactory.java:266)
      at weblogic.jms.client.JMSConnectionFactory.createConnectionInternal(JMSConnectionFactory.java:285)
      at weblogic.jms.client.JMSConnectionFactory.createTopicConnection(JMSConnectionFactory.java:184)
    I read your other thread "Weblogic JMS port usage!" where you said a special -D property might be required, but I could not get the exact property for us to try it out.
    Request your advice.
    Regards
    Suresh.

    Hi,
    Would you be able to explain what you are trying to do and what is failing, along with the stack trace please?
    Presumably, you have got JMS modules -> JMS Topic created and all assigned/targeted to the Managed Server instances? Are you having trouble connecting/subscribing to that topic from your client code? If so, where does your client code execute from? I mean, is that on the same host as the WebLogic server?
    From the host that has your client code, try ping / nslookup / tracert to the WebLogic host and see if that's resolved in the first place.
    HTH
    Sri

  • L2 tunneling over IP: Which features on Cat6807 w. Sup2T/Cat6880 do support this?

    Hi,
    Does anybody know how I can run point-to-point and point-to-multipoint L2 tunnels over an IP backbone based on Cat68K without MPLS?
    AFAIK L2TP isn't supported.
    I found some information about "Layer 2 over Multipoint GRE" but I cannot estimate if that's a recommended solution because the documentation is quite brief (http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/L2omGRE.html).
    Best Regards,
    Thorsten Steffen

    Hi,
    If you are using Sup-2T, it supports VPLS. You can use it to create a point-to-multipoint l2 tunnel.
    Have a look at this doc for more info:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11-663645.html
    HTH

  • ISCSI over NAT

    Hi 
    I see that it is not possible with a standard config to connect to a MS iSCSI target over NAT; are there any special tricks to getting the external IP and not the internal?
    Dave

    Connecting from inside a VM should do the trick.
    StarWind Virtual SAN clusters Hyper-V without SAS, Fibre Channel, SMB 3.0 or iSCSI, uses Ethernet to mirror internally mounted SATA disks between hosts.

  • Stratus tunneling over ports 443 and/or 80

    Would it be possible to have Stratus listen on ports 443 and 80; and would Flash Player 10 indeed fall back to those ports, as with FMS?
    I am dealing with a customer who has difficulty opening 1935 due to corporate policies.
    I have no information about port 10000+. Hopefully they pose no problem.
    Kind Regards,
    Frans

    The older RTMP operates over TCP port 1935 and falls back to tunneling over 443 and/or 80.
    The newer RTMFP uses UDP and requires the ability to make outbound connections to 1935 and also higher port numbers in order to establish a server connection.
    Running over port 443 and 80 UDP wouldn't help; the firewall is likely configured to open up TCP 443 (HTTPS) and TCP 80 (HTTP) while still blocking UDP.
    If your application needs to work in the presence of UDP-blocking firewalls (and note that we do several things to get through them, if they do allow internally-initiated UDP sessions), you'll need to code your own fallback to a TCP protocol like RTMP or HTTP.

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • Accessing File Shares Over NAT

    Hello,
    I am working with a client that set up a new subnet that uses hide NAT. When I try to access a file share on a server in a different subnet, I can only browse for a few seconds and then an error such as "Server service not started" or "network name no longer available" appears, and I can't browse folders on that server anymore (it has Server 2003 SP2). Netmon found that the connection was constantly being reset. If I reconfigure the same client (XP SP3) with its original un-NATed IP address, everything works fine, and the Windows firewall is disabled on both the server and client. Is there a trick to get CIFS or SMB or whatever to work over hide NAT?
    Thanks!

