
Clarification on IPSEC connectivity between 2 sites of Overlapping Subnet

Hi ,

My current setup have two sites consider it as A & B.

A is having Ip range 10.0.0.0/8

B is having Ip range 10.50.0.0/16

My doubt is whether IPSEC can be enabled between these 2 sites, which have overlapping IP address ranges, because to my knowledge, if any packet originating from A (let us assume source IP 10.0.0.5) is sent to dest IP 10.50.0.10, the packet will not be relayed to site B, since it has a matching mask.

Pls clarify whether IPSEC can be enabled between these sites, and if so, how it will not be affected by this overlapping issue.

Otherwise I will have to go for an IP schema change at one of the sites, but that is difficult because it is a well-established site.

Thanks for your comments on the same.

3 REPLIES

Re: Clarification on IPSEC connectivity between 2 sites of Overl

Hi,

The more specific route still applies, i.e. the longer subnet mask.

I don't think your Site A is a single network segment of 10/8 - if it is, then 10.0.0.5 will not reach 10.50.0.10. When you subnet 10/8 in Site A, do not use 10.50/16 for Site A.

Regards,

Dandy


Re: Clarification on IPSEC connectivity between 2 sites of Overl

Thanks Dandy,

As per you, if I have 10.0.0.0/8 at Site A, then 10.50.0.0/16 must not be at Site B to establish IPSEC connectivity. Am I right?

If you agree with the above statement, then can you tell me the solution for the same without changing the schema at both sides.


Re: Clarification on IPSEC connectivity between 2 sites of Overl

You need to double NAT on both sides.

At site A, you NAT the source of 10.0.0.0/8 to 11.0.0.0/8, and the destination is 172.16.0.0/16.

At site B, you do the opposite: you NAT the source of 10.50.0.0/16 to 172.16.0.0/16, and the destination will be 11.0.0.0/8.

Now when the traffic from Site A reaches site B, you keep the source 11.0.0.0/8 the same but you de-NAT the destination of 172.16.0.0/16 back to 10.50.0.0/16.

The same thing applies to Site A as well. When source 172.16.0.0/16 gets to site A, you keep the source the same but de-NAT 11.0.0.0/8 to 10.0.0.0/8.

Easy right?

CCIE Security
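As an added illustration of the two replies above (not code from the thread or from Cisco), the following Python traces the twice-NAT plan end to end and shows the longest-prefix-match rule that makes the overlap a problem in the first place. It assumes, as the reply does, that each router translates its inside source on the way out and de-NATs the destination on the way in, that the translations are static network NATs of equal prefix length (host bits preserved), and that hosts at A address B's machines by their 172.16.0.0/16 NAT addresses. The addresses and route table are constructed for the example.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addressing, mirroring the reply: each site's real prefix is
# presented to the tunnel under a non-overlapping NAT prefix of equal length.
A_REAL, A_NAT = ip_network("10.0.0.0/8"), ip_network("11.0.0.0/8")
B_REAL, B_NAT = ip_network("10.50.0.0/16"), ip_network("172.16.0.0/16")


def static_network_nat(addr, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Rewrite addr from src_net into dst_net, keeping the host bits unchanged."""
    addr = ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("static network NAT needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + offset)


def outbound(src, dst, real, nat, peer_nat):
    """Router sending into the tunnel: policy NAT of the inside source real->nat,
    applied only when the destination is the peer's NAT prefix."""
    dst = ip_address(dst)
    if dst not in peer_nat:
        raise ValueError(f"{dst} is not a tunnel destination")
    return static_network_nat(src, real, nat), dst


def inbound(src, dst, peer_nat, nat, real):
    """Router receiving from the tunnel: source stays as the peer's NAT address,
    destination is de-NATed nat->real before delivery to the LAN."""
    src = ip_address(src)
    if src not in peer_nat:
        raise ValueError(f"{src} did not arrive via the tunnel")
    return src, static_network_nat(dst, nat, real)


def round_trip(a_host, b_host_nat):
    """Trace an A->B request and its B->A reply; return the four (src, dst) views."""
    s1, d1 = outbound(a_host, b_host_nat, A_REAL, A_NAT, B_NAT)  # on the tunnel, A->B
    s2, d2 = inbound(s1, d1, A_NAT, B_NAT, B_REAL)               # delivered on B's LAN
    s3, d3 = outbound(d2, s2, B_REAL, B_NAT, A_NAT)              # reply on the tunnel, B->A
    s4, d4 = inbound(s3, d3, B_NAT, A_NAT, A_REAL)               # delivered on A's LAN
    return [(str(s), str(d)) for s, d in ((s1, d1), (s2, d2), (s3, d3), (s4, d4))]


def next_hop(dst, routes):
    """Longest-prefix match, the rule the first reply points at."""
    dst = ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


# Site A's table: its own /8 locally, only the peer's NAT prefix via the tunnel.
SITE_A_ROUTES = [(A_REAL, "local LAN"), (B_NAT, "tunnel")]
```

Sending to 10.50.0.10 from site A stays on the local LAN (it falls inside 10/8), while 172.16.0.10 is routed into the tunnel and de-NATed to 10.50.0.10 only once it is at site B.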
