IPSEC VPN Address Overlap without translation?

EpidemicPC
Level 1

I am wondering if it's possible to have an IPsec VPN between 2 subnets that are the same WITHOUT translating them.

e.g.: in configurations and normal circumstances, if site 1 = 192.168.1.0 and site 2 = 192.168.1.0, a translation occurs in between both VPN devices that says "hey, private 192.168.1.0 = 1.1.1.1 once it leaves out the private interface" and the other says "hey, private 192.168.1.0 = 2.2.2.2 once it leaves out the private interface"; then those 2 new spaces can talk (1.1.1.1 & 2.2.2.2).

The problem is I have special equipment that runs on a T1 which allows for 192.168.1.0 on both sides of the T1, and both sides are 192.168.1.0. If I change site 2 (which is a last-case scenario) to another address space, then I would have to change all the equipment to a new address space on site 2 while changing site 1 to look at the new addresses. I am trying to avoid this. Is it possible?

I know it sounds weird, but maybe I was thinking there's a way to do static. Say on site 1 you say "192.168.1.2 is on the other side of the VPN; when you see 192.168.1.2, know to go over the VPN", although site 1 itself is 192.168.1.0.

Is that possible? Thanks.

Accepted Solution

Generally speaking, no, it won't work, because at each site all 192.168.1.x clients think every other 192.168.1.x client is local and so never send traffic to their default gateway, i.e. the VPN device.

If the two devices that needed to communicate were using different IPs (even though it's the same IP subnet), you could potentially add host routes to the clients' route table pointing to the VPN device, and then each VPN device has a host-specific route for that IP pointing to the outside IP, but that would mean two things:

1) the client in a site could not talk to another client in the same site with that IP, because you are routing it to the VPN device

and

2) the VPN device couldn't talk to that client either, because you have told it to route traffic for that IP via the VPN tunnel.

But to be totally honest, I am not convinced this would work.

Basically you either need to readdress or do NAT; it would be a lot less hassle and would actually work.

Jon

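A small model of the accepted answer, added here as an example and not part of the original thread or of any Cisco code: it shows, with longest-prefix-match forwarding, why a 192.168.1.x host never hands a packet for 192.168.1.2 to its VPN device; what the /32 host-route workaround does and why it makes a local host with that address unreachable; and how the readdress-or-NAT answer works when each site is hidden behind its own translation subnet. The 192.168.1.0/24 overlap, the public addresses 1.1.1.1 and 2.2.2.2 and the gateway inside addresses 192.168.1.254 and 192.168.1.1 are the thread's; the translation subnets 10.1.1.0/24 (site 1 as seen from site 2) and 10.2.2.0/24 (site 2 as seen from site 1) and the host addresses 192.168.1.10 / 192.168.1.20 are assumptions for the model.

```python
"""Model of an IPsec L2L VPN between two sites that both use 192.168.1.0/24.
Added example; addresses marked 'assumed' are not from the thread."""
import ipaddress as ipa

SITE1_NET = ipa.ip_network("192.168.1.0/24")   # thread: both sites use this
SITE2_NET = ipa.ip_network("192.168.1.0/24")
SITE1_ALIAS = ipa.ip_network("10.1.1.0/24")    # assumed: how site 2 addresses site 1
SITE2_ALIAS = ipa.ip_network("10.2.2.0/24")    # assumed: how site 1 addresses site 2
GW1_INSIDE, GW1_OUTSIDE = "192.168.1.254", "1.1.1.1"   # thread: ASA at site 1
GW2_INSIDE, GW2_OUTSIDE = "192.168.1.1", "2.2.2.2"     # thread: concentrator at site 2
DEFAULT = ipa.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over [(network, next_hop)].
    next_hop None means 'on-link': the host ARPs for dst itself."""
    d = ipa.ip_address(dst)
    hits = [(n, h) for n, h in routes if d in n]
    if not hits:
        return "unroutable"
    _, h = max(hits, key=lambda x: x[0].prefixlen)
    return "on-link" if h is None else h


def plain_host_routes():
    """A normal site-1 host: connected /24 plus a default route to the VPN device."""
    return [(SITE1_NET, None), (DEFAULT, GW1_INSIDE)]


def host_route_hack():
    """Jon's option: a /32 for the far-end box pointing at the VPN device. Every packet
    for 192.168.1.2, including one meant for a local box with that IP, now goes there."""
    return plain_host_routes() + [(ipa.ip_network("192.168.1.2/32"), GW1_INSIDE)]


def translate(addr, from_net, to_net):
    """Static one-to-one NAT: keep the host bits, swap the network bits."""
    a = ipa.ip_address(addr)
    if a not in from_net:
        return str(a)
    return str(to_net.network_address + (int(a) - int(from_net.network_address)))


def gateway_outbound(pkt, local_net, local_alias):
    """Inside->outside at a site's VPN device: the real source is hidden behind the
    site alias. The destination already names the far side by its alias."""
    src, dst = pkt
    return (translate(src, local_net, local_alias), dst)


def gateway_inbound(pkt, local_alias, local_net):
    """Outside->inside after decryption: the alias destination becomes the real host."""
    src, dst = pkt
    return (src, translate(dst, local_alias, local_net))


def crypto_acl_match(pkt, local_alias, remote_alias):
    """Interesting-traffic check. It is written in translated addresses because
    outbound NAT is applied before the crypto map is consulted."""
    src, dst = (ipa.ip_address(x) for x in pkt)
    return src in local_alias and dst in remote_alias


def send_site1_to_site2(src_host, dst_real_host):
    """Walk one packet from a site-1 host to a site-2 host and the reply back.
    Returns (packet as delivered at site 2, reply as delivered at site 1)."""
    dst_alias = translate(dst_real_host, SITE2_NET, SITE2_ALIAS)
    if next_hop(plain_host_routes(), dst_alias) != GW1_INSIDE:
        raise RuntimeError("host did not forward the alias address to the VPN device")
    pkt = gateway_outbound((src_host, dst_alias), SITE1_NET, SITE1_ALIAS)
    if not crypto_acl_match(pkt, SITE1_ALIAS, SITE2_ALIAS):
        raise RuntimeError("packet would leave %s in the clear" % GW1_OUTSIDE)
    delivered = gateway_inbound(pkt, SITE2_ALIAS, SITE2_NET)
    # The site-2 host answers the alias it saw; 10.1.1.x is off-subnet, so it routes
    # to its own default gateway, the concentrator.
    reply = gateway_outbound((delivered[1], delivered[0]), SITE2_NET, SITE2_ALIAS)
    if not crypto_acl_match(reply, SITE2_ALIAS, SITE1_ALIAS):
        raise RuntimeError("reply would leave %s in the clear" % GW2_OUTSIDE)
    return delivered, gateway_inbound(reply, SITE1_ALIAS, SITE1_NET)


if __name__ == "__main__":
    print("no NAT, plain host:", next_hop(plain_host_routes(), "192.168.1.2"))
    print("/32 hack, remote 192.168.1.2:", next_hop(host_route_hack(), "192.168.1.2"))
    print("/32 hack, local 192.168.1.2: same answer, so the local box is unreachable")
    print("with NAT:", send_site1_to_site2("192.168.1.10", "192.168.1.20"))
```

Two things the model makes visible: without NAT the decision is taken on the host, not on the VPN device, so nothing in the crypto map can help; and with NAT each site only ever addresses the other by its alias subnet, so the interesting-traffic ACL on each device must be written in alias addresses (10.1.1.0/24 to 10.2.2.0/24 at site 1, the reverse at site 2), not in 192.168.1.0/24.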

3 Replies

Jon Marshall
Hall of Fame

"The problem is I have special equipment that runs on a T1 which allows for 192.168.1.0 on both sides of the T1, and both sides are 192.168.1.0."

Can you clarify what you mean by the above, i.e. what is special about it?

From your description it sounds like just a L3 connection between two routers, and you are using the same IP subnet in two sites and these sites currently don't talk to each other.

Or are you saying they can talk to each other, i.e. that is what is special?

Are you asking about a L2L VPN between two routers or firewalls?

Jon

EpidemicPC

I do currently have internet. I'm asking about an IPsec VPN between 2 devices (say a 5505 and a VPN concentrator) where both devices' private spaces are 192.168.1.0 (address overlap), and NOT translating to a different subnet.

Like this:

(192.168.1.254 private) -> (ASA) 1.1.1.1 public -> internet <- 2.2.2.2 public (concentrator) <- (192.168.1.1 private)

And not change or use any address translation. So both private spaces stay 192.168.1.1 across an IPsec VPN. Perhaps static mapping?

