Problem with site-site VPN having same subnets

Unanswered Question
Feb 15th, 2010

Hi,

Can somebody help me in configuring Site-site VPN having same subnets.

Example.

Site A: LAN network 192.168.1.0

Site B: LAN network 192.168.1.0

How do i go about it?

Jon Marshall Mon, 02/15/2010 - 05:15

mohaneternal wrote:

Hi,

Can somebody help me in configuring Site-site VPN having same subnets.

Example.

Site A: LAN network 192.168.1.0

Site B: LAN network 192.168.1.0

How do i go about it?

Mohan

You don't say what type of device you are using but here is a link to a config doc for a site-to-site VPN with overlapping subnets on 2 routers -

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

If the devices are pix/ASA firewalls then you will need to modify the commands but the principles are the same.

Jon

mohaneternal Mon, 02/15/2010 - 16:57

Hi MAK,

Thank you for the response...

I use an ASA on both sites, so as per your response, you mean to say I should not use NO NAT for one end of the ASA?

Regards,

Mohan

mohaneternal Mon, 02/15/2010 - 16:59

Hi Jon,

I am using a PIX in my case. Can you let me know a link for configuring this on a PIX, or an example config?

Reg,

Mon

jason.espino Mon, 02/15/2010 - 21:49

Hello Mohan,


When attempting to build a site-to-site tunnel where the local and remote networks are the same, setting up No-NAT on one side will not work.  What will happen is that the side that has been set up with No-NAT will be unable to respond to or initiate traffic to the remote private network.  The local firewall will treat that request as a local request and broadcast the request for that private IP address within its own LAN; that request will never leave the firewall.  To get around this you can set up No-NAT on BOTH sides, or you can set up Policy-NAT on BOTH ends to masquerade the networks and make them appear as completely different private networks to both firewalls.


Example.

Site A: LAN network 192.168.1.0

Site B: LAN network 192.168.1.0

PIX(A)

Policy-NAT ACL:

access-list policy-nat permit ip 192.168.1.0 255.255.255.0 172.16.16.0 255.255.255.0

Static:

static (inside,outside) 172.16.15.0 access-list policy-nat

Crypto ACL:

access-list 200 permit ip 172.16.15.0 255.255.255.0 172.16.16.0 255.255.255.0

PIX(B)

Policy-NAT ACL:

access-list policy-nat permit ip 192.168.1.0 255.255.255.0 172.16.15.0 255.255.255.0

Static:

static (inside,outside) 172.16.16.0 access-list policy-nat

Crypto ACL:

access-list 201 permit ip 172.16.16.0 255.255.255.0 172.16.15.0 255.255.255.0


With the above policy-nat example/configuration, PIX(A) will appear as the 172.16.15.0/24 network when communicating through the tunnel to PIX(B).  PIX(B) will appear as the 172.16.16.0/24 network when communicating to the remote hosts on PIX(A) through the VPN tunnel.  Notice there is no NAT exempt rule configured, as you would want this particular VPN traffic to participate in NAT.  Also, it would be best to place the policy-nat static statements above the normal static translations, as you would not want an xlate entry referencing a host address to take precedence over the policy-nat static statement.

The other alternative is to setup both ends as a public-to-public L2L VPN.


Hope this info helps!


- Jason Espino

mohaneternal Mon, 02/15/2010 - 23:38

Hi Jason,

That's an awesome explanation. Thank you very much. I will try this out.

I have a question.. assuming this requirement below

* If in site B there is an FTP server with the IP address 192.168.1.100, and there is a request to this FTP server from site A (192.168.1.5), how does the ASA decide that the request is for the server which is in Site B? And what if there is a host in Site A with the same IP address, 192.168.1.100?

Reg,

Mon

jason.espino Tue, 02/16/2010 - 08:53

Hello Mohan,


With the Policy-NAT example configuration I have provided when hosts on the PIX(A) side attempt to establish a connection to any hosts on the PIX(B) side through the VPN you would need to connect to them using the 172.16.16.X IP address.  Same goes for the hosts on the PIX(B) side if they want to establish a connection to a host on the PIX(A) side through the VPN they will need to connect to the 172.16.15.X IP address of the hosts.



To answer your question with the example you provided:


* If in site B there is an FTP server with the IP address 192.168.1.100, and there is a request to this FTP server from site A (192.168.1.5), how does the ASA decide that the request is for the server which is in Site B? And what if there is a host in Site A with the same IP address, 192.168.1.100?

When communicating through this VPN, Site B's FTP server's IP address would be 172.16.16.100.

When communicating through this VPN, Site A's host address would be 172.16.15.5.

Please keep in mind that with the Policy-NAT configuration I have provided, when attempting to communicate to a host on either side you would need to use the "masqueraded" IP address rather than the true 192.168.1.X IP address.  If there is a host on either side with the same IP address, 192.168.1.100, then that would be perfectly fine.  If you wanted to establish a connection to Site A's 192.168.1.100 host through the VPN then you would connect to 172.16.15.100; whereas if you wanted to establish a connection to the FTP server on Site B you would connect to it using the 172.16.16.100 IP address instead of the 192.168.1.100 IP.  With Policy-NAT there would be no issue with hosts on either side that use the same IP address, as they are set up to "appear" as a different network through the VPN for communication.


I hope my explanation answers your question. Ratings are appreciated.


- Jason Espino
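The following is an added example, not code from the thread or from Cisco: a small Python model of the two-sided policy-NAT design in Jason's first post and of the addressing rule in his second (connect to the peer's masqueraded 172.16.x address, never the real 192.168.1.x one). It assumes both LANs are /24s, that the `static ... access-list` mapping is host-for-host (192.168.1.N becomes 172.16.15.N at Site A and 172.16.16.N at Site B), that NAT is applied before the crypto ACL is evaluated on the way out, and it uses constructed hosts 192.168.1.5 (Site A client) and 192.168.1.100 (Site B FTP server, with a same-addressed host at Site A). `host_next_hop` models the failure mode from the first post: a LAN host treats 192.168.1.100 as on-link and ARPs for it, so the PIX never sees that packet.

```python
"""Model of the overlapping-subnet policy-NAT design (added example, not the thread's config)."""
import ipaddress
from dataclasses import dataclass, replace

Net = ipaddress.IPv4Network
LAN = Net("192.168.1.0/24")  # both sites use this real subnet (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class PolicyNat:
    """Models 'static (inside,outside) <mapped> access-list <acl>' with a one-line ACL
    'permit ip <real> <peer>'. Assumed host-for-host: real[N] <-> mapped[N]."""
    real: Net    # real network (ACL source)
    peer: Net    # ACL destination: traffic must be headed to the peer's mapped net
    mapped: Net  # masqueraded network this site shows to the peer

    def outbound(self, p: Packet) -> Packet:
        """Translate the source only when the policy ACL matches (src real, dst peer)."""
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if s in self.real and d in self.peer:
            return replace(p, src=str(self.mapped[int(s) - int(self.real.network_address)]))
        return p

    def inbound(self, p: Packet) -> Packet:
        """Untranslate the destination for traffic arriving at our mapped network."""
        d = ipaddress.ip_address(p.dst)
        if d in self.mapped:
            return replace(p, dst=str(self.real[int(d) - int(self.mapped.network_address)]))
        return p


@dataclass
class Firewall:
    name: str
    nat: PolicyNat
    crypto_acl: tuple  # (src_net, dst_net) of the single permit line, mapped addresses

    def send(self, p: Packet):
        """Outbound: NAT first, then crypto ACL. Returns the packet on the tunnel or None."""
        p = self.nat.outbound(p)
        src_net, dst_net = self.crypto_acl
        if ipaddress.ip_address(p.src) in src_net and ipaddress.ip_address(p.dst) in dst_net:
            return p
        return None  # not "interesting" traffic: it does not enter the tunnel

    def receive(self, p: Packet) -> Packet:
        return self.nat.inbound(p)


# Same numbering as the thread's example: A masquerades as 172.16.15.0/24, B as 172.16.16.0/24.
PIX_A = Firewall("PIX(A)", PolicyNat(LAN, Net("172.16.16.0/24"), Net("172.16.15.0/24")),
                 (Net("172.16.15.0/24"), Net("172.16.16.0/24")))
PIX_B = Firewall("PIX(B)", PolicyNat(LAN, Net("172.16.15.0/24"), Net("172.16.16.0/24")),
                 (Net("172.16.16.0/24"), Net("172.16.15.0/24")))


def host_next_hop(dst: str) -> str:
    """Where a LAN host sends a packet: ARP on its own LAN, or its default gateway (the PIX)."""
    return "on-link" if ipaddress.ip_address(dst) in LAN else "gateway"


def trace(client_real: str, server_addr: str):
    """Client at Site A talks to Site B's server. Returns (src, dst) seen at each hop,
    or None if the packet never makes it into the tunnel."""
    if host_next_hop(server_addr) != "gateway":
        return None  # the client ARPs locally for 192.168.1.x; the PIX never sees it
    on_wire = PIX_A.send(Packet(client_real, server_addr))
    if on_wire is None:
        return None
    at_server = PIX_B.receive(on_wire)
    reply_wire = PIX_B.send(Packet(at_server.dst, at_server.src))  # server answers the masqueraded client
    at_client = PIX_A.receive(reply_wire)
    return {
        "tunnel_request": (on_wire.src, on_wire.dst),
        "at_server": (at_server.src, at_server.dst),
        "tunnel_reply": (reply_wire.src, reply_wire.dst),
        "at_client": (at_client.src, at_client.dst),
    }


if __name__ == "__main__":
    # Constructed hosts: 192.168.1.5 at Site A, FTP server 192.168.1.100 at Site B.
    print("via masqueraded address:", trace("192.168.1.5", "172.16.16.100"))
    print("via real address:", trace("192.168.1.5", "192.168.1.100"))  # None: stays on Site A's LAN
```

The first trace shows the request leave PIX(A) as 172.16.15.5 -> 172.16.16.100, arrive at the server as 172.16.15.5 -> 192.168.1.100, and the reply come back as 172.16.16.100 -> 172.16.15.5, landing at the client as 172.16.16.100 -> 192.168.1.5. The second trace returns None because the destination is on the client's own subnet, which is the one-sided No-NAT failure the first post describes, and it is also why a same-addressed 192.168.1.100 at Site A causes no conflict: only the 172.16.x addresses are ever used across the tunnel.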
