Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Routing a private IP through the public cloud 1

Status
Not open for further replies.
LingaringBell

LingaringBell

IS-IT--Management
Mar 13, 2009
30
US
I have two buildings, lets call them A and B. The buildings are connected by a T1 PTP. Each building also has a few public internet gateways, so all the users in Building A reach the internet through the gateways in Building A and vice-versa. Occasionally, the PTP between the buildings goes down, so then users in Building A can't communicate with the users in Building B (duh). I'm looking for an idea to get the two buildings communicating again by using the gateways instead of the PTP. Here is what I have tried:

1.) Tried to route private IPs to public IPs (I'm pretty sure this is impossible, but I've been wrong before)

Example:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Private LAN in Building B is 192.168.2.0/24

On Router A I put a static route that says:

ip route 192.168.2.0 255.255.255.0 2.2.2.2

and then vice versa on Router B.

Now I'm pretty sure this won't work (and it hasn't in my tests), but I've never really understood why not.

2.) Use NAT

This idea is easy if I am trying to re-route a single IP address, but I'm not sure how to do it for a whole subnet range.

Example:

Router in Building A has public IP 1.1.1.1
Has IP address 1.1.1.2 directed towards it
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Private LAN in Building B is 192.168.2.0/24

Then lets say I want to let Building B connect to IP address 192.168.1.5

On router B I put a NAT rule that says:

ip nat outside source static 1.1.1.2 192.168.1.5

and on Router A I put a NAT rule that says:
ip nat inside source static 192.168.1.5 1.1.1.2

This works fine, but can I do it for a whole subnet? I've never tried to use the "source network" command with a NAT outside rule. Will this even work?

If anyone has any better ideas, I'm all ears. Thanks for reading this long post.
-Bell
 
Sort by date Sort by votes
Some options:

1. Use PAT (NAT overload in Cisco-lingo).
2. GRE Tunnel
3. IP/IP Tunnel
4. IPSec Tunnel
5. GRE/IPSec Tunnel

How complex and secure do you need it? Also, host many inside hosts? I'd do PAT based on what you say.

HTH
 
Upvote 0 Downvote
Thanks for the suggestions, I've never set up a tunnel before so I think I'll try PAT. Honestly though, I am kind of confused about how this will work, since in essence, I need to go from private IP, to public IP, to private again. If I go back to my example of:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Has IP address 2.2.2.3 directed towards it
Private LAN in Building B is 192.168.2.0/24

On router A, would I put in:

ip nat pool mypool 2.2.2.3 2.2.2.3 prefix 30
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat outside source list 1 pool mypool overload

But then what do I put on router B? If I had to guess it would be:

ip nat pool mypool 2.2.2.3 2.2.2.3 prefix 30
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 pool mypool overload


But I feel like I'm missing a point somewhere.

To answer your other questions, it does not have to be complex or secure (though complex is always fun). I have roughly 150-200 hosts in each building. Thanks for you help.
-Bell
 
Upvote 0 Downvote
honestly, i'd run a GRE over IPSec tunnel and run OSPF, RIP, or EIGRP across both the PtP link as well as the GRE/IPSec tunnel. this way the routing protocol will dynamically reroute your traffic should the private link go down.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
For PAT, I'd do the inside source this way which may be easier (I'll assume a serial0/0 interface for the WAN side since you didn't specify what you're using:

A

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat inside source list 1 interface s0/0 overload

ip route 0.0.0.0 0.0.0.0 s0/0

interface f0/0
ip nat inside
interface s0/0
ip nat outside

B
access-list 1 permit 192.168.2.0 0.0.0.255

ip nat inside source list 1 interface s0/0 overload

ip route 0.0.0.0 0.0.0.0 s0/0

interface f0/0
ip nat inside
interface s0/0
ip nat outside

There are lots of variations with NAT/PAT, but this is about the easiest way to make it work.

HTH

 
Upvote 0 Downvote
unclerico, could you recommend some good reading on setting up a GRE over IPsec tunnel?

Cluebird, I don't think what you are suggesting is correct, or you are misunderstanding what I'm asking. If you look at my example again for the routers:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Has IP address 2.2.2.3 directed towards it
Private LAN in Building B is 192.168.2.0/24


If I put in your commands I would just be setting up a standard incoming NAT pool. What I want is to have the devices in building A, on LAN 192.168.1.0/24, to be able to get to devices in building B, on LAN 192.168.2.0/24. So, in building A I need to have a NAT rule that takes any addresses on 192.168.2.0/24 and translates them into a public IP, so they can go out into the public net, and get to the WAN interface of router B. And then they need to be changed back into their proper private IPs at that point.

As in my original post, I still don't really understand why I can't just use a static route on router A that looks like:

ip route 192.168.2.0 255.255.255.0 2.2.2.2
 
Upvote 0 Downvote

I agree---with a GRE tunnel, you can pass any protocol through, and with IPSEC, you'll be protected against several types of attacks (including man-in-the-middle, which in your situation you'd be somewhat vulnerable).

I'd give Uncle a star too---I think he hit it right on the head. Of course, Clue deserves his props as well;)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Upvote 0 Downvote
Upvote 0 Downvote
I have a 1700 and 1800 series. A question about a GRE Tunnel that I didn't think of before. If I set up a tunnel on an internet line, can that line only be used for the tunnel and not other normal outbound traffic?
 
Upvote 0 Downvote
Absolutely not. The link can carry tunneled or non-tunneled traffic. You choose what goes through the tunnel by defining ACLs.
 
Upvote 0 Downvote
Hello
Have you resolve your problem?If not I am willing to give you hand with the design and configuration.You could start with a GRE tunnel that will kick in when the primary link goes down.Once it's up and running we can throw in IPSEC for security.

Best regards
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Pankaj88
  • Locked
  • Question
BGP Routing Clarification
Replies
0
Views
128
Pankaj88
Pankaj88
woza
  • Locked
  • Question
GNS3: Delete the lines "transport preferred none"
Replies
1
Views
210
DrB0b
DrB0b
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat 1
Replies
1
Views
402
BIS
BIS
bfordz
  • Locked
  • Question
new help on setting up third party VoIP phones through Catalyst 2960x switch
Replies
0
Views
113
bfordz
bfordz
jarod_paris
  • Locked
  • Question
firmware for an AP2800 WiFi terminal
Replies
0
Views
162
jarod_paris
jarod_paris

Part and Inventory Search

Sponsor

Back
Top