overlapping network address in two PIXs for VPN connection

richard268
Level 1

The PIX in central office A is using 10.1.1.0/24 with NAT global addresses in 209.*.*.* (the PIX outside IP address is also in this range). It has three connections, to branch offices B, C and D.

The PIX in branch B is using 10.2.1.0, and the PIX in branch C is using 10.3.1.0; they communicate with central office A over VPN tunnels with no NAT translation. They are working fine.

The problem is that the new branch office D is using the same IP address range, 10.1.1.0/24, with NAT global addresses in 63.*.*.* (the PIX outside IP address is also in this range). So central office A and branch office D have overlapping IP addresses.

According to Cisco's recommendation, 10.1.1.0 in both office A and office D should be NAT-translated so that they see each other under different IP addresses. But some hosts in both office A and office D have already been NAT-translated to global IP addresses individually. We will have overlapping IP addresses if we translate 10.1.1.0 in office A to 10.221.1.0 and in office D to 10.222.1.0 (since some hosts in both internal 10.1.1.0 networks have been translated already).

What is the solution?

Any input would be greatly appreciated.

Thanks very much.

Cheers

Richard

1 Reply

ssoberlik
Level 4

Recent versions of PIX OS support something called 'Bi NAT'. In a nutshell, what is done is to translate the overlapping addresses to non-overlapping address spaces. The next step would be to manually reconstruct the static translations on both ends. More information is available at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml. The only other way out seems to be to start re-addressing all devices on one of the sites.
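The following is an added worked example, not code from either poster or from Cisco's document: a small Python model of the two-ended static NAT the reply describes, run over the topology in the question. It shows what each side sees when a host at A talks to a host at D through 10.221.1.0/24 and 10.222.1.0/24, that the crypto ACL must match the translated addresses, and why an unconditional net static collides with the per-host statics the question mentions while a destination-scoped (policy) static does not. Assumptions: 203.0.113.0/24 and 198.51.100.0/24 stand in for the 209.*.*.* and 63.*.*.* blocks, the hosts 10.1.1.10 and 10.1.1.20 with their public statics are constructed, and the evaluation order (policy statics before plain statics, then most specific prefix) is the model's own rule, not a statement about any particular PIX release.

```python
"""Model of bidirectional static NAT across a site-to-site tunnel between
two sites that both use 10.1.1.0/24 (added example; addresses constructed)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Static:
    """A static translation of a local net onto a global net. If policy_net is
    set, the static only applies to traffic exchanged with that remote net."""
    local: IPv4Network
    glob: IPv4Network
    policy_net: Optional[IPv4Network] = None

    @staticmethod
    def shift(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
        # Net statics map host by host: keep the host part, swap the prefix.
        return IPv4Address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))


class Firewall:
    def __init__(self, name: str, statics: List[Static]):
        self.name = name
        # Model's evaluation order (assumption): policy statics first, then the
        # most specific prefix. This is what lets a net-wide static used only for
        # the tunnel coexist with an existing per-host static to a public address.
        self.statics = sorted(statics, key=lambda s: (s.policy_net is None, -s.local.prefixlen))

    def outbound(self, pkt: Packet) -> Packet:
        """inside -> outside: rewrite the source address."""
        for s in self.statics:
            if pkt.src in s.local and (s.policy_net is None or pkt.dst in s.policy_net):
                return Packet(Static.shift(pkt.src, s.local, s.glob), pkt.dst)
        return pkt  # no static matched (e.g. nat 0 traffic to branches B and C)

    def inbound(self, pkt: Packet) -> Packet:
        """outside -> inside: undo the translation on the destination address."""
        for s in self.statics:
            if pkt.dst in s.glob and (s.policy_net is None or pkt.src in s.policy_net):
                return Packet(pkt.src, Static.shift(pkt.dst, s.glob, s.local))
        return pkt


def crypto_acl_match(pkt: Packet, local_net: IPv4Network, remote_net: IPv4Network) -> bool:
    """The crypto map ACL sees post-NAT addresses, so it must list the translated nets."""
    return pkt.src in local_net and pkt.dst in remote_net


# Constructed topology: both sites use LAN; each shows the other a translated copy.
LAN = ip_network("10.1.1.0/24")
A_AS_SEEN_BY_D = ip_network("10.221.1.0/24")
D_AS_SEEN_BY_A = ip_network("10.222.1.0/24")

pix_a = Firewall("A", [
    Static(ip_network("10.1.1.10/32"), ip_network("203.0.113.10/32")),  # pre-existing public static
    Static(LAN, A_AS_SEEN_BY_D, policy_net=D_AS_SEEN_BY_A),             # only for traffic with D
])
pix_d = Firewall("D", [
    Static(ip_network("10.1.1.20/32"), ip_network("198.51.100.20/32")),  # pre-existing public static
    Static(LAN, D_AS_SEEN_BY_A, policy_net=A_AS_SEEN_BY_D),              # only for traffic with A
])
# The configuration the question worries about: an unconditional net static
# alongside the per-host static. In this model the /32 wins for all traffic.
pix_a_plain = Firewall("A-plain", [
    Static(ip_network("10.1.1.10/32"), ip_network("203.0.113.10/32")),
    Static(LAN, A_AS_SEEN_BY_D),
])


def round_trip(host_a: str, host_d_translated: str) -> Optional[Tuple[Packet, Packet, Packet]]:
    """Host at A sends to D's host by its translated address. Returns the packet
    on the tunnel, the packet as D's host sees it, and the reply as A's host
    sees it; None if the outbound packet would not match the crypto ACL."""
    req = Packet(ip_address(host_a), ip_address(host_d_translated))
    on_wire = pix_a.outbound(req)
    if not crypto_acl_match(on_wire, A_AS_SEEN_BY_D, D_AS_SEEN_BY_A):
        return None
    at_d = pix_d.inbound(on_wire)
    reply_wire = pix_d.outbound(Packet(at_d.dst, at_d.src))
    return on_wire, at_d, pix_a.inbound(reply_wire)


def internet_bound(fw: Firewall, host: str, internet_dst: str = "192.0.2.1") -> Packet:
    """Non-tunnel traffic keeps using the per-host public static."""
    return fw.outbound(Packet(ip_address(host), ip_address(internet_dst)))


def plain_static_conflict() -> Packet:
    """With the unconditional net static, 10.1.1.10 leaves for D as its public
    address, so the crypto ACL for 10.221.1.0/24 never matches."""
    return pix_a_plain.outbound(Packet(ip_address("10.1.1.10"), ip_address("10.222.1.20")))


if __name__ == "__main__":
    for stage, pkt in zip(("on tunnel", "at D host", "reply at A host"),
                          round_trip("10.1.1.10", "10.222.1.20")):
        print(f"{stage:16} {pkt.src} -> {pkt.dst}")
    print("to Internet     ", internet_bound(pix_a, "10.1.1.10"))
    print("plain net static", plain_static_conflict(),
          "matches crypto ACL:", crypto_acl_match(plain_static_conflict(), A_AS_SEEN_BY_D, D_AS_SEEN_BY_A))
```

The point of the model is the ordering: the tunnel static must be selected by destination so that it takes precedence over the existing one-to-one statics only for traffic to the other site, and the crypto ACL on each PIX must name 10.221.1.0/24 and 10.222.1.0/24, not 10.1.1.0/24. Hosts at A reach D's hosts as 10.222.1.x and hosts at D reach A's as 10.221.1.x, which also means any DNS or application configuration has to use the translated addresses.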