Routing a private IP through the public cloud

LingaringBell (IS/IT--Management)
25 Feb 10 18:43
I have two buildings, let's call them A and B.  The buildings are connected by a T1 PTP.  Each building also has a few public internet gateways, so all the users in Building A reach the internet through the gateways in Building A and vice-versa.  Occasionally, the PTP between the buildings goes down, so then users in Building A can't communicate with the users in Building B (duh).  I'm looking for an idea to get the two buildings communicating again by using the gateways instead of the PTP.  Here is what I have tried:

1.) Tried to route private IPs to public IPs (I'm pretty sure this is impossible, but I've been wrong before)

Example:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Private LAN in Building B is 192.168.2.0/24

On Router A  I put a static route that says:

ip route 192.168.2.0 255.255.255.0 2.2.2.2

and then vice versa on Router B.

Now I'm pretty sure this won't work (and it hasn't in my tests), but I've never really understood why not.

2.)  Use NAT

This idea is easy if I am trying to re-route a single IP address, but I'm not sure how to do it for a whole subnet range.

Example:

Router in Building A has public IP 1.1.1.1
Has IP address 1.1.1.2 directed towards it
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Private LAN in Building B is 192.168.2.0/24

Then let's say I want to let Building B connect to IP address 192.168.1.5

On router B I put a NAT rule that says:

ip nat outside source static 1.1.1.2 192.168.1.5

and on Router A I put a NAT rule that says:
ip nat inside source static 192.168.1.5 1.1.1.2

This works fine, but can I do it for a whole subnet?  I've never tried to use the "source network" command with a NAT outside rule.  Will this even work?

If anyone has any better ideas, I'm all ears.  Thanks for reading this long post.
-Bell
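
Bell asks above why the static route toward 2.2.2.2 does not work. The following is an added illustration, not code from the thread or from Cisco: a toy longest-prefix-match forwarding table in Python, with recursive next-hop resolution the way a router does it. It uses the thread's placeholder addresses; the ISP gateways (1.1.1.254, 2.2.2.254), the /24 WAN subnets and the interface names are assumptions.

```python
"""Added example (not from the thread): why `ip route 192.168.2.0 255.255.255.0 2.2.2.2`
on Router A never reaches Building B, and why a route to a tunnel interface does.
Addresses 1.1.1.x / 2.2.2.x / 192.168.x.0 are the thread's placeholders; the ISP
gateways, /24 WAN subnets and interface names are assumptions."""
import ipaddress
from typing import List, Optional, Tuple


class Route:
    """One forwarding entry: either a next hop or a directly attached interface."""

    def __init__(self, prefix: str, next_hop: Optional[str] = None, iface: Optional[str] = None):
        self.prefix = ipaddress.ip_network(prefix)
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None
        self.iface = iface


class Fib:
    def __init__(self, routes: List[Route]):
        self.routes = routes

    def lookup(self, dst) -> Optional[Route]:
        """Longest-prefix match, as a router does for every packet."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def egress(self, dst) -> Optional[str]:
        """Recursive resolution: follow next hops until an interface is found."""
        for _ in range(8):  # bound the recursion
            route = self.lookup(dst)
            if route is None:
                return None
            if route.iface:
                return route.iface
            dst = route.next_hop
        return None


# Router A as in Bell's first attempt (assumed: /24 WAN subnet, ISP gateway 1.1.1.254)
_A_BASE = [
    Route("192.168.1.0/24", iface="f0/0"),      # LAN, connected
    Route("1.1.1.0/24", iface="s0/0"),          # WAN, connected
    Route("0.0.0.0/0", next_hop="1.1.1.254"),   # default toward the ISP
]
ROUTER_A_STATIC = Fib(_A_BASE + [Route("192.168.2.0/24", next_hop="2.2.2.2")])
ROUTER_A_TUNNEL = Fib(_A_BASE + [Route("192.168.2.0/24", iface="Tunnel0")])
TUNNEL_DST = "2.2.2.2"   # outer destination a Tunnel0 would put on the wire

# The ISP knows the public prefixes only; there is no 192.168.0.0/16 anywhere in its table
ISP = Fib([Route("1.1.1.0/24", iface="to-A"), Route("2.2.2.0/24", iface="to-B")])

ROUTER_B = Fib([
    Route("192.168.2.0/24", iface="f0/0"),
    Route("2.2.2.0/24", iface="s0/0"),
    Route("0.0.0.0/0", next_hop="2.2.2.254"),
])


def forward(router_a: Fib, dst: str) -> Tuple[str, list]:
    """Trace a packet from a Building A host toward dst; returns (outcome, hops)."""
    hops = []
    egress = router_a.egress(dst)
    if egress is None:
        return "dropped at A: no route", hops
    # Only a tunnel interface changes what the ISP sees; a plain next hop does not
    wire_dst = TUNNEL_DST if egress == "Tunnel0" else dst
    hops.append(("A", egress, wire_dst))
    isp_egress = ISP.egress(wire_dst)
    if isp_egress is None:
        hops.append(("ISP", None, wire_dst))
        return "dropped at ISP: no route to %s" % wire_dst, hops
    hops.append(("ISP", isp_egress, wire_dst))
    # Router B strips the outer header (if any) and forwards on the private destination
    b_egress = ROUTER_B.egress(dst)
    hops.append(("B", b_egress, dst))
    return "delivered via B %s" % b_egress, hops


if __name__ == "__main__":
    for fib in (ROUTER_A_STATIC, ROUTER_A_TUNNEL):
        print(forward(fib, "192.168.2.20"))
```

The static route installs and resolves recursively to s0/0, so the router accepts it; the packet simply leaves toward the ISP still addressed to 192.168.2.20, and the ISP has no route for that (providers also filter RFC 1918 destinations). With a route to a tunnel interface instead, the ISP only sees the outer 2.2.2.2 destination, while ordinary Internet traffic (8.8.8.8 in the test) still leaves s0/0 untunneled.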
Cluebird (Instructor)
25 Feb 10 20:00
Some options:

1. Use PAT (NAT overload in Cisco-lingo).
2. GRE Tunnel
3. IP/IP Tunnel
4. IPSec Tunnel
5. GRE/IPSec Tunnel

How complex and secure do you need it? Also, how many inside hosts? I'd do PAT based on what you say.

HTH
LingaringBell (IS/IT--Management)
25 Feb 10 20:59
Thanks for the suggestions, I've never set up a tunnel before so I think I'll try PAT.  Honestly though, I am kind of confused about how this will work, since in essence, I need to go from private IP, to public IP, to private again.  If I go back to my example of:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Has IP address 2.2.2.3 directed towards it
Private LAN in Building B is 192.168.2.0/24

On router A, would I put in:

ip nat pool mypool 2.2.2.3 2.2.2.3 prefix-length 30
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat outside source list 1 pool mypool overload

But then what do I put on router B?  If I had to guess it would be:

ip nat pool mypool 2.2.2.3 2.2.2.3 prefix-length 30
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 pool mypool overload


But I feel like I'm missing a point somewhere.

To answer your other questions, it does not have to be complex or secure (though complex is always fun).  I have roughly 150-200 hosts in each building.  Thanks for your help.
-Bell
 
unclerico (IS/IT--Management)
25 Feb 10 22:30
Honestly, I'd run a GRE over IPsec tunnel and run OSPF, RIP, or EIGRP across both the PtP link and the GRE/IPsec tunnel. This way the routing protocol will dynamically reroute your traffic should the private link go down.


Cluebird (Instructor)
25 Feb 10 22:44
For PAT, I'd do the inside source this way, which may be easier (I'll assume a serial0/0 interface for the WAN side since you didn't specify what you're using):

A

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat inside source list 1 interface s0/0 overload

ip route 0.0.0.0 0.0.0.0 s0/0

interface f0/0
 ip nat inside
interface s0/0
 ip nat outside

B
access-list 1 permit 192.168.2.0 0.0.0.255

ip nat inside source list 1 interface s0/0 overload

ip route 0.0.0.0 0.0.0.0 s0/0

interface f0/0
 ip nat inside
interface s0/0
 ip nat outside

There are lots of variations with NAT/PAT, but this is about the easiest way to make it work.

HTH

 
LingaringBell (IS/IT--Management)
25 Feb 10 23:03
unclerico, could you recommend some good reading on setting up a GRE over IPsec tunnel?

Cluebird, I don't think what you are suggesting is correct, or you are misunderstanding what I'm asking.  If you look at my example again for the routers:

Router in Building A has public IP 1.1.1.1
Private LAN in Building A is 192.168.1.0/24

Router in Building B has public IP 2.2.2.2
Has IP address 2.2.2.3 directed towards it
Private LAN in Building B is 192.168.2.0/24


If I put in your commands I would just be setting up a standard incoming NAT pool.  What I want is to have the devices in building A, on LAN 192.168.1.0/24, to be able to get to devices in building B, on LAN 192.168.2.0/24.  So, in building A I need to have a NAT rule that takes any addresses on 192.168.2.0/24 and translates them into a public IP, so they can go out into the public net, and get to the WAN interface of router B.  And then they need to be changed back into their proper private IPs at that point.

As in my original post, I still don't really understand why I can't just use a static route on router A that looks like:

ip route 192.168.2.0 255.255.255.0 2.2.2.2
 
burtsbees (Programmer)
25 Feb 10 23:41
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

I agree---with a GRE tunnel, you can pass any protocol through, and with IPsec, you'll be protected against several types of attacks (including man-in-the-middle, to which in your situation you'd be somewhat vulnerable).

I'd give Uncle a star too---I think he hit it right on the head. Of course, Clue deserves his props as well;)

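
What GRE actually does on the wire, and what plain GRE leaves readable to anyone on the path (the reason IPsec gets layered on top), as an added byte-level example; this is not code from the thread or from Cisco. It builds the RFC 2784 GRE header and an RFC 791 outer IPv4 header with `struct` only, using the thread's placeholder addresses; the inner payload and the use of IP protocol 253 (experimental) for it are constructed.

```python
"""Added example (not from the thread or Cisco): GRE-in-IPv4 encapsulation and
decapsulation at the byte level. The outer header carries the public tunnel
endpoints, so the ISP forwards it; Router B restores the private inner packet.
Addresses are the thread's placeholders; the payload is constructed."""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; evaluates to 0 over a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill in checksum
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (header fields, payload); rejects a wrong version or bad checksum."""
    ver_ihl, _tos, tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    fields = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
              "proto": proto, "ttl": ttl}
    return fields, pkt[ihl:tlen]


def gre_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Router A's tunnel interface: wrap the private packet in GRE plus a public outer header."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre_hdr + inner)


def gre_decap(wire: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Router B's tunnel interface: accept only the configured peer and return the inner packet."""
    outer, body = parse_ipv4(wire)
    if outer["proto"] != GRE_PROTO or (outer["src"], outer["dst"]) != (tunnel_src, tunnel_dst):
        raise ValueError("not our tunnel")
    flags, ptype = struct.unpack("!HH", body[:4])
    if flags & 0xB000 or flags & 0x0007:  # C, K or S bit set, or GRE version != 0
        raise ValueError("unsupported GRE header")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE payload type")
    return body[4:]


def on_path_view(wire: bytes):
    """What any hop between 1.1.1.1 and 2.2.2.2 can read from plain (non-IPsec) GRE."""
    outer, body = parse_ipv4(wire)
    inner, payload = parse_ipv4(body[4:])
    return {"outer": outer, "inner": inner, "payload": payload}


def demo():
    # Constructed packet from a Building A host to a Building B host (proto 253 = experimental)
    inner = ipv4_packet("192.168.1.10", "192.168.2.20", 253, b"hello from building A")
    wire = gre_encap(inner, "1.1.1.1", "2.2.2.2")
    return inner, wire


if __name__ == "__main__":
    _inner, _wire = demo()
    print(on_path_view(_wire))
```

The decapsulator checks the outer source as well as the destination, but with GRE alone that is not authentication: the source address is trivially spoofable, and every inner address and byte of payload is visible to the path, which is exactly what ESP in the GRE-over-IPsec design hides.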

Cluebird (Instructor)
25 Feb 10 23:54
Based on your clarification, it sounds like the tunnel mechanism would be more helpful for you, as unclerico mentioned. What router models are you using? If you have SDM, there is a wizard that will step you through exactly this solution for the routers.

Here's a link to the design guide:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008073a0c5.pdf

HTH

 
LingaringBell (IS/IT--Management)
26 Feb 10 0:10
I have a 1700 and 1800 series.  A question about a GRE Tunnel that I didn't think of before.  If I set up a tunnel on an internet line, can that line only be used for the tunnel and not other normal outbound traffic?
Cluebird (Instructor)
26 Feb 10 8:08
Absolutely not. The link can carry tunneled or non-tunneled traffic. You choose what goes through the tunnel by defining ACLs.
Minue (TechnicalUser)
27 Feb 10 8:13
Hello
   Have you resolved your problem? If not, I am willing to give you a hand with the design and configuration. You could start with a GRE tunnel that will kick in when the primary link goes down. Once it's up and running we can throw in IPsec for security.

Best regards
