Overlapping address spaces and VPN

Answered Question
Aug 19th, 2007

I'm trying to get a VPN set up to allow a business partner access to our network. The problem is that the partner uses the same private address space as we do.

I'm trying to figure out how to use NAT to translate their internal addresses to different addresses as the packets come out of the VPN tunnel.

There is a Visio doc attached that shows "US" and "THEM". The "THEM" side does not use real IPs; I made this drawing because I'm getting an example set up in a lab environment, so I picked random numbers for the "THEM" IPs.

The PC(s) from the partner need access to two PCs on my side. I got it working to the point that the VPN tunnel comes up between the two PIX 501s and the destination IP is translated into a private IP, but I need help translating the remote source IPs into private IPs.

Here's some output from the PIX on the "US" (my) side.

Inbound ICMP echo request (len 32 id 2 seq 44033) 10.150.100.100 > 216.x.x.x > 10.220.2.10

The source of the packet is sent to the 216.x.x.x address, then translated to its real internal address of 10.220.2.10. I need to translate the 10.150.100.100 address to something else, so it doesn't mess up my network. Ideas? I'm a PIX n00b. Thanks in advance.

Correct Answer by Jon Marshall, Sun, 08/19/2007 - 10:53

Hi

Sorry, I don't have Visio on my home PC, but if you want to translate the source IP address of the incoming packets, e.g. translate 10.150.100.100 to 192.168.5.10:

static (outside,inside) 192.168.5.10 10.150.100.100 netmask 255.255.255.255

If you need to do a pool of source addresses you could do

nat (outside) 3 10.150.100.0 255.255.255.0 outside

global (inside) 3 192.168.5.10

HTH

Jon
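The two forms in Jon's answer (a one-to-one static and a nat/global pool for the remote subnet), modelled as an added Python example that is not from the thread or from Cisco. It assumes a constructed topology: the "US" side uses 10.0.0.0/8, the partner uses the overlapping 10.150.100.0/24, and the pool is rtjensen4's 192.168.4.10-192.168.4.15 range; it tracks xlates by address only, so the PAT a real PIX does with a single global address is not modelled.

```python
from ipaddress import ip_address, ip_network

def overlapping(local_nets, remote_nets):
    """Return (local, remote) pairs whose ranges collide: any hit means the remote
    side must be translated before its packets are released onto the inside."""
    return [(l, r) for l in map(ip_network, local_nets)
            for r in map(ip_network, remote_nets) if l.overlaps(r)]

def pool(first, last):
    """Expand a 'global (inside) N first-last' range into individual addresses."""
    return [str(ip_address(i)) for i in
            range(int(ip_address(first)), int(ip_address(last)) + 1)]

class OutsideNat:
    """Outside NAT on a PIX: traffic enters on 'outside' (the VPN) and leaves on
    'inside'. A 'static (outside,inside) MAPPED REAL' entry wins over the dynamic
    'nat (outside) N SUBNET outside' / 'global (inside) N POOL' pair; dynamic
    xlates are created on first sight and reused for that remote host."""

    def __init__(self, statics, nat_subnet, global_pool):
        self.static = {ip_address(real): ip_address(mapped) for mapped, real in statics}
        self.nat_subnet = ip_network(nat_subnet)
        self.free = [ip_address(g) for g in global_pool]  # unallocated pool addresses
        self.xlate = {}                                    # real remote -> mapped inside

    def inbound(self, src, dst):
        """Packet from the tunnel: rewrite the remote source. Returns (mapped_src, dst)
        or None when nothing matches (the PIX would drop the packet)."""
        src = ip_address(src)
        if src in self.static:
            return str(self.static[src]), dst
        if src not in self.nat_subnet:
            return None
        if src not in self.xlate:
            if not self.free:                               # pool exhausted
                return None
            self.xlate[src] = self.free.pop(0)
        return str(self.xlate[src]), dst

    def reply(self, src, dst):
        """Inside host answers the mapped address; restore the real remote IP."""
        dst = ip_address(dst)
        for real, mapped in list(self.static.items()) + list(self.xlate.items()):
            if mapped == dst:
                return src, str(real)
        return None
```

With the constructed values, overlapping(["10.0.0.0/8"], ["10.150.100.0/24"]) reports the collision, and OutsideNat([("192.168.5.10", "10.150.100.100")], "10.150.100.0/24", pool("192.168.4.10", "192.168.4.15")).inbound("10.150.100.100", "10.220.2.10") yields ("192.168.5.10", "10.220.2.10") because the static wins over the pool.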


longusernamessuck Fri, 08/24/2007 - 00:46

In my configuration, I tried

static (outside,inside) 192.168.16.90 10.18 netmask 255.255.255.255

which landed me with the following xlate:

Global 192.168.16.90 Local 10.0.0.18

At this point, my colleague at 10.18 lost all connectivity. No more internet... :)

How do you make the translation less intrusive?

rtjensen4 Fri, 08/24/2007 - 05:28

I'm not too sure how NAT statements are handled, but would it work to do the following:

global (inside) 3 192.168.4.10-192.168.4.15 netmask 255.255.255.0

nat (outside) 3 10.150.0.0 255.255.255.0 outside //Translates 10.150.0.0 coming through the VPN tunnel to the range 192.168.4.10-15

nat (outside) 0 0.0.0.0 0.0.0.0 0 0 //Skips the translate on anything else.
