VPN with same subnet ranges

Unanswered Question
Feb 9th, 2010


We need to set up a VPN from London to our Milan office; however, we have got the same IP ranges on each side of the tunnel. Milan users only need to access London servers; London users do not need to access Milan servers.

Please see the simple attached diagram. We don't manage the Milan VPN/firewall (SonicWall).

What can we do to get round this, please?

Andy White Fri, 02/12/2010 - 01:50

Hi Collin,

It's probably my bad network drawing skills: London is an ASA and Milan is a SonicWall. The SonicWall is not managed by me, and the people in Milan don't know how to use it, so they have to get someone in, costing money. Is there any way I can control this all from my ASA? They (only 5 users) only need to access servers on the inside of my ASA in London.

I was thinking, in theory, that if we created a VPN from London to Milan where the SAs were 2 different subnets we don't use, that way phase 1 and phase 2 will complete; then we have to fix the NAT or PAT?

E.g. the subnets that clash are all in the 192.168.x.x/24 range (some clash, some don't - messy), so the SAs could be:

Milan  -

London -

I'm thinking if Milan only need to come inbound to London, and they need to get to a server in London on IP (actual IP) then I could tell Milan it's on so the traffic comes over the VPN to London which see a request for which NAT's to

Apologies if I'm sounding basic

Collin Clark Fri, 02/12/2010 - 09:10

I may be off here, but your theory is exactly what you want to do, but you really only do it on one side. Unfortunately there is a caveat in this scenario (at least with Cisco equipment). The tunnel can only be established from one side. By that I mean Milan can send interesting traffic to London and the tunnel will be built. If the tunnel is down and London wants to connect to Milan, the tunnel will never be built. This doesn't fit well since you have no control over Milan and it's a SonicWall. Would it be easier/cheaper to re-address Milan?

Andy White Sat, 02/13/2010 - 08:18

I see what you mean. They (Milan) will be adding a couple of our routers to their ICMP polling servers to check the VPN is up; this should help, I guess, in the short term?
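The address planning behind the approach discussed in this thread, as an added example that is not part of the thread or of either poster's configuration: it finds which subnets clash, gives each a same-size alias from an unused pool, and computes the 1:1 address a Milan user would be told to use for a London server. All subnets, the pool `10.99.0.0/16` and the function names are constructed for illustration, since the thread's real addresses are not shown.

```python
import ipaddress as ip

# Constructed sample ranges (the thread's real addresses are not shown).
LONDON = [ip.ip_network(n) for n in ("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24")]
MILAN = [ip.ip_network(n) for n in ("192.168.1.0/24", "192.168.10.0/24", "192.168.50.0/24")]
POOL = ip.ip_network("10.99.0.0/16")  # assumed unused at both sites


def clashing(mine, theirs):
    """Subnets in `mine` that overlap any subnet in `theirs`."""
    return [m for m in mine if any(m.overlaps(t) for t in theirs)]


def allocate_aliases(nets, in_use, pool):
    """Give each subnet a same-size alias from `pool` that overlaps
    nothing in `in_use` and no alias handed out earlier."""
    taken, aliases = list(in_use), {}
    for net in nets:
        for cand in pool.subnets(new_prefix=net.prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                aliases[net] = cand
                taken.append(cand)
                break
        else:
            raise ValueError(f"pool {pool} exhausted while mapping {net}")
    return aliases


def to_alias(addr, aliases):
    """1:1 static translation: keep the host offset, swap the network."""
    a = ip.ip_address(addr)
    for real, alias in aliases.items():
        if a in real:
            return alias[int(a) - int(real.network_address)]
    return a  # address is not in a clashing subnet; leave it alone


def plan(london=LONDON, milan=MILAN, pool=POOL):
    """Aliases for both sides, so neither site sees its own range as remote."""
    used = london + milan
    london_alias = allocate_aliases(clashing(london, milan), used, pool)
    used = used + list(london_alias.values())
    milan_alias = allocate_aliases(clashing(milan, london), used, pool)
    return london_alias, milan_alias


if __name__ == "__main__":
    lon, mil = plan()
    for side, table in (("London", lon), ("Milan", mil)):
        for real, alias in table.items():
            print(f"{side}: {real} is presented across the tunnel as {alias}")
    print("Milan users reach 192.168.1.25 at", to_alias("192.168.1.25", lon))
```

The alias pairs are what the tunnel's interesting-traffic definition and the static NAT on the translating device would be built from; subnets that do not clash are left out of the plan.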

