Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Bronze

Overlapping address spaces and VPN

I'm trying to get setup a VPN to allow a business-parter access to our network. The problem is that the partner use the same private address space as we do.

I'm trying to figure out how to translate NAT their internal address to a different address as the packets come out of the VPN tunnel.

There is a Visio Doc attached that shows "US" and THEM. The "THEM" side does not use real IPs, I made this drawing because I'm getting an example set up in a Lab environment, so I picked random numbers for the "THEM" Ips.

The PC(s) from the partner need access to two PCs on my side. I got it working to the point that the VPN tunnel comes up between the two PIX501s, and translated the destination IP into a private IP, but need help translating the remote source IPs into private IPs.

Here's some output from the PIX on the "US" (My side).

Inbound ICMP echo request (len 32 id 2 seq 44033) 10.150.100.100 > 216.x.x.x > 10.220.2.10

The source of the packet is sent to the 216.x.x.x address then translated to its real internal address of 10.220.2.10. I need to translate the 10.150.100.100 address to somthing else, so it doesnt mess up my network. Ideas? I'm a PIX n00b. Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Overlapping address spaces and VPN

Hi

Sorry i dont have Visio on my home PC but if you want to translate the source IP address of the incoming packets eg. translate 10.150.100.100 to 192.168.5.10

static (outside,inside) 192.168.5.10 10.150.100.100 netmask 255.255.255.255

If you need to do a pool of source addresses you could do

nat (outside) 3 10.150.100.0 255.255.255.0 outside

global (inside) 3 192.168.5.10

HTH

Jon

3 REPLIES
Hall of Fame Super Blue

Re: Overlapping address spaces and VPN

Hi

Sorry i dont have Visio on my home PC but if you want to translate the source IP address of the incoming packets eg. translate 10.150.100.100 to 192.168.5.10

static (outside,inside) 192.168.5.10 10.150.100.100 netmask 255.255.255.255

If you need to do a pool of source addresses you could do

nat (outside) 3 10.150.100.0 255.255.255.0 outside

global (inside) 3 192.168.5.10

HTH

Jon

Community Member

Re: Overlapping address spaces and VPN

In my configuration, I tried

static (outside,inside) 192.168.16.90 10.18 netmask 255.255.255.255

which landed me with the following xlate:

Global 192.168.16.90 Local 10.0.0.18

At this point, my colleague at 10.18 lost all connectivity. No more internet... :)

How do you make the translation less intrusive?

Bronze

Re: Overlapping address spaces and VPN

I'm not too sure how NAT statements are handled, but would it work to do the following:

global (inside) 3 192.168.4.10-192.168.4.15 netmask 255.255.255.0

nat(outside) 3 10.150.0.0 255.255.255.0 outside //Translates 10.150.0.0 comming through VPN tunnel to the range 192.168.4.10-15

nat(outside) 0 0.0.0.0 0.0.0.0 0 0 //Skips the translate on anything else.

226
Views
0
Helpful
3
Replies
CreatePlease to create content