New VPN has the same IP subnet range as another, NAT?

Unanswered Question
Mar 13th, 2010

Hello,


I am using an ASA 5520. I have a VPN set up already to a remote office using subnet 172.16.x.x/16 and it all works well and I don't want to change this.  Now I need to set up another VPN to another office which is also using 172.16.x.x/16.  This new office needs to connect to servers where I'm based (where the ASA is).


How can I get round this?


Would I create a VPN using an IP range that isn't used anywhere else for this regional office? For example:


HQ (me) - 192.168.21.x/24

Remote site - 192.168.31.x/24


That way phase 2 would come up, although nothing would work.


Now would I need to NAT and where?  The remote site that is on 172.16.x.x (now on 192.168.31.x) needs to connect to about 10 servers on 192.168.21.x/24


I've never done NAT before and it sounds difficult.


Thanks

Federico Coto F... Sat, 03/13/2010 - 09:31

Hi,


If you have overlapping addresses on both sides of the tunnel, then you should NAT the traffic.


For example:


Private network Site A:

10.1.1.0/24

Private network Site B:

10.1.1.0/24


Site A NAT config:

  ! interface names are the nameif values; inside/outside on a default install
  access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  static (inside,outside) 192.168.1.0 access-list NAT_VPN


Site B NAT config:

  access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
  static (inside,outside) 192.168.2.0 access-list NAT_VPN


In this way, you're translating Site A to 192.168.1.0 and Site B to 192.168.2.0 when communicating between them.


Then, the VPN traffic should flow between the 192.168.x.0 networks without the overlapping problem.

This is called Policy NAT.


Federico.

Andy White Sat, 03/13/2010 - 12:21

Thanks, but how will Site B know, for example, which server to connect to in Site A, as this policy is dynamic?  For example, if Site B needs to connect to an email server in Site A?

busterswt Sat, 03/13/2010 - 19:59

Hi Andy,


In the above example, and likely your situation, it becomes a 1-to-1 translation:



Private network Site A:

10.1.1.0/24 == 192.168.1.0/24

Private network Site B:

10.1.1.0/24 == 192.168.2.0/24


Site A NAT config:

  ! interface names are the nameif values; inside/outside on a default install
  access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
  static (inside,outside) 192.168.1.0 access-list NAT_VPN


Site B NAT config:

  access-list NAT_VPN permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
  static (inside,outside) 192.168.2.0 access-list NAT_VPN


When a PC at Site B (i.e. 10.1.1.201) wants to talk to a mail server at Site A (i.e. 10.1.1.31), it would send its request to 192.168.1.31. Notice that network is the one defined in the encryption domain of Site B's firewall. Site B NATs the source address from 10.1.1.201 to 192.168.2.201.


The server at Site A would see this request coming from 192.168.2.201. Site A's firewall would then NAT the response by changing the source IP from 10.1.1.31 to 192.168.1.31, and the cycle continues.


As far as I know, the policy NAT translation needs to be at the *top* of the list of static translations. You may need to remove all other statics, add the policy NAT static, and then add them back in.


Good luck!
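As an added illustration (not part of this thread, and not a Cisco tool), here is a small Python model of the 1-to-1 policy NAT that Federico and busterswt describe. It uses the same constructed topology, 10.1.1.0/24 at both sites mapped to 192.168.1.0/24 (Site A) and 192.168.2.0/24 (Site B), and traces the request from the Site B PC and the reply from the Site A mail server through both firewalls, so you can see which address each hop observes, which networks the crypto ACL (encryption domain) must reference, and a check that the mapped ranges collide with nothing. The site table, function names and the two example hosts are assumptions made for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed topology mirroring the thread's example (an assumption, not a
# real deployment): both sites use 10.1.1.0/24 internally; Site A is presented
# to the tunnel as 192.168.1.0/24 and Site B as 192.168.2.0/24.
SITES = {
    "A": {"real": IPv4Network("10.1.1.0/24"), "mapped": IPv4Network("192.168.1.0/24"), "peer": "B"},
    "B": {"real": IPv4Network("10.1.1.0/24"), "mapped": IPv4Network("192.168.2.0/24"), "peer": "A"},
}


def remap(addr, from_net, to_net):
    """1-to-1 network translation: keep the host part, swap the network part.
    This is what 'static (inside,outside) <mapped_net> access-list ...' does
    for every host of the real subnet."""
    addr, from_net, to_net = IPv4Address(addr), IPv4Network(from_net), IPv4Network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("a static network translation needs equal-size subnets")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_part = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + host_part)


def nat_outbound(site, src, dst):
    """Packet leaving <site> towards the tunnel. The policy access-list matches
    real source -> peer's mapped network; only then is the source translated."""
    s = SITES[site]
    peer_mapped = SITES[s["peer"]]["mapped"]
    src, dst = IPv4Address(src), IPv4Address(dst)
    if src in s["real"] and dst in peer_mapped:
        src = remap(src, s["real"], s["mapped"])
    return src, dst


def nat_inbound(site, src, dst):
    """Packet arriving at <site> from the tunnel. A static is bidirectional:
    a destination in the mapped network is un-translated to the real network."""
    s = SITES[site]
    peer_mapped = SITES[s["peer"]]["mapped"]
    src, dst = IPv4Address(src), IPv4Address(dst)
    if dst in s["mapped"] and src in peer_mapped:
        dst = remap(dst, s["mapped"], s["real"])
    return src, dst


def trace(client_site, client_ip, server_site, server_ip):
    """Follow a request and its reply through both firewalls and return the
    (label, src, dst) seen at each hop. The client must address the server by
    its *mapped* address, as the thread explains."""
    server_mapped = remap(server_ip, SITES[server_site]["real"], SITES[server_site]["mapped"])
    hops = []
    src, dst = IPv4Address(client_ip), server_mapped
    hops.append(("client sends", src, dst))
    src, dst = nat_outbound(client_site, src, dst)
    hops.append((f"after site {client_site} outbound NAT", src, dst))
    src, dst = nat_inbound(server_site, src, dst)
    hops.append((f"after site {server_site} inbound NAT (server sees)", src, dst))
    src, dst = dst, src  # the server replies to whatever source it saw
    hops.append(("server replies", src, dst))
    src, dst = nat_outbound(server_site, src, dst)
    hops.append((f"after site {server_site} outbound NAT", src, dst))
    src, dst = nat_inbound(client_site, src, dst)
    hops.append((f"after site {client_site} inbound NAT (client sees)", src, dst))
    return hops


def crypto_acl(site):
    """Encryption domain each firewall must use: mapped-local <-> mapped-peer.
    If it referenced the real 10.1.1.0/24, both peers would propose the same
    selector and the traffic could not be routed."""
    s = SITES[site]
    return s["mapped"], SITES[s["peer"]]["mapped"]


def overlap_free():
    """True when the mapped networks overlap neither each other nor either
    site's real network; that is the property that makes the scheme work."""
    a, b = SITES["A"], SITES["B"]
    pairs = [(a["mapped"], b["mapped"]), (a["mapped"], a["real"]), (a["mapped"], b["real"]),
             (b["mapped"], a["real"]), (b["mapped"], b["real"])]
    return not any(x.overlaps(y) for x, y in pairs)


if __name__ == "__main__":
    for label, src, dst in trace("B", "10.1.1.201", "A", "10.1.1.31"):
        print(f"{label:45s} {src} -> {dst}")
    print("crypto ACL site A:", crypto_acl("A"), "site B:", crypto_acl("B"))
    print("mapped ranges overlap-free:", overlap_free())
```

The trace ends with the PC receiving the reply from 192.168.1.31, the exact address it sent to, which is why the 1-to-1 mapping answers Andy's question about how Site B picks a particular server: every Site A server is reachable at its own fixed 192.168.1.x address.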

Andy White Sat, 03/13/2010 - 23:05

Thanks,


I have just found out we won't be installing a Cisco firewall but using an existing hosted firewall which is a Microsoft ISA 2004 firewall!


What options do I have?  I doubt it can do dynamic NATs; if this all becomes static NATting, what would the Cisco config look like?


At least I can prepare my ASA, then the hosting company can do their part.
