VPN L2L Cisco-Watchguard on the same subnet

Unanswered Question
Mar 15th, 2010

Hello,

I have a problem with a LAN-to-LAN VPN between a Cisco 850 (12.4) and a Watchguard (11.1). I need to NAT the two private address ranges because, on the Watchguard side, the Cisco subnet is already in use. I have no problem creating the VPN tunnel, and I see it up and running on both devices, but I cannot browse the remote LAN.

Some information:

LAN1 = Cisco
LAN1 private address = 192.168.1.0/24
LAN1 NAT address = 192.168.3.0/24
LAN1 public address = 88.40.abc.def

LAN2 = Watchguard
LAN2 private address = 192.168.0.0/24
LAN2 NAT address = 192.168.4.0/24
LAN2 public address = 88.57.ghi.jkl

This is the Cisco configuration for the VPN:

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXX address 88.57.ghi.jkl
crypto isakmp keepalive 20 5
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set LAN2LANSET esp-3des esp-sha-hmac
!
crypto map LANTOLANMAP 20 ipsec-isakmp
 set peer 88.57.ghi.jkl
 set transform-set LAN2LANSET
 match address 120
!
no ip source-route
no ip gratuitous-arps
!
ip cef
no ip domain lookup
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 88.40.abc.def 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map LANTOLANMAP
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip nat inside source route-map NONAT interface ATM0.1 overload
!
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
route-map NONAT permit 10
 match ip address 110

With this configuration I can browse the internet but NOT across the VPN tunnel (because, I suppose, there is no NAT for it). If I add this:

ip nat inside source static network 192.168.1.0 192.168.3.0 /24 no-alias

I can browse across the tunnel but not the internet (because, I think, I am redirecting all the traffic through the tunnel). Is there a way to solve this situation? For the record, I cannot buy other hardware or change the two subnet addresses.

Regards
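The following is an added example, not part of the original post or a reply to it. It shows one way to keep the existing internet PAT while translating LAN1 to 192.168.3.0/24 only for traffic bound for the Watchguard's NAT range 192.168.4.0/24: a policy route-map attached to the static network translation. The names ACL 130 and route-map VPNNAT are assumed for illustration; the rest of the config (NONAT, ACL 110, ACL 120, the interface and crypto map statements) is the poster's own and stays unchanged.

```cisco
! Existing PAT for internet traffic stays as it is. Route-map NONAT / ACL 110
! already exclude anything going to 192.168.4.0/24, so tunnel traffic never
! reaches the overload rule.
ip nat inside source route-map NONAT interface ATM0.1 overload
!
! ACL 130 (assumed name) selects only the traffic that must cross the tunnel.
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
!
! VPNNAT (assumed name) turns ACL 130 into a NAT policy.
route-map VPNNAT permit 10
 match ip address 130
!
! 1:1 network translation 192.168.1.x -> 192.168.3.x, applied only when VPNNAT
! matches. The original static line had no route-map, so every packet leaving
! LAN1 was rewritten to a 192.168.3.x source, internet traffic included, which
! is why the internet stopped working once the tunnel started working.
ip nat inside source static network 192.168.1.0 192.168.3.0 /24 route-map VPNNAT
!
! Crypto ACL 120 is already correct: IOS performs inside-to-outside NAT before
! it evaluates the crypto map on the egress interface, so the tunnel selector
! must describe the post-NAT 192.168.3.0/24, not 192.168.1.0/24.
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
```

The Watchguard side has to mirror this: a 1:1 NAT of 192.168.0.0/24 to 192.168.4.0/24 and a tunnel whose local network is 192.168.4.0/24 and remote network is 192.168.3.0/24, otherwise the phase 2 proxy IDs will not match ACL 120. To check the result, `show ip nat translations` should list 192.168.3.x entries only for flows to 192.168.4.0/24, and the encaps/decaps counters in `show crypto ipsec sa` should both increase when a LAN1 host pings a LAN2 host; `debug ip nat` shows whether a given packet was translated. Two caveats: verify on the actual 850 image that the static network form accepts the route-map keyword and that LAN2-initiated connections to 192.168.3.x are translated back (if not, the fallback is an `ip nat pool` with `type match-host` driven by the same route-map, accepting that entries are then only created by LAN1-initiated traffic). Separately, 3DES, MD5 and DH group 2 in the ISAKMP policy are weak by current standards; where both peers support it, AES, SHA-256 and group 14 or higher are the appropriate replacements.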
