network overlapping

Unanswered Question
Nov 1st, 2007

dear all,

I want to establish a site-to-site VPN, but both sites are using the same IP network, so I have to overlap this. I did the configuration, but when I try to ping it times out. After running commands on the router I found out that remote network (VPN) traffic is routed to the Internet.

# show ip nat translation

icmp 10.5.125.101:1 10.10.10.63:1 67.15.104.48:1 67.15.104.48:1

udp 10.5.125.101:16618 10.10.10.63:16618 192.168.1.100:5060 192.168.1.100:5060

Currently I am doing source NAT using 10.5.125.101, whereas my local IP address is 10.10.10.63.

my router config is

crypto isakmp key xxx address 210.19.20.12 no-xauth

crypto map worldnow 23 ipsec-isakmp

set peer 210.19.20.12

set transform-set world

match address 193

interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address 202.x.x.10 255.255.255.252

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1375

duplex auto

speed auto

crypto map world

interface FastEthernet1

ip address 10.10.10.1 255.255.255.0

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

ip nat pool netover 10.5.125.101 10.5.125.101 prefix-length 24

ip nat inside source list 7 pool netover

access-list 7 permit 10.10.10.62

access-list 7 permit 10.10.10.63

access-list 7 permit 10.10.10.61

access-list 7 permit 10.10.10.64

access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.8.13.113

access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.8.1.71

access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.8.1.72

access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.3.22.51

access-list 193 permit ip 10.10.10.0 0.0.0.255 host 10.5.3.101

Any idea how to solve this?

thanks

Jon Marshall Thu, 11/01/2007 - 03:08

Hi

It's a little unclear what the exact problem is from your description. Could you have a look at the following document which explains how to setup a site to site VPN between two routers using the same local subnet.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Please come back with any further questions after reading the doc.

HTH

Jon

ammadshah Thu, 11/01/2007 - 22:21

Thanks Marshall,

this is exactly what I want, but I am unable to understand one point defined in that link.

NAT pools 172.18.x.x and 172.19.x.x are defined; what is the purpose of these two pools?

My peer site only provided me a single IP address to source NAT to.

Kindly help to resolve this.

thanks.

Jon Marshall Fri, 11/02/2007 - 03:38

Hi

That's fine. If you don't need to use a NAT pool but just one IP address, then use that instead. It will still work.

Jon

ammadshah Fri, 11/02/2007 - 04:54

Dear Jon

I read the document you linked. It helped a lot to understand this. But my peer only told me to access their network hosts (only these: 10.8.13.113, 10.3.22.51, 10.5.3.101) using this IP, 10.5.125.101.

Can you please tell me what the proper "ip nat inside source ...." command is?

thanks,

Jon Marshall Fri, 11/02/2007 - 07:38

Hi

Instead of

ip nat inside source list 7 pool netover

try

ip nat inside source list 193 pool netover

HTH

Jon

sundell810 Fri, 11/02/2007 - 20:16

Don't just try, try to understand why it's not working.

Create a loopback, send all traffic coming from internal to it; this will get the addresses translated, then send them to the WAN interface to get encrypted.

good luck

Jon Marshall Sat, 11/03/2007 - 00:55

Hi

When i put "instead of this try that" it was not through a lack of understanding. I would not tell someone to just try and do something if i did not think that was the solution. Perhaps it is just a matter of semantics - maybe you would have been happier if i had said "do this instead". ???

The original poster wants to do conditional NAT and for that his config was using the wrong access-list so he needs to use access-list 193 as this has both source and destination networks in it.

Jon

ammadshah Sun, 11/04/2007 - 22:43

First of all, thanks for all of your help.

But using this also didn't solve my problem.

ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.255.0

ip nat inside source list 193 pool netover

#debug ip nat

#

#sh ip nat translation

#

No output from the router.

sundell810 Mon, 11/05/2007 - 06:44

Hey, buddy, I didn't mean that, I am sorry if you felt being offended, didn't think too much when I was busy at typing.

koltl-gold Wed, 11/07/2007 - 06:56

Outbound crypto occurs after NAT (see http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml ). That's why your crypto ACL should be

access-list 193 permit ip host 10.5.125.101 host 10.8.13.113

...

Using a NAT pool instead of static NAT is appropriate as long as they don't want to connect back into your network.

Check counters in

sh crypto session det

sh access-list

ammadshah Wed, 11/07/2007 - 22:36

Thanks koltl,

this solved the problem. But now I have another issue. I have a list of local-network hosts that need to access remote servers (10.8.13.113, 10.8.1.71, 10.8.72, 10.5.3.102).

Some local-net hosts are able to access the remote hosts but some are not.

Success host 10.10.10.63

c:\ping 10.8.1.71

Reply from 10.8.1.71: bytes=32 time=442ms TTL=122

Reply from 10.8.1.71: bytes=32 time=286ms TTL=122

router#debug ip nat

000311: Nov 8 11:22:17.540 PCTime: NAT*: s=10.10.10.63->10.5.125.101, d=10.8.1.71 [11121]

000312: Nov 8 11:22:18.460 PCTime: NAT*: s=10.8.1.71, d=10.5.125.101->10.10.10.63 [22866]

000313: Nov 8 11:22:18.540 PCTime: NAT*: s=10.10.10.63->10.5.125.101, d=10.8.1.71 [11123]

router#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 10.5.125.101 10.5.125.101 --- ---

icmp 10.5.125.101:1 10.10.10.63:1 10.8.1.71:1 10.8.1.71:1

--- 10.5.125.101 10.10.10.63 --- ---

Failure from another host 10.10.10.64

c:\ping 10.8.1.71

Request timed out.

Request timed out.

Request timed out.

Request timed out.

000337: Nov 8 11:34:33.456 PCTime: NAT: expiring 10.5.125.101 (10.10.10.63) icmp 1 (1)

000338: Nov 8 11:37:02.552 PCTime: NAT: translation failed (A), dropping packet s=10.10.10.64 d=10.8.1.71

000339: Nov 8 11:37:07.908 PCTime: NAT: translation failed (A), dropping packet s=10.10.10.64 d=10.8.1.71

000340: Nov 8 11:37:13.412 PCTime: NAT: translation failed (A), dropping packet s=10.10.10.64 d=10.8.1.71

my current configuration is

ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.255.0

ip nat inside source list 101 pool netover

access-list 101 permit ip host 10.10.10.61 host 10.8.13.113

access-list 101 permit ip host 10.10.10.61 host 10.8.1.71

access-list 101 permit ip host 10.10.10.61 host 10.8.1.72

access-list 101 permit ip host 10.10.10.61 host 10.5.3.101

access-list 101 permit ip host 10.10.10.61 host 10.3.22.51

access-list 101 permit ip host 10.10.10.62 host 10.8.13.113

access-list 101 permit ip host 10.10.10.62 host 10.8.1.71

access-list 101 permit ip host 10.10.10.62 host 10.8.1.72

access-list 101 permit ip host 10.10.10.62 host 10.5.3.101

access-list 101 permit ip host 10.10.10.62 host 10.3.22.51

access-list 101 permit ip host 10.10.10.63 host 10.8.13.113

access-list 101 permit ip host 10.10.10.63 host 10.8.1.71

access-list 101 permit ip host 10.10.10.63 host 10.8.1.72

access-list 101 permit ip host 10.10.10.63 host 10.5.3.101

access-list 101 permit ip host 10.10.10.63 host 10.3.22.51

access-list 101 permit ip host 10.10.10.64 host 10.8.13.113

access-list 101 permit ip host 10.10.10.64 host 10.8.1.71

access-list 101 permit ip host 10.10.10.64 host 10.8.1.72

access-list 101 permit ip host 10.10.10.64 host 10.5.3.101

access-list 101 permit ip host 10.10.10.64 host 10.3.22.51

access-list 193 permit ip host 10.5.125.101 host 10.8.1.71

access-list 193 permit ip host 10.5.125.101 host 10.8.1.72

access-list 193 permit ip host 10.5.125.101 host 10.8.13.113

access-list 193 permit ip host 10.5.125.101 host 10.5.3.101

access-list 193 permit ip host 10.5.125.101 host 10.3.22.51

I hope you can help me solve this also.

Thanks a lot.

ammadshah Fri, 11/09/2007 - 14:21

My current IOS version is

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)

I also applied the commands

config)# ip subnet-zero

#clear ip nat trans *

but I am unable to get a reply from some of the hosts, whereas my router displays some NAT translations.

Second, I want to add some important information: when I changed the following line

ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.255.0

to

ip nat pool netover 10.5.125.101 10.5.125.101 netmask 255.255.0.0

I was able to ping one more host from my LAN to the remote site.

I think with your experience and expertise I will be able to solve this issue also.

Thanks to all of you.

koltl-gold Sat, 11/10/2007 - 03:21

Append 'extendable' or 'overload' to this command:

ip nat inside source list 101 pool netover

It's a must for PAT.

Peter
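The two fixes in this thread (koltl-gold's point that outbound crypto is evaluated after NAT, so the crypto ACL has to match the translated source 10.5.125.101 rather than 10.10.10.0/24, and Peter's point that a single-address pool needs `overload` before a second inside host can be translated) can be checked against a small model of the router's inside-to-outside path. The script below is an added example written for this page, not code from the thread or from Cisco. It reuses the addresses and ACLs posted above, but the NAT and ACL behaviour is a deliberately simplified model (contiguous wildcard masks only, one-to-one pool versus PAT, no translation timeouts) and the disposition strings it returns are this example's own wording, not IOS output.

```python
"""Model of the IOS inside->outside order of operations behind this thread:
dynamic NAT runs first, then the crypto map's match ACL is checked against
the *translated* packet.  Addresses and ACLs are the ones posted in the
thread; the packet/NAT model itself is a simplification made for this example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def parse_ace(line: str) -> Tuple[Net, Net]:
    """Turn one 'access-list N permit ...' line into (src net, dst net).
    Standard form 'permit A' means host A to any; extended form
    'permit ip <side> <side>' takes 'host A', 'A WILDCARD' or 'any' per side.
    Only contiguous wildcard masks are representable here (model limitation)."""
    t = line.split()
    if t[3] != "ip":                       # standard ACL: source only, any destination
        return Net(t[3] + "/32"), Net("0.0.0.0/0")
    rest, nets = t[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(Net("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(Net(rest[1] + "/32")); rest = rest[2:]
        else:                              # ipaddress accepts a hostmask (wildcard) as mask
            nets.append(Net(f"{rest[0]}/{rest[1]}")); rest = rest[2:]
    return nets[0], nets[1]


def acl_permits(acl: List[str], src: IPv4, dst: IPv4) -> bool:
    """First-match semantics are irrelevant here because every entry is a permit."""
    return any(src in s and dst in d for s, d in map(parse_ace, acl))


class DynamicNat:
    """Model of 'ip nat inside source list <acl> pool <pool> [overload]'."""

    def __init__(self, acl: List[str], pool: List[IPv4], overload: bool = False):
        self.acl, self.pool, self.overload = acl, pool, overload
        self.bindings: Dict[IPv4, IPv4] = {}   # inside local -> inside global
        self.next_port = 1024

    def translate(self, src: IPv4, dst: IPv4, port: int) -> Optional[Tuple[IPv4, int]]:
        if not acl_permits(self.acl, src, dst):
            return src, port                    # not a NAT candidate: passes unchanged
        if self.overload:                       # PAT: one global address, ports rewritten
            self.next_port += 1
            return self.pool[0], self.next_port
        if src not in self.bindings:            # one-to-one: each inside host needs its own address
            free = [a for a in self.pool if a not in self.bindings.values()]
            if not free:
                return None                     # what the debug showed as 'translation failed (A)'
            self.bindings[src] = free[0]
        return self.bindings[src], port


def forward(nat: DynamicNat, crypto_acl: List[str], src: str, dst: str, port: int = 1) -> str:
    """Inside-to-outside path: NAT first, then the crypto ACL sees the translated source."""
    s, d = IPv4(src), IPv4(dst)
    t = nat.translate(s, d, port)
    if t is None:
        return "dropped: translation failed"
    g, p = t
    if acl_permits(crypto_acl, g, d):
        return f"encrypted {g}:{p}->{d}"
    return f"clear to Internet {g}:{p}->{d}"   # the original symptom: VPN traffic leaves unencrypted


# Addresses from the thread; the ACLs are generated to match the posted ones.
POOL = [IPv4("10.5.125.101")]
REMOTE = ["10.8.13.113", "10.8.1.71", "10.8.1.72", "10.5.3.101", "10.3.22.51"]
LOCAL = ["10.10.10.61", "10.10.10.62", "10.10.10.63", "10.10.10.64"]
ACL7 = [f"access-list 7 permit {h}" for h in LOCAL]
ACL101 = [f"access-list 101 permit ip host {l} host {r}" for l in LOCAL for r in REMOTE]
ACL193_ORIG = [f"access-list 193 permit ip 10.10.10.0 0.0.0.255 host {r}" for r in REMOTE]
ACL193_FIXED = [f"access-list 193 permit ip host 10.5.125.101 host {r}" for r in REMOTE]


def run_scenarios() -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    # 1. Original post: NAT on ACL 7, crypto ACL still written for the pre-NAT 10.10.10.0/24.
    nat = DynamicNat(ACL7, POOL)
    out["original"] = [forward(nat, ACL193_ORIG, "10.10.10.63", "10.8.1.71")]
    # 2. Crypto ACL fixed to the translated source, but the one-address pool is still one-to-one.
    nat = DynamicNat(ACL101, POOL)
    out["fixed_acl_no_overload"] = [forward(nat, ACL193_FIXED, h, "10.8.1.71")
                                    for h in ("10.10.10.63", "10.10.10.64")]
    # 3. 'overload' added: the single address becomes PAT and the second host works too.
    nat = DynamicNat(ACL101, POOL, overload=True)
    out["fixed_acl_overload"] = [forward(nat, ACL193_FIXED, h, "10.8.1.71")
                                 for h in ("10.10.10.63", "10.10.10.64")]
    return out


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(name, results)
```

Scenario 1 reproduces the first symptom in the thread: the packet is translated to 10.5.125.101, the crypto ACL written for 10.10.10.0/24 no longer matches it, and it leaves the WAN interface in the clear. Scenario 2 reproduces the second symptom: the first host is encrypted, the second is dropped because the pool has no free address. Scenario 3 is the final working state.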