    Hi,
    SMB uses a single session for a pair of IPs, and all file transfer between these 2 IPs is made over this session. This makes the file transfer more efficient over the network. On the flip side, since only one SMB session is maintained, clients coming through NAT will have problems, since all these clients are presented as a single IP to the server. With SMB, only a single session will be maintained and thus there is nothing unique for each client. This breaks the communication.
    We will need to use NetBIOS over TCP/IP in place of SMB. This can be achieved by:
    1. Disabling SMB on the server or on all the client machines by setting the registry:
    Name: SMBDeviceEnabled
    Type: REG_DWORD
    Value: 0
    The location of the registry key is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. You may have to create this if not already existing.
    2. Block TCP port 445 for the segment accessing shares through NAT

  • Services over NAT

    Hi,
    I am trying to connect two overlapping IP address sites (see attached diagram). Site A LAN addresses will dynamic NAT to 10.1.1.0/24 at the ASA5520. All the users from Site A need to get services from Site B (DHCP, DNS, Mailbox, Print Servers, AD login etc). All the connections will be initiated from Site A to B.
    My questions are:
    1. Will all these services run over the NATed address (dynamic), or do I have to change to static NAT?
    2. Is anyone running this kind of network and can provide a sample config for ASA 5520?
    Regards,

    Hi,
    I suggest doing NAT on both sites.
    For Site A with ASA running 8.4 software the NAT configuration might look something like this
    Base Information
    Site A LAN: 192.168.1.0/24
    Site A LAN NAT: 10.1.1.0/24
    Site B LAN (NAT): x.x.x.x/24
    Site A LAN interface = inside
    Site A WAN interface = outside
    Configuration
    object network LAN-LOCAL
      subnet 192.168.1.0 255.255.255.0
    object network LAN-NAT
      subnet 10.1.1.0 255.255.255.0
    object network REMOTE-LAN
      subnet x.x.x.x 255.255.255.0
    nat (inside,outside) source static LAN-LOCAL LAN-NAT destination static REMOTE-LAN REMOTE-LAN
    What the above configuration will do is:
    Do NAT between interfaces "inside" and "outside".
    When Site A users connect from their LAN-LOCAL to REMOTE-LAN, their NAT IP address will be LAN-NAT. This works both ways: when Site B REMOTE-LAN connects to LAN-NAT, they will reach LAN-LOCAL of Site A.
    Also notice that since you are using this type of NAT, every LOCAL and NAT address will match each other regarding the last portion of the IP address:
    192.168.1.1 = 10.1.1.1
    192.168.1.2 = 10.1.1.2
    192.168.1.3 = 10.1.1.3
    etc
    As I said before I would suggest you ask the Site B admin to also NAT their local LAN 192.168.1.0/24 to something and then you can use that network range and insert to the above configuration to the place of x.x.x.x.
    Please rate if you found the information helpful
    Also ask more if needed
    - Jouni

  • Vpn tunnels and Nat on Cisco soho 91 routers ??

    Is it possible to create the following, using the soho 91 routers:
    Router A (192.168.1.0) network
    E0 192.168.1.250
    E1 external ip (world ip)
    Router B (192.168.99.0) network
    E0 192.168.99.1
    E1 external ip (world ip)
    Router C (192.168.103.0) network
    E0 192.168.103.1
    E1 external ip (world ip)
    tunnel1 = from Router A to Router B
    tunnel2 = from Router A to Router C
    on Router A
    ip route 192.168.2.0 255.255.255.0 192.168.1.2
    ip route 192.168.3.0 255.255.255.0 192.168.1.3
    ip route 192.168.4.0 255.255.255.0 192.168.1.4
    ip route 192.168.99.0 255.255.255.0 to-tunnel1
    ip route 192.168.103.0 255.255.255.0 to-tunnel2
    ip route nat (everything thing else)
    on Router B
    ip route 192.168.1.0 255.255.255.0 to-tunnel1
    ip route 192.168.103.0 255.255.255.0 to-tunnel1
    ip route nat (everything else)
    on Router C
    ip route 192.168.1.0 255.255.255.0 to-tunnel2
    ip route 192.168.103.0 255.255.255.0 to-tunnel2
    ip route nat (everything else)
    Thanks.
    Wayne

    I assume you are using GRE tunnel and not IPSec. If GRE tunnel, the configuration looks OK except for Router C. The "ip route 192.168.103.0 255.255.255.0 to-tunnel2" should be "ip route 192.168.99.0 255.255.255.0 tunnel2 " pointing to the network connected to Router B. Also the correct command should not have "to-tunnel1", it is simply "tunnel1"
