
Routing a private IP through the public cloud


LingaringBell (IS-IT--Management)
Mar 13, 2009
I have two buildings, let's call them A and B. The buildings are connected by a T1 PTP. Each building also has a few public internet gateways, so all the users in Building A reach the internet through the gateways in Building A and vice-versa. Occasionally, the PTP between the buildings goes down, so then users in Building A can't communicate with the users in Building B (duh). I'm looking for an idea to get the two buildings communicating again by using the gateways instead of the PTP. Here is what I have tried:

1.) Tried to route private IPs to public IPs (I'm pretty sure this is impossible, but I've been wrong before)

Example:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Private LAN in Building B is 192.168.2.0/24

On Router A I put a static route that says:

ip route 192.168.2.0 255.255.255.0 2.2.2.2

and then vice versa on Router B.

Now I'm pretty sure this won't work (and it hasn't in my tests), but I've never really understood why not.

2.) Use NAT

This idea is easy if I am trying to re-route a single IP address, but I'm not sure how to do it for a whole subnet range.

Example:

Router in Building A has public IP 1.1.1.1
Has IP address 1.1.1.2 directed towards it
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Private LAN in Building B is 192.168.2.0/24

Then lets say I want to let Building B connect to IP address 192.168.1.5

On router B I put a NAT rule that says:

ip nat outside source static 1.1.1.2 192.168.1.5

and on Router A I put a NAT rule that says:
ip nat inside source static 192.168.1.5 1.1.1.2

This works fine, but can I do it for a whole subnet? I've never tried to use the "source network" command with a NAT outside rule. Will this even work?

If anyone has any better ideas, I'm all ears. Thanks for reading this long post.
-Bell
 
Some options:

1. Use PAT (NAT overload in Cisco-lingo).
2. GRE Tunnel
3. IP/IP Tunnel
4. IPSec Tunnel
5. GRE/IPSec Tunnel

How complex and secure do you need it? Also, how many inside hosts? I'd do PAT based on what you say.

HTH
 
Thanks for the suggestions, I've never set up a tunnel before so I think I'll try PAT. Honestly though, I am kind of confused about how this will work, since in essence, I need to go from private IP, to public IP, to private again. If I go back to my example of:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Has IP address 2.2.2.3 directed towards it
Private LAN in Building B is 192.168.2.0/24

On router A, would I put in:

ip nat pool mypool 2.2.2.3 2.2.2.3 prefix 30
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat outside source list 1 pool mypool overload

But then what do I put on router B? If I had to guess it would be:

ip nat pool mypool 2.2.2.3 2.2.2.3 prefix 30
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 pool mypool overload


But I feel like I'm missing a point somewhere.

To answer your other questions, it does not have to be complex or secure (though complex is always fun). I have roughly 150-200 hosts in each building. Thanks for your help.
-Bell
 
Honestly, I'd run a GRE over IPsec tunnel and run OSPF, RIP, or EIGRP across both the PtP link as well as the GRE/IPsec tunnel. This way the routing protocol will dynamically reroute your traffic should the private link go down.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
For PAT, I'd do the inside source this way which may be easier (I'll assume a serial0/0 interface for the WAN side since you didn't specify what you're using):

A

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat inside source list 1 interface s0/0 overload

ip route 0.0.0.0 0.0.0.0 s0/0

interface f0/0
ip nat inside
interface s0/0
ip nat outside

B
access-list 1 permit 192.168.2.0 0.0.0.255

ip nat inside source list 1 interface s0/0 overload

ip route 0.0.0.0 0.0.0.0 s0/0

interface f0/0
ip nat inside
interface s0/0
ip nat outside

There are lots of variations with NAT/PAT, but this is about the easiest way to make it work.

HTH

 
unclerico, could you recommend some good reading on setting up a GRE over IPsec tunnel?

Cluebird, I don't think what you are suggesting is correct, or you are misunderstanding what I'm asking. If you look at my example again for the routers:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Has IP address 2.2.2.3 directed towards it
Private LAN in Building B is 192.168.2.0/24


If I put in your commands I would just be setting up a standard incoming NAT pool. What I want is to have the devices in building A, on LAN 192.168.1.0/24, to be able to get to devices in building B, on LAN 192.168.2.0/24. So, in building A I need to have a NAT rule that takes any addresses on 192.168.2.0/24 and translates them into a public IP, so they can go out into the public net, and get to the WAN interface of router B. And then they need to be changed back into their proper private IPs at that point.

As in my original post, I still don't really understand why I can't just use a static route on router A that looks like:

ip route 192.168.2.0 255.255.255.0 2.2.2.2
 
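The reason the plain static route in the post above never works is worth spelling out. Router A resolves the next hop 2.2.2.2 through its default route and forwards the packet out the Internet interface unchanged, still addressed to 192.168.2.x. The ISP has no route for 192.168.2.0/24 (RFC 1918 space is not routed on the Internet and is commonly filtered as bogon traffic), so the packet is discarded on the first hop. NAT does not help for a whole subnet either, because the destination host's private address is what has to survive the trip. A tunnel solves this by wrapping each private packet in an outer header addressed 1.1.1.1 -> 2.2.2.2, which the Internet can route; adding IPsec on top authenticates and encrypts that wrapper so the private traffic is neither readable nor spoofable in transit.

The following is an added example of the GRE-over-IPsec design recommended in this thread, with EIGRP running over both the T1 and the tunnel so the backup path takes over automatically. It is not configuration posted by anyone in the thread. Assumptions: Cisco IOS; Internet on Serial0/0 (as in the PAT example above) with the public addresses from the original post; the T1 on Serial0/1 numbered 10.0.0.0/30; LAN on FastEthernet0/0; tunnel subnet 10.255.255.0/30; EIGRP AS 100; and CHANGE-ME as a placeholder pre-shared key.

```cisco
! ===== Router A (public 1.1.1.1, LAN 192.168.1.0/24) =====
! Phase 1 (ISAKMP): peer authentication with a pre-shared key.
! Placeholder key; on newer IOS prefer "hash sha256" and "group 14" or higher.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME address 2.2.2.2
!
! Phase 2 (IPsec): transport mode is enough because GRE supplies the outer header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! GRE tunnel between the two public addresses, encrypted by the profile.
! Reduced MTU/MSS avoids fragmentation from the GRE+ESP overhead.
interface Tunnel0
 description GRE/IPsec backup path to Building B
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile GRE-PROT
!
! EIGRP over the T1 (Serial0/1, assumed 10.0.0.0/30) and the tunnel.
! The tunnel's low default bandwidth gives it a worse metric than the T1,
! so the T1 is preferred while it is up and the tunnel takes over when it fails.
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 network 10.255.255.0 0.0.0.3
 passive-interface FastEthernet0/0
 no auto-summary
!
! Keep building-to-building traffic out of the Internet PAT; only true
! Internet-bound traffic is overloaded onto the Serial0/0 address.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
interface FastEthernet0/0
 ip nat inside
interface Serial0/0
 ip nat outside
!
! ===== Router B (public 2.2.2.2, LAN 192.168.2.0/24): mirror image =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key CHANGE-ME address 1.1.1.1
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel0
 description GRE/IPsec backup path to Building A
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 192.168.2.0 0.0.0.255
 network 10.0.0.0 0.0.0.3
 network 10.255.255.0 0.0.0.3
 passive-interface FastEthernet0/0
 no auto-summary
ip access-list extended NAT-INSIDE
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
interface FastEthernet0/0
 ip nat inside
interface Serial0/0
 ip nat outside
```

Checks a practitioner would run: with the T1 up, `show ip route 192.168.2.0` on Router A should point at Serial0/1, and `show ip eigrp neighbors` should list Router B over both Serial0/1 and Tunnel0; after shutting the T1 the route should move to Tunnel0 within EIGRP's hold time, and `show crypto ipsec sa` should show encrypt/decrypt counters climbing. If either router applies an inbound ACL on Serial0/0, it must permit UDP 500 (ISAKMP) and IP protocol 50 (ESP) from the peer's public address; the GRE packets themselves ride inside ESP and need no separate rule. What enters the tunnel is decided by routing, not by an access list: anything routed to Tunnel0 is encapsulated, and ordinary Internet traffic still follows the default route out Serial0/0 untouched. A simpler alternative to the routing protocol is a floating static, `ip route 192.168.2.0 255.255.255.0 Tunnel0 250` alongside the normal T1 route, but that only fails over when the T1's line protocol actually drops, whereas EIGRP also detects a circuit that is up but not passing traffic.
 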

I agree---with a GRE tunnel, you can pass any protocol through, and with IPSEC, you'll be protected against several types of attacks (including man-in-the-middle, which in your situation you'd be somewhat vulnerable).

I'd give Uncle a star too---I think he hit it right on the head. Of course, Clue deserves his props as well;)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I have a 1700 and 1800 series. A question about a GRE Tunnel that I didn't think of before. If I set up a tunnel on an internet line, can that line only be used for the tunnel and not other normal outbound traffic?
 
Absolutely not. The link can carry tunneled or non-tunneled traffic. You choose what goes through the tunnel by defining ACLs.
 
Hello
Have you resolved your problem? If not, I am willing to give you a hand with the design and configuration. You could start with a GRE tunnel that will kick in when the primary link goes down. Once it's up and running we can throw in IPSEC for security.

Best regards
 