02-29-2008 10:52 PM
Hi,
My current setup has two sites; consider them as A & B.
A has IP range 10.0.0.0/8
B has IP range 10.50.0.0/16
My doubt is whether IPSEC can be enabled between these 2 sites, which have overlapping IP address ranges. As far as I know, if any packet originates from A, let us assume source IP 10.0.0.5 to dest IP 10.50.0.10, the packet will not be relayed to site B, since it has a matching mask in it.
Please clarify whether IPSEC can be enabled between these sites and, if so, how it will not be affected by this overlapping issue.
Otherwise I have to go for an IP schema change at one of the sites, but that is difficult because this is a well-established site.
Thanks for your comments on the same.
03-01-2008 03:29 AM
Hi,
The more specific route still applies, i.e. the longer subnet.
I don't think your Site A is a single network segment of 10/8 - if it is, then 10.0.0.5 will not reach 10.50.0.10. When you subnet 10/8 in Site A, do not use 10.50/16 for Site A.
Regards,
Dandy
03-01-2008 09:39 AM
Thanks Dandy,
As per you, if I have 10.0.0.0/8 at Site A, then 10.50.0.0/16 must not be at Site B to establish IPSEC connectivity. Am I right?
If you agree with the above statement, then can you tell me the solution for the same without changing the schema at both sides?
03-08-2008 06:53 PM
You need to double NAT on both sides.

At site A, you NAT the source of 10.0.0.0/8 to 11.0.0.0/8 and the destination of 172.16.0.0/16.

At site B, you do the opposite: you NAT the source of 10.50.0.0/16 to 172.16.0.0/16 and the destination will be 11.0.0.0/8.

Now when the traffic from Site A reaches site B, you keep the source 11.0.0.0/8 the same but you de-NAT the destination of 172.16.0.0/16 back to 10.50.0.0/16.

The same thing applies to Site A as well. When source 172.16.0.0/16 gets to site A, you keep the source the same but de-NAT 11.0.0.0/8 to 10.0.0/8.

Easy, right?
CCIE Security
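
The double-NAT scheme from the last reply, traced for one packet, as an added example that is not code from any poster in the thread. It uses the thread's four ranges and assumes a static 1:1 network translation that keeps the host bits; the function names `translate`, `a_to_b` and `tunnel_ranges_are_distinct` are hypothetical.

```python
import ipaddress as ip

# Ranges exactly as given in the thread.
SITE_A = ip.ip_network("10.0.0.0/8")        # real addresses at site A
SITE_B = ip.ip_network("10.50.0.0/16")      # real addresses at site B
A_MAPPED = ip.ip_network("11.0.0.0/8")      # how site A appears to site B
B_MAPPED = ip.ip_network("172.16.0.0/16")   # how site B appears to site A


def translate(addr, real, mapped):
    """Assumed static 1:1 network NAT: swap the prefix, keep the host bits."""
    addr = ip.ip_address(addr)
    if addr not in real:
        raise ValueError(f"{addr} is outside {real}")
    host_bits = int(addr) & int(real.hostmask)
    return ip.ip_address(int(mapped.network_address) | host_bits)


def a_to_b(src_real, dst_mapped):
    """Trace one packet from site A to site B.

    Returns its (source, destination) pair on the site A LAN, inside the
    tunnel, and on the site B LAN.
    """
    src, dst = ip.ip_address(src_real), ip.ip_address(dst_mapped)
    lan_a = (src, dst)
    # Site A gateway: source NAT 10/8 -> 11/8, destination untouched.
    tunnel = (translate(src, SITE_A, A_MAPPED), dst)
    # Site B gateway: source kept, destination de-NATed 172.16/16 -> 10.50/16.
    lan_b = (tunnel[0], translate(dst, B_MAPPED, SITE_B))
    return lan_a, tunnel, lan_b


def tunnel_ranges_are_distinct():
    """Inside the tunnel only the mapped ranges appear; they must not overlap."""
    return not A_MAPPED.overlaps(B_MAPPED)


if __name__ == "__main__":
    print("B inside A (the original problem):", SITE_B.subnet_of(SITE_A))
    for hop, (s, d) in zip(("LAN A", "tunnel", "LAN B"),
                           a_to_b("10.0.0.5", "172.16.0.10")):
        print(f"{hop:7} src={s} dst={d}")
    # A site A host that happens to sit at 10.50.0.10 stays distinguishable:
    print(translate("10.50.0.10", SITE_A, A_MAPPED), "vs",
          translate("10.50.0.10", SITE_B, B_MAPPED))
```

Hosts at site A address site B as 172.16.x.y, never as 10.50.x.y, so the destination no longer matches the local 10.0.0.0/8 and the packet is sent to the gateway.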