Overlapping address spaces and VPN

Aug 19th, 2007

I'm trying to set up a VPN to allow a business partner access to our network. The problem is that the partner uses the same private address space as we do.

I'm trying to figure out how to translate (NAT) their internal address to a different address as the packets come out of the VPN tunnel.


There is a Visio Doc attached that shows "US" and "THEM". The "THEM" side does not use real IPs; I made this drawing because I'm getting an example set up in a Lab environment, so I picked random numbers for the "THEM" IPs.

The PC(s) from the partner need access to two PCs on my side. I got it working to the point that the VPN tunnel comes up between the two PIX501s, and translated the destination IP into a private IP, but need help translating the remote source IPs into private IPs.


Here's some output from the PIX on the "US" (My side).

Inbound ICMP echo request (len 32 id 2 seq 44033) 10.150.100.100 > 216.x.x.x > 10.220.2.10


The source of the packet is sent to the 216.x.x.x address then translated to its real internal address of 10.220.2.10. I need to translate the 10.150.100.100 address to something else, so it doesn't mess up my network. Ideas? I'm a PIX n00b. Thanks in advance.



Correct Answer
Jon Marshall Sun, 08/19/2007 - 10:53

Hi


Sorry, I don't have Visio on my home PC, but if you want to translate the source IP address of the incoming packets, e.g. translate 10.150.100.100 to 192.168.5.10:


static (outside,inside) 192.168.5.10 10.150.100.100 netmask 255.255.255.255


If you need to do a pool of source addresses you could do


nat (outside) 3 10.150.100.0 255.255.255.0 outside

global (inside) 3 192.168.5.10


HTH


Jon

longusernamessuck Fri, 08/24/2007 - 00:46

In my configuration, I tried


static (outside,inside) 192.168.16.90 10.18 netmask 255.255.255.255


which landed me with the following xlate:

Global 192.168.16.90 Local 10.0.0.18


At this point, my colleague at 10.18 lost all connectivity. No more internet... :)


How do you make the translation less intrusive?

rtjensen4 Fri, 08/24/2007 - 05:28

I'm not too sure how NAT statements are handled, but would it work to do the following:

global (inside) 3 192.168.4.10-192.168.4.15 netmask 255.255.255.0


nat (outside) 3 10.150.0.0 255.255.255.0 outside //Translates 10.150.0.0 coming through VPN tunnel to the range 192.168.4.10-15

nat (outside) 0 0.0.0.0 0.0.0.0 0 0 //Skips the translate on anything else.
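
A pre-change check for the translations discussed in this thread, as an added Python example that is not part of any post: it expands shorthand such as 10.18 the way the xlate output above shows, flags a real address that belongs to a local network, and compares a global pool with the size of its source network. The function names and the INSIDE and REMOTE network lists are assumptions made for illustration.

```python
import ipaddress

def expand_legacy(addr):
    """Expand a 1-4 part decimal address the way inet_aton-style parsers do:
    the last part fills all remaining low-order bytes, so '10.18' -> 10.0.0.18."""
    parts = [int(p) for p in addr.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address: {addr!r}")
    *head, tail = parts
    if any(not 0 <= p <= 255 for p in head) or not 0 <= tail < 256 ** (4 - len(head)):
        raise ValueError(f"bad address: {addr!r}")
    value = tail
    for i, p in enumerate(head):
        value |= p << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def check_rule(real, mapped, inside_nets, remote_nets):
    """Findings for one planned translation: remote `real` host shown inside as `mapped`."""
    findings, resolved = [], {}
    for label, text in (("real", real), ("mapped", mapped)):
        resolved[label] = expand_legacy(text)
        if str(resolved[label]) != text:
            findings.append(f"{label} {text!r} is shorthand, parsed as {resolved[label]}")
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    if any(resolved["real"] in n for n in inside):
        findings.append(f"real {resolved['real']} belongs to a local network")
    if any(resolved["mapped"] in n for n in inside + remote):
        findings.append(f"mapped {resolved['mapped']} collides with a range in use")
    return findings

def pool_shortfall(source_net, pool_first, pool_last):
    """How many hosts of source_net cannot get their own address from the pool."""
    hosts = ipaddress.ip_network(source_net).num_addresses - 2
    first, last = ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last)
    return max(0, hosts - (int(last) - int(first) + 1))

# Constructed lab values: the addresses come from the thread, the network lists are assumed.
INSIDE = ["10.220.2.0/24", "10.0.0.0/24"]
REMOTE = ["10.150.100.0/24"]

if __name__ == "__main__":
    for real, mapped in (("10.150.100.100", "192.168.5.10"), ("10.18", "192.168.16.90")):
        print(real, "->", mapped, check_rule(real, mapped, INSIDE, REMOTE) or "ok")
    print("hosts without their own pool address:",
          pool_shortfall("10.150.0.0/24", "192.168.4.10", "192.168.4.15"))
```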
