11-11-2009 07:06 AM - edited 02-21-2020 04:22 PM
We need to establish a site-to-site IPsec VPN tunnel between sites. However, there is a major overlap of internal private segments, i.e. we both have 192.168.x.x, 10.1.1.0, etc.
How can this be resolved?
11-11-2009 07:25 AM
You'll have to NAT one side. Check the Information paragraph for some important restrictions.
Hope that helps.
11-14-2009 08:26 AM
That is NOT correct. You need to NAT on both sides. NAT just on one side will NOT work. Let me give you an example:
LAN_A=192.168.1.0/24
LAN_B=192.168.1.0/24
requirements: establish IPSec VPN between LAN_A and LAN_B
As you can see, in this scenario you need to NAT on both sides, assuming you want bi-directional traffic between LAN_A and LAN_B. Here is what the traffic flows look like:
LAN_A ---> LAN_B: In this scenario, when traffic leaves LAN_A going to LAN_B, you want to NAT the source of LAN_A from 192.168.1.0/24 to 10.1.0.0/24, but you also want to specify the destination as 10.1.1.0/24. Traffic will flow from LAN_A to LAN_B.
When traffic gets to LAN_B, LAN_B will see a source of 10.1.0.0/24 for a destination of 10.1.1.0/24. At this point, you want to keep the source address of 10.1.0.0/24 but translate the destination of 10.1.1.0/24 back to 192.168.1.0/24. Traffic gets to the destination of 192.168.1.0/24 without any issues.
LAN_B ---> LAN_A:
In this scenario, when traffic leaves LAN_B going to LAN_A, you want to NAT the source of LAN_A from 192.168.1.0/24 to 10.1.1.0/24, but you also want to specify the destination as 10.1.0.0/24. Traffic will flow from LAN_B to LAN_A.
When traffic gets to LAN_A, LAN_A will see a source of 10.1.1.0/24 for a destination of 10.1.0.0/24. At this point, you want to keep the source address of 10.1.1.0/24 but translate the destination of 10.1.0.0/24 back to 192.168.1.0/24. Traffic gets to the destination of 192.168.1.0/24 without any issues.
On LAN_B, it will see the source traffic as 10.1.0.0/24, and on LAN_A, it will see the source traffic as 10.1.1.0/24. That's how you get around overlapping networks: by NAT'ing on both sides.
NAT on the Cisco ASA is quite confusing due to the security levels on the interfaces, and you have to be extremely careful about this or you will cause an outage.
Working with NAT like this on a Checkpoint firewall, IMHO, is a bit more intuitive because of the UI and the object-based firewall.
Hope this will help you resolve your issue. Good luck !!!
11-16-2009 06:26 AM
Perhaps you should focus on the Checkpoint and Linux forums instead of bashing this one.
11-16-2009 07:27 PM
Hi,
Just to add to what Collin and cisco24x7 said: to achieve this we need to do dual NAT on the ASA (assuming you have an ASA/PIX) rather than just source NAT. Either of the VPN-terminating end devices can handle NAT, which will take care of both source and destination NAT for VPN traffic, i.e. NAT for the originating traffic and NAT for the decrypted packet respectively.
For an ASA/PIX on either end of the tunnel, please refer to the document below:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
If you have Cisco routers, this might help:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Hope this helps.
Regards
M
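The dual-NAT flow that cisco24x7 walks through above (source NAT on the encrypting side, destination NAT on the decrypting side, at each gateway) can be checked end to end with a small simulation. The following Python is an added example, not configuration from the thread or from Cisco; the gateway class, the `remap` helper, and the sample host addresses (192.168.1.10 on LAN_A, 192.168.1.20 on LAN_B, presented across the tunnel as 10.1.0.10 and 10.1.1.20) are all constructed for illustration. It also shows the reason one-sided NAT is problematic in this thread's scenario: a LAN_B host that sees a peer inside its own 192.168.1.0/24 will answer on-link and the reply never reaches the VPN gateway.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def remap(addr: str, from_net: str, to_net: str) -> str:
    """Static 1:1 NAT: keep the host part, swap the network prefix.

    Addresses outside from_net are returned unchanged, which is what lets the
    same helper serve as source NAT on one path and destination NAT on the other.
    """
    a = ipaddress.ip_address(addr)
    old = ipaddress.ip_network(from_net)
    new = ipaddress.ip_network(to_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    if a not in old:
        return addr
    return str(new.network_address + (int(a) - int(old.network_address)))


class VpnGateway:
    """One VPN endpoint doing dual NAT for its own LAN (hypothetical model).

    real_net: the overlapping prefix actually used inside the LAN
    nat_net:  the unique prefix this LAN is presented as across the tunnel
    The crypto 'interesting traffic' is assumed to be nat_net <-> peer nat_net.
    """

    def __init__(self, name: str, real_net: str, nat_net: str):
        self.name = name
        self.real_net = real_net
        self.nat_net = nat_net

    def encrypt_side(self, pkt: Packet) -> Packet:
        # LAN -> tunnel: translate the source from the real prefix to the NAT prefix
        return Packet(remap(pkt.src, self.real_net, self.nat_net), pkt.dst)

    def decrypt_side(self, pkt: Packet) -> Packet:
        # tunnel -> LAN: translate the destination from the NAT prefix back to the real prefix
        return Packet(pkt.src, remap(pkt.dst, self.nat_net, self.real_net))


def round_trip(gw_a: VpnGateway, gw_b: VpnGateway, host_a: str, nat_host_b: str):
    """host_a on LAN_A sends to a LAN_B host via its NAT identity.

    Returns (packet as delivered on LAN_B, reply as delivered back on LAN_A).
    """
    delivered = gw_b.decrypt_side(gw_a.encrypt_side(Packet(host_a, nat_host_b)))
    # The LAN_B host answers the source address it actually saw.
    reply = Packet(delivered.dst, delivered.src)
    returned = gw_a.decrypt_side(gw_b.encrypt_side(reply))
    return delivered, returned


def reply_leaves_lan(local_real_net: str, peer_addr: str) -> bool:
    """A host routes destinations inside its own subnet on-link, never to the gateway.

    False means the reply would never reach the VPN gateway, which is what
    happens when the peer's source was not translated out of the overlapping prefix.
    """
    return ipaddress.ip_address(peer_addr) not in ipaddress.ip_network(local_real_net)


# Constructed scenario: both LANs really use 192.168.1.0/24.
GW_A = VpnGateway("LAN_A", "192.168.1.0/24", "10.1.0.0/24")
GW_B = VpnGateway("LAN_B", "192.168.1.0/24", "10.1.1.0/24")


def demo():
    delivered, returned = round_trip(GW_A, GW_B, "192.168.1.10", "10.1.1.20")
    print(f"seen on LAN_B : {delivered.src} -> {delivered.dst}")
    print(f"reply on LAN_A: {returned.src} -> {returned.dst}")
    print("reply routable with dual NAT:", reply_leaves_lan(GW_B.real_net, delivered.src))
    print("reply routable with no source NAT:", reply_leaves_lan(GW_B.real_net, "192.168.1.10"))
    return delivered, returned


if __name__ == "__main__":
    demo()
```

The trace mirrors the thread: LAN_B sees the conversation as 10.1.0.10 -> 192.168.1.20, and the reply lands on LAN_A as 10.1.1.20 -> 192.168.1.10, so each side only ever addresses the peer by its unique NAT prefix and the overlap never appears on the wire inside the tunnel.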