L2L ipsec - segments on both end points are the same

Unanswered Question
Nov 11th, 2009

We need to establish a site-to-site IPsec VPN tunnel between sites. However, there is a major overlap of internal private segments, i.e. we both have 192.168.x.x, 10.1.1.0 etc.

How can this be resolved?

cisco24x7 Sat, 11/14/2009 - 08:26

That is NOT correct. You need to NAT on both sides. NAT on just one side will NOT work. Let me give you an example:

LAN_A=192.168.1.0/24

LAN_B=192.168.1.0/24

Requirements: establish an IPsec VPN between LAN_A and LAN_B.

As you can see, in this scenario you need to NAT on both sides, assuming you want bi-directional traffic between LAN_A and LAN_B. Here is what the traffic flows look like:

LAN_A ---> LAN_B: In this scenario, when traffic leaves LAN_A going to LAN_B, you want to NAT the source of LAN_A from 192.168.1.0/24 to 10.1.0.0/24, but you also want to specify the destination as 10.1.1.0/24. Traffic will flow from LAN_A to LAN_B.

When the traffic gets to LAN_B, LAN_B will see a source of 10.1.0.0/24 for a destination of 10.1.1.0/24. At this point, you want to keep the source address of 10.1.0.0/24 but translate the destination of 10.1.1.0/24 back to 192.168.1.0/24. Traffic gets to the destination of 192.168.1.0/24 without any issues.

LAN_B ---> LAN_A:

In this scenario, when traffic leaves LAN_B going to LAN_A, you want to NAT the source of LAN_A from 192.168.1.0/24 to 10.1.1.0/24, but you also want to specify the destination as 10.1.0.0/24. Traffic will flow from LAN_B to LAN_A.

When the traffic gets to LAN_A, LAN_A will see a source of 10.1.1.0/24 for a destination of 10.1.0.0/24. At this point, you want to keep the source address of 10.1.1.0/24 but translate the destination of 10.1.0.0/24 back to 192.168.1.0/24. Traffic gets to the destination of 192.168.1.0/24 without any issues.

On LAN_B, it will see the source traffic as 10.1.0.0/24, and on LAN_A, it will see the source traffic as 10.1.1.0/24. That's how you get around overlapping networks: by NAT'ing on both sides.

NAT on the Cisco ASA is quite confusing due to the security levels on the interfaces, and you have to be extremely careful about this or you will cause an outage.

Working with NAT like this on Checkpoint firewall, IMHO, is a bit more intuitive because of the UI and object-based firewall.

Hope this will help you resolve your issue. Good luck !!!
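The dual-NAT flow cisco24x7 walks through above, written out as an added Python simulation (not part of the original thread or any Cisco configuration). It uses the post's prefixes (192.168.1.0/24 on both LANs, 10.1.0.0/24 and 10.1.1.0/24 as the NAT prefixes), applies source NAT on the encrypting side and destination NAT on the decrypting side, and includes the planning check a practitioner wants first: the NAT prefixes must be unused at both sites and distinct from each other. The Gateway class, trace and plan_is_sound are constructed names for this illustration.

```python
import ipaddress

# Addresses from the post: both sites use the same real prefix, and each side
# presents a distinct NAT prefix across the tunnel so the peer never sees an overlap.
LAN_A = ipaddress.ip_network("192.168.1.0/24")
LAN_B = ipaddress.ip_network("192.168.1.0/24")
NAT_A = ipaddress.ip_network("10.1.0.0/24")  # how LAN_A appears to LAN_B
NAT_B = ipaddress.ip_network("10.1.1.0/24")  # how LAN_B appears to LAN_A

def remap(addr, from_net, to_net):
    """1:1 static network NAT: move addr from from_net to to_net, keeping the host bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("static network NAT needs equal-sized prefixes")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))

class Gateway:
    """One VPN endpoint doing dual NAT: source before encryption, destination after decryption."""
    def __init__(self, real, nat, peer_nat):
        self.real, self.nat, self.peer_nat = real, nat, peer_nat

    def encrypt(self, src, dst):
        # Only our real LAN talking to the peer's NAT prefix counts as VPN traffic.
        if not (src in self.real and dst in self.peer_nat):
            raise ValueError("packet does not match the VPN policy")
        return remap(src, self.real, self.nat), dst

    def decrypt(self, src, dst):
        # The inner packet carries the peer's NAT source and our own NAT destination.
        if not (src in self.peer_nat and dst in self.nat):
            raise ValueError("decrypted packet is outside the agreed NAT prefixes")
        return src, remap(dst, self.nat, self.real)

def trace(sender, receiver, src_host, dst_nat):
    """(src, dst) as seen on the sender's LAN, inside the tunnel, and on the receiver's LAN."""
    src, dst = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_nat)
    hops = [("sender LAN", src, dst)]
    src, dst = sender.encrypt(src, dst)
    hops.append(("inside tunnel", src, dst))
    src, dst = receiver.decrypt(src, dst)
    hops.append(("receiver LAN", src, dst))
    return hops

def plan_is_sound(lan_a, lan_b, nat_a, nat_b):
    """The NAT prefixes must differ from each other and be unused at both sites."""
    return not nat_a.overlaps(nat_b) and not any(
        n.overlaps(lan) for n in (nat_a, nat_b) for lan in (lan_a, lan_b))

GW_A, GW_B = Gateway(LAN_A, NAT_A, NAT_B), Gateway(LAN_B, NAT_B, NAT_A)
```

A host in LAN_A reaches its peer by the peer's NAT address (10.1.1.x), never by 192.168.1.x; `trace(GW_A, GW_B, "192.168.1.10", "10.1.1.20")` shows the packet leaving as 10.1.0.10 -> 10.1.1.20 and arriving as 10.1.0.10 -> 192.168.1.20.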

Collin Clark Mon, 11/16/2009 - 06:26

Perhaps you should focus on the Checkpoint and Linux forums instead of bashing this one.

mopaul Mon, 11/16/2009 - 19:27

Hi,

Just to add to what Collin and cisco24x7 said: to achieve this we need to do dual NAT on the ASA (assuming you have an ASA/PIX) rather than just source NAT. Either of the VPN-terminating end devices can handle the NAT, which will take care of both source and destination NAT for VPN traffic, i.e. NAT for the originating traffic and NAT for the decrypted packet respectively.

For an ASA/PIX on either end of the tunnel, please refer to the document below:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml

If you have Cisco routers, this might help:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

Hope this helps.

Regards

M
