Urgent: NAT

Jul 19th, 2007

Hi,

I have a router in the center and have 10 Remote-sites that use the same subnet

Remote-site 1 : Subnet 192.168.1.0/24

Remote-site 2 : Subnet 192.168.1.0/24

Remote-site 3 : Subnet 192.168.1.0/24

and so on

Is there any way to connect to these subnets at the same time from the same router using VPN tunnels?





paolo bevilacqua Thu, 07/19/2007 - 13:44

You would need to run NAT at each of the remote sites. That would prevent you having connectivity between remote sites, so I suggest you renumber them to have different subnets, and configure NAT to access the Internet at central site only.


Hope this helps, please rate post if it does!

giaaaj Thu, 07/19/2007 - 13:53

Thanks for replying, Paolo,

The installations at the remote sites cannot be changed. What about if I use different IPsec virtual interfaces (a virtual interface for each connection) and do route-map-based NAT? Will this work?


Thx


Ali

paolo bevilacqua Thu, 07/19/2007 - 14:35

Honestly I don't see how that would work. It was a bad design in the first place to give the same address to all the locations if these were meant to communicate.

Jon Marshall Thu, 07/19/2007 - 18:46

Hi


As Paolo says it's not a good design to have the same subnet at each location, but I think the answer to your question is yes, it can be done, but it's messy.


For each remote subnet you need to NAT this to some other unique subnet range eg.


Remote site 1 192.168.1.0/24 -> 172.16.1.0/24

Remote site 2 192.168.2.0/24 -> 172.16.2.0/24


etc.


The NAT translations will have to be done on each remote site router.


Then you create your VPN tunnels based on the translated addresses.


From the HQ site to talk to 192.168.1.10 at site 1 you would use the address 172.16.1.10.


To talk to 192.168.1.10 at site 2 you would use the address 172.16.2.10.


The spokes could also talk to each other with this, i.e.


site 1 192.168.1.10 talks to site 2 192.168.1.10


becomes


site 1 172.16.1.10 talks to site 2 172.16.2.10


This will work but, as I say, it is very messy and NAT can and does break certain applications.


I appreciate what you say about not being able to change addresses but the amount of extra configuration and complexity needed to make this work would make readdressing the far simpler option.


HTH


Jon
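The design Jon describes (translate each overlapping 192.168.1.0/24 to a unique 172.16.N.0/24 on the spoke router, then build the IPsec policy on the translated addresses) in Cisco IOS syntax, as an added illustration that is not part of the thread and not configuration from any of the posters. Interface names, the hub LAN 10.0.0.0/24, the WAN addresses 198.51.100.1 and 203.0.113.1, and the pre-shared key placeholder are all assumed for the example; only the 192.168.1.0/24 and 172.16.N.0/24 ranges come from the thread.

```cisco
! ===== Spoke router, site 1 (example, not from the thread) =====
! Assumed: LAN on Gi0/0, WAN on Gi0/1, hub LAN 10.0.0.0/24, hub peer 203.0.113.1
interface GigabitEthernet0/0
 description Site 1 LAN, real (overlapping) addresses 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN / IPsec endpoint (198.51.100.1 is a placeholder)
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
! Whole-subnet 1:1 static translation: 192.168.1.x <-> 172.16.1.x
! Site 2 would use 172.16.2.0, site 3 172.16.3.0, and so on.
ip nat inside source static network 192.168.1.0 172.16.1.0 /24
!
! The crypto ACL matches the TRANSLATED subnet: on the way out IOS applies
! inside-to-outside NAT before IPsec, so the tunnel only carries 172.16.1.x.
! Spoke-to-spoke traffic needs a second entry toward the other site's
! translated range (here 172.16.2.0/24 for site 2).
ip access-list extended VPN-SITE1
 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-SITE1
!
! ===== Hub router (example): one crypto map entry per spoke =====
! The hub never sees 192.168.1.0/24; every site is addressed by its
! translated range, so 172.16.2.10 is host 192.168.1.10 at site 2.
ip access-list extended VPN-TO-SITE1
 permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
ip access-list extended VPN-TO-SITE2
 permit ip 10.0.0.0 0.0.0.255 172.16.2.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TO-SITE1
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TO-SITE2
```

Two practical consequences follow from this layout. Because the translation is static and one-to-one, the hub can initiate connections to a spoke host (172.16.1.10 always means 192.168.1.10 at site 1), so the hub's firewall rules, IPsec policy and logging must all be written against the 172.16.N.0/24 ranges; an event logged at the hub for 172.16.2.10 has to be correlated with the site 2 router's NAT table to name the real host. And, as Jon notes, static network NAT rewrites only the IP header: protocols that carry their own addresses in the payload will still present 192.168.1.x to the far end and break unless an ALG handles them.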


