Urgent: NAT

Jul 19th, 2007

Hi,

I have a router in the center and have 10 Remote-sites that use the same subnet

Remote-site 1 : Subnet 192.168.1.0/24

Remote-site 2 : Subnet 192.168.1.0/24

Remote-site 3 : Subnet 192.168.1.0/24

and so on

Is there any way to connect to these subnets at the same time from the same router using VPN tunnels?

Paolo Bevilacqua Thu, 07/19/2007 - 13:44

You would need to run NAT at each of the remote sites. That would prevent you having connectivity between remote sites, so I suggest you renumber them to have different subnets, and configure NAT to access the Internet at central site only.

Hope this helps, please rate post if it does!

giaaaj Thu, 07/19/2007 - 13:53

Thanks for replying, Paolo,

The installations at the remote sites cannot be changed. What about if I use different IPsec virtual interfaces (a virtual interface for each connection) and do route-map based NAT? Will this work?

Thx

Ali

Paolo Bevilacqua Thu, 07/19/2007 - 14:35

Honestly I don't see how that would work. It was a bad design in the first place to give the same address to all the locations if these were meant to communicate.

Jon Marshall Thu, 07/19/2007 - 18:46

Hi

As Paolo says, it's not a good design to have the same subnet at each location, but I think the answer to your question is yes, it can be done, but it's messy.

For each remote subnet you need to NAT this to some other unique subnet range, e.g.

Remote site 1 192.168.1.0/24 -> 172.16.1.0/24

Remote site 2 192.168.2.0/24 -> 172.16.2.0/24

etc.

The NAT translations will have to be done on each remote site router.

Then you create your VPN tunnels based on the translated addresses.

From the HQ site to talk to 192.168.1.10 at site 1 you would use the address 172.16.1.10.

To talk to 192.168.1.10 at site 2 you would use the address 172.16.2.10.

The spokes could also talk to each other with this, i.e.

site 1 192.168.1.10 talks to site 2 192.168.1.10

becomes

site 1 172.16.1.10 talks to site 2 172.16.2.10

This will work, but as I say it is very messy and NAT can and does break certain applications.

I appreciate what you say about not being able to change addresses but the amount of extra configuration and complexity needed to make this work would make readdressing the far simpler option.

HTH

Jon
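The per-site translation scheme described in the reply above, modeled as an added example that is not part of the original thread: each site keeps 192.168.1.0/24 locally and is presented as 172.16.N.0/24, with the host part preserved. The 172.16.0.0/16 pool, the `reserved` parameter and all function names are assumptions made for illustration.

```python
import ipaddress

REAL_LAN = ipaddress.ip_network("192.168.1.0/24")  # identical LAN at every site (from the thread)
NAT_POOL = ipaddress.ip_network("172.16.0.0/16")   # assumed pool; the thread uses 172.16.N.0/24


def build_plan(site_count, reserved=()):
    """Give site N the translated subnet 172.16.N.0/24, rejecting any collision."""
    reserved = [ipaddress.ip_network(r) for r in reserved]
    subnets = list(NAT_POOL.subnets(new_prefix=REAL_LAN.prefixlen))
    plan = {}
    for site in range(1, site_count + 1):
        if site >= len(subnets):
            raise ValueError("NAT pool exhausted")
        candidate = subnets[site]  # index N is 172.16.N.0/24
        for other in [REAL_LAN, *reserved, *plan.values()]:
            if candidate.overlaps(other):
                raise ValueError(f"site {site}: {candidate} overlaps {other}")
        plan[site] = candidate
    return plan


def to_translated(plan, site, real_ip):
    """Address HQ (or another spoke) uses to reach real_ip at the given site."""
    real_ip = ipaddress.ip_address(real_ip)
    if real_ip not in REAL_LAN:
        raise ValueError(f"{real_ip} is not in {REAL_LAN}")
    host_bits = int(real_ip) - int(REAL_LAN.network_address)
    return plan[site].network_address + host_bits


def to_real(plan, translated_ip):
    """Reverse lookup: which site and real host a translated address refers to."""
    translated_ip = ipaddress.ip_address(translated_ip)
    for site, subnet in plan.items():
        if translated_ip in subnet:
            host_bits = int(translated_ip) - int(subnet.network_address)
            return site, REAL_LAN.network_address + host_bits
    raise LookupError(f"{translated_ip} is not in any site's translated range")


if __name__ == "__main__":
    plan = build_plan(10)
    for site in (1, 2):
        print(f"site {site}: 192.168.1.10 -> {to_translated(plan, site, '192.168.1.10')}")
```

Passing the central site's own subnets as `reserved` makes the plan fail early if a translated range would collide with addresses already routed at HQ.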
