Duplicate Remote Lan Subnets VPN

Answered Question
May 22nd, 2007

Hello Experts,

I have 2 duplicate REMOTE LANs connecting via VPN with the IP address of 192.168.70.x and 192.168.70.x

One is already working but I don't know how to add the second one which is enumerated exactly the same. Not quite sure on how to apply the NAT on my Local Router for the second duplicate subnet.

I found this article but it talks about duplicate lans on both sides and it does NOT apply

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Is there anything similar but with 2 REMOTE LAN Subnets?

Thanks,

Randall

Jon Marshall Tue, 05/22/2007 - 22:43

Hi Randall

You will need to NAT one of the 192.168.70.x subnets at the remote end so by the time they reach your VPN device they are not seen as 192.168.70.x.

You can either do a one-for-one NAT: choose a subnet that is not in use anywhere else on your network, e.g.

192.168.5.0/24

and then set up a NAT pool on the remote device that translates any 192.168.70.x address to a 192.168.5.x address.

Or

You can hide all the 192.168.70.x addresses behind one address at the remote end.

Either way you need to ensure that by the time the traffic reaches your VPN device the source addresses are no longer 192.168.70.x addresses.

HTH

Jon

ranbeckycr Wed, 05/23/2007 - 05:20

Hi Jon,

Thanks for your time on the response. Based on your description I pretty much need to fix the NAT on the REMOTE End Router and NOT the local router.

Is there any way that we can make this happen on the Local Router since I don't have control over the Remote End since it is a Third Party?

Thanks,

Randall

Correct Answer
Jon Marshall Wed, 05/23/2007 - 05:28

Hi Randall

AFAIK you will have to do it on the remote end. The problem is that if you have the same address, e.g. 192.168.1.70, arriving from both sites at the same time, the VPN device at your end will get very confused as to where the return traffic should go.

You can NAT the source IP addresses on your local router for one set of the 192.168.70.x addresses, but I still think the VPN device would not be able to determine which tunnel to send the traffic down on the return path.

I appreciate it's not always easy to get the 3rd party to do something, but I think this is your only choice.

HTH

Jon
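As an added illustration that is not part of the thread, a small Python model of the two points above: the return-path ambiguity the VPN device faces when both tunnels claim 192.168.70.0/24, and the one-for-one translation of one site into a spare 192.168.5.0/24 from the earlier reply. The tunnel names "siteA"/"siteB" and the host 192.168.70.25 are constructed.

```python
import ipaddress

# Constructed scenario from the thread: both remote sites use 192.168.70.0/24.
REAL = "192.168.70.0/24"
NAT_POOL = "192.168.5.0/24"   # spare subnet chosen for site B, as suggested above


def select_tunnel(dst_ip, tunnels):
    """Return the single tunnel whose remote prefix contains dst_ip.

    tunnels: dict of tunnel name -> remote prefix. Raises ValueError when the
    destination matches more than one tunnel, which is exactly the
    return-path problem the VPN device has with overlapping remote LANs."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [name for name, prefix in tunnels.items()
               if dst in ipaddress.ip_network(prefix)]
    if len(matches) != 1:
        raise ValueError(f"{dst_ip} matches {matches or 'no'} tunnel(s)")
    return matches[0]


def translate_one_to_one(src_ip, real_prefix, nat_prefix):
    """One-for-one network NAT: keep the host part, swap the network part."""
    real = ipaddress.ip_network(real_prefix)
    nat = ipaddress.ip_network(nat_prefix)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("one-for-one NAT needs equal-sized prefixes")
    host_offset = int(ipaddress.ip_address(src_ip)) - int(real.network_address)
    return str(nat.network_address + host_offset)


def before_nat():
    """Both tunnels advertise 192.168.70.0/24: return traffic is ambiguous."""
    tunnels = {"siteA": REAL, "siteB": REAL}
    try:
        return select_tunnel("192.168.70.25", tunnels)
    except ValueError as err:
        return str(err)


def after_nat():
    """Site B is translated to 192.168.5.x before it reaches the VPN device,
    so each destination now maps to exactly one tunnel."""
    tunnels = {"siteA": REAL, "siteB": NAT_POOL}
    translated = translate_one_to_one("192.168.70.25", REAL, NAT_POOL)
    return (translated,
            select_tunnel("192.168.70.25", tunnels),
            select_tunnel(translated, tunnels))
```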

Jon Marshall Wed, 05/23/2007 - 05:38

Randall

Just a quick thought. Are the local subnets that the remote sites are accessing the same subnets or hosts? If there was no overlap between the local hosts/subnets that were being accessed then you could try doing NAT at your end.

Still not entirely sure it would work...

Jon
