
Urgent: NAT

giaaaj
Level 1

Hi,

I have a router in the center and have 10 remote sites that use the same subnet:

Remote-site 1 : Subnet 192.168.1.0/24

Remote-site 2 : Subnet 192.168.1.0/24

Remote-site 3 : Subnet 192.168.1.0/24

and so on

Is there any way to connect to these subnets at the same time from the same router using VPN tunnels?

4 Replies

paolo bevilacqua
Hall of Fame

You would need to run NAT at each of the remote sites. That would prevent you having connectivity between remote sites, so I suggest you renumber them to have different subnets, and configure NAT to access the Internet at central site only.

Hope this helps, please rate post if it does!

Thanks for replying, Paolo,

The installations at the remote site cannot be changed. What about if I use different IPsec virtual interfaces (a virtual interface for each connection) and do route-map based NAT? Will this work?

Thx

Ali

Honestly, I don't see how that would work. It has been a bad design in the first place to give the same address to all the locations if these were meant to communicate.

Hi

As Paolo says, it's not a good design to have the same subnet at each location, but I think the answer to your question is yes, it can be done, but it's messy.

For each remote subnet you need to NAT this to some other unique subnet range, e.g.

Remote site 1 192.168.1.0/24 -> 172.16.1.0/24

Remote site 2 192.168.2.0/24 -> 172.16.2.0/24

etc.

The NAT translations will have to be done on each remote site router.

Then you create your VPN tunnels based on the translated addresses.

From the HQ site to talk to 192.168.1.10 at site 1 you would use the address 172.16.1.10.

To talk to 192.168.1.10 at site 2 you would use the address 172.16.2.10.

The spokes could also talk to each other with this, i.e.

site 1 192.168.1.10 talks to site 2 192.168.1.10

becomes

site 1 172.16.1.10 talks to site 2 172.16.2.10

This will work but, as I say, it is very messy, and NAT can and does break certain applications.

I appreciate what you say about not being able to change addresses but the amount of extra configuration and complexity needed to make this work would make readdressing the far simpler option.

HTH

Jon
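
The remote-site half of the approach Jon describes, sketched as Cisco IOS configuration for site 1; this is an added example, not configuration posted by anyone in the thread. The HQ LAN (10.0.0.0/24), the WAN and peer addresses (documentation ranges), the interface names, the object names and the key placeholder are assumptions.

```cisco
! Remote site 1 router (constructed example; every address other than
! 192.168.1.0/24 and 172.16.1.0/24 is an assumption)
interface GigabitEthernet0/1
 description LAN - overlapping subnet, left unchanged
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN towards HQ
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN-HQ
!
! 1:1 network NAT: 192.168.1.x <-> 172.16.1.x, host part preserved
ip nat inside source static network 192.168.1.0 172.16.1.0 /24
!
! NAT runs before encryption on the inside-to-outside path, so the
! crypto ACL matches the translated source, not 192.168.1.0/24
ip access-list extended VPN-TO-HQ
 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set TS-HQ esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN-HQ 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-HQ
 match address VPN-TO-HQ
!
! Default route to the WAN next hop
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! The HQ router mirrors the ACL per site, using only translated ranges:
!  site 1: permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!  site 2: permit ip 10.0.0.0 0.0.0.255 172.16.2.0 0.0.0.255
```

Site 2 uses the same configuration with 172.16.2.0 as the global network. As written, the static network rule translates all traffic leaving the outside interface, not only tunnel traffic.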
