New Member

Hub and Spoke VPN

I need to implement 3 VPN tunnels back to my office. My main problem is that two of the sites are using the same IP scheme.

My office is 192.168.240.x /24

Site 1 is 10.1.1.x /24

Site 2 is 172.16.1.x /24

Site 3 is 10.1.1.x /24

I know how to create a vpn tunnel to Site 1 and 2. But I am not sure how to add Site 3 into the picture.

I also need to make sure that no one can ride my VPN tunnel from one site to another site.

Any and all help is greatly appreciated.

Thanks a million in advance.

-Rajeev

9 REPLIES
New Member

Re: Hub and Spoke VPN

Easiest and best plan in the long run is to change one of the site's network ranges, or split them in half (site 1 uses 10.1.1.0/25 and site 3 uses 10.1.1.128/25).

Otherwise you'd have to set up some sort of bridging rather than routing between the sites, which increases the broadcast domain to travel over the WAN. This is undesirable at best.

New Member

Re: Hub and Spoke VPN

I will not be able to change the IP address at any site because they are separate clients, and are in full production.

New Member

Re: Hub and Spoke VPN

Rajeev, can you please tell us what VPN device you are using, VPN Concentrator or PIX Firewall?

Hall of Fame Super Silver

Re: Hub and Spoke VPN

Rajeev

I agree that it will be helpful to know what kind of devices you are working with. Some of the alternatives would depend on which platform you are using.

I assume that the addresses you have given are the inside addresses of the remotes. What are the outside addresses? Are the remote sites doing any address translation? It seems to me that if site 1 and site 3 are using the same addressing scheme for their inside networks, that your solution will be to do some kind of address translation for one of the sites as it enters the central network.

The alternatives for preventing one remote site from communicating with another remote site will depend on what platform is being used for VPN.

HTH

Rick

New Member

Re: Hub and Spoke VPN

All the clients have real IP addresses on the outside interfaces... they are doing some NAT on web servers.

Thanks for all the help...

Hall of Fame Super Silver

Re: Hub and Spoke VPN

Rajeev

So long as each client has a unique (real) IP address on the outside interface then setting up IPSec can be done without much difficulty. You peer to the unique IP address.

What will make implementing this difficult is a routing issue. If you have a packet with destination address 10.1.1.4, which VPN tunnel should it go through? I do not know of a way to solve this other than through some Network Address Translation. I think that the optimum solution would be to get one of the clients to translate addresses on traffic that they send to you.

HTH

Rick

New Member

Re: Hub and Spoke VPN

Sites 1 and 3 have a PIX 515E 6.3

Site 2 has a Cisco 871 12...

In my office I have a PIX 515E 6.3

New Member

Re: Hub and Spoke VPN

You really will have to seriously consider assisting one site in changing their network's address ranges.

Until that occurs you could use some sort of 1-1 NAT strategy on one of the sites, but you'll have to set up maps for EACH and EVERY machine, and you'll have to do them all statically, if you want to be able to reliably get to certain machines--no using a pool of 255 addresses mapping to the network segment.

I'd implement this on one site, and look at migrating them over. If they're using DHCP it's not super difficult, just set up the new range one night, and switch it over. In the morning they all change. Then you can take care of any servers. Of course if they have any programs, or scripts with IPs defined rather than DNS names, it might be a bit more work, but really an unavoidable result of tying disparate networks together.

Gold

Re: Hub and Spoke VPN

You can install another router at site1 or site3 to do another NAT.

e.g.

from site1 lan <--> pix515e <--> vpn/www <--> your office

to site1 lan <--> router <--> pix515e <--> vpn/www <--> your office

The router can NAT the original 10.1.1.x to 10.1.2.x, so from your office's point of view, the remote peer net is 10.1.2.x, not 10.1.1.x. Also, you don't have to change the site1 net scheme.
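The routing ambiguity Rick describes (a packet to 10.1.1.4 matching two tunnels) and the 1:1 static translation of site1/site3 to a fresh range proposed in the last two replies can be modelled in a few lines. The script below is an added example written for this thread, not code from the original posts or from Cisco; it uses the thread's addresses (192.168.240.0/24 office, 10.1.1.0/24 twice, 172.16.1.0/24) and assumes a hypothetical translated range 10.1.2.0/24 for site3. It also adds a hub-side policy check for the original poster's spoke-to-spoke question, which the thread left open: only flows with one end in the office are permitted.

```python
import ipaddress

# Constructed topology taken from the thread: hub office plus three spokes.
OFFICE = ipaddress.ip_network("192.168.240.0/24")
SITES = {
    "site1": ipaddress.ip_network("10.1.1.0/24"),
    "site2": ipaddress.ip_network("172.16.1.0/24"),
    "site3": ipaddress.ip_network("10.1.1.0/24"),   # same range as site1
}
# Hypothetical range site3 is translated to (assumption, not from the thread).
SITE3_TRANSLATED = ipaddress.ip_network("10.1.2.0/24")


def overlapping_sites(sites):
    """Return pairs of spoke names whose inside networks overlap."""
    names = sorted(sites)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if sites[a].overlaps(sites[b])]


def candidate_tunnels(dst, sites):
    """Tunnels whose remote network contains dst.
    More than one entry means the hub cannot decide where to send the packet."""
    ip = ipaddress.ip_address(dst)
    return [name for name, net in sorted(sites.items()) if ip in net]


def netmap(address, original, translated):
    """1:1 static translation that keeps the host offset (10.1.1.4 -> 10.1.2.4).
    Both networks must have the same prefix length so every host has exactly one peer."""
    ip = ipaddress.ip_address(address)
    if ip not in original:
        raise ValueError(f"{ip} is not inside {original}")
    if original.prefixlen != translated.prefixlen:
        raise ValueError("original and translated networks must be the same size")
    offset = int(ip) - int(original.network_address)
    return ipaddress.ip_address(int(translated.network_address) + offset)


def static_nat_table(original, translated):
    """One explicit entry per host, i.e. the 'EACH and EVERY machine' static map
    the reply warns about; return traffic uses the same table in reverse."""
    return {str(h): str(netmap(h, original, translated)) for h in original.hosts()}


def apply_translation(sites, site_name, translated):
    """Hub view after one spoke is presented behind a translated range."""
    fixed = dict(sites)
    fixed[site_name] = translated
    return fixed


def hub_permits(src, dst, office=OFFICE):
    """Hub policy for the spoke-to-spoke question: a flow crossing the hub is
    allowed only if one end is in the office network, so spokes cannot transit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in office) or (d in office)


if __name__ == "__main__":
    print("overlaps:", overlapping_sites(SITES))
    print("tunnels for 10.1.1.4 before NAT:", candidate_tunnels("10.1.1.4", SITES))
    fixed = apply_translation(SITES, "site3", SITE3_TRANSLATED)
    print("tunnels for 10.1.1.4 after NAT:", candidate_tunnels("10.1.1.4", fixed))
    print("tunnels for 10.1.2.4 after NAT:", candidate_tunnels("10.1.2.4", fixed))
    table = static_nat_table(SITES["site3"], SITE3_TRANSLATED)
    print("static entries needed:", len(table), "e.g. 10.1.1.4 ->", table["10.1.1.4"])
    print("site1 -> site2 via hub permitted?", hub_permits("10.1.1.4", "172.16.1.9"))
```

Before translation, `candidate_tunnels("10.1.1.4", SITES)` returns both site1 and site3, which is exactly the routing problem the thread identifies; after site3 is presented as 10.1.2.0/24 every destination maps to a single tunnel, at the cost of 254 static entries on the translating device.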
