NATing with site-to-site tunnels on IOS routers with overlapping private IPs

Unanswered Question
Feb 1st, 2008

I am trying to NAT with site-to-site tunnels on IOS routers with overlapping private IP addresses. On the PIX/ASA it is rather easy.

static (Inside,Outside) 10.99.0.0 access-list 102

access-list 102 extended permit ip 10.1.0.0 255.255.0.0 host (public ip of other end of tunnel)

Your tunnel configuration is a given on both.

I have tried a command I found in a book, using a route-map, but it does not work:

ip nat inside source static 192.168.1.0 255.255.255.0 10.99.1.0 255.255.255.0 route-map AGVsoft no-alias

and then the route-map. The routers are running Advanced IP Services; one is a 2811 (12.4(11)T) and the other is an 871 (12.4(4)T).

I have been unable to find a solution on the net/Cisco anywhere other than the Cisco Security Manager.

Rick Morris Fri, 02/01/2008 - 13:26

I am not very clear on what you are wanting.

Are you saying you are setting up a VPN to another site that has overlapping IPs?

If that is the case, then you or the other end will have to NAT to an IP block you agree upon, or force them to NAT to their public IP, since all public space is unique to each site.

One thing I have done, for cases where the client would not use public addresses, is to have 2 IP ranges set up specifically for client NAT. I would assign them a pool of IPs, just like an ISP, and have them NAT to the IP block assigned.

For example:

Client A Has 10.50.0.0/16

This IP block is being used on your network already.

I would assign them a block, 10.199.0.0/29 or whatever size they needed, and they would need to set up NAT. Then, when building the ACL for traffic to that client, you use the block assigned.

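Putting the approach from the question and from Rick's reply into IOS terms, here is an added example configuration for one side of the tunnel. It is my own illustration, not code from the original post or from Cisco documentation, and it makes these assumptions: both sites use 192.168.1.0/24; Site A is presented to the tunnel as 10.99.1.0/24 and Site B as 10.99.2.0/24 (following the 10.99.x choice in the question); the LAN is FastEthernet0/1 and the WAN is FastEthernet0/0; the public peers are the documentation addresses 203.0.113.1 (A) and 198.51.100.1 (B); and the `route-map` keyword is accepted on `ip nat inside source static network` by the IOS release in use (the 12.4T command reference lists it, but confirm on the box). Two details are the ones that usually bite: the static translation must use the `network` form with a single mask or prefix length (the command in the question has no `network` keyword and two masks, which the parser rejects), and the crypto ACL must match the translated addresses, because IOS performs inside-to-outside NAT before it encrypts.

```cisco
! Site A router (example only; all addresses and interface names are assumptions)
! Overlap: 192.168.1.0/24 at both sites.
! Site A appears to the tunnel as 10.99.1.0/24, Site B as 10.99.2.0/24.

! 1. Hosts at Site A must address Site B hosts as 10.99.2.x (DNS or hosts
!    files on the A side), and vice versa; the tunnel never carries 192.168.1.x.

! 2. One-to-one network translation, but only for traffic selected by the
!    route-map, so Internet traffic is NOT stamped with 10.99.1.x.
!    Note the "network" keyword and the single "/24": the form
!    "static 192.168.1.0 255.255.255.0 10.99.1.0 255.255.255.0" is not valid.
!    (route-map on the static network form: check it is accepted on your release.)
ip nat inside source static network 192.168.1.0 10.99.1.0 /24 route-map RM-VPN-NAT

ip access-list extended ACL-TO-SITEB
 permit ip 192.168.1.0 0.0.0.255 10.99.2.0 0.0.0.255
route-map RM-VPN-NAT permit 10
 match ip address ACL-TO-SITEB

! 3. Normal overload NAT for everything else. VPN traffic is denied here as a
!    belt-and-braces measure so it can never be PATed to the WAN address.
ip access-list extended ACL-PAT
 deny   ip 192.168.1.0 0.0.0.255 10.99.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list ACL-PAT interface FastEthernet0/0 overload

! 4. Crypto ACL on POST-NAT addresses. IOS order of operations for inside->outside
!    is routing, then NAT, then crypto, so by the time the crypto map is consulted
!    the source is already 10.99.1.x. Site B's crypto ACL is the mirror image.
ip access-list extended ACL-CRYPTO-SITEB
 permit ip 10.99.1.0 0.0.0.255 10.99.2.0 0.0.0.255

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 198.51.100.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto map CM-SITEB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address ACL-CRYPTO-SITEB

interface FastEthernet0/1
 description LAN (overlapping 192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map CM-SITEB

! 5. Checks after a host at A pings 10.99.2.10:
!    show ip nat translations      -> 192.168.1.x <-> 10.99.1.x entries only for VPN flows
!    show crypto ipsec sa          -> SA with local 10.99.1.0/24, remote 10.99.2.0/24,
!                                     encaps/decaps counters incrementing
```

Site B applies the same template with the roles swapped (192.168.1.0/24 to 10.99.2.0/24, route-map matching destination 10.99.1.0/24, crypto ACL 10.99.2.0/24 to 10.99.1.0/24). Because the translation is a one-to-one network mapping rather than an overload pool, connections can be initiated from either side, which is what Rick's "assign them a block like an ISP" model gives you: the remote site is reachable at a unique block regardless of what it uses internally.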