Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPsec VPN with overlapping Network

Hi

I am trying to make the site to site VPN b/w two sites but both sites are having 192.168.10.x/24 on both sites.

I want Site A to access the Site B network (192.168.10.x)  on 192.168.73.x

Site B access the Site A network on on real IP addess as actual LAN 192.168.80.0, 192.168.200,0 and 192.168.10.0

Site B will use 192.168.73.x when they want to access Site A subnets

Configuration for Site A is mention below

access-list acl-htts extended permit ip 192.168.80.64 255.255.255.255 192.168.73.0 255.255.255.0

access-list acl-httsa extended permit ip 192.168.80.89 255.255.255.255 192.168.73.0 255.255.255.0

access-list acl-httsa extended permit ip 192.168.80.62 255.255.255.255 192.168.73.0 255.255.255.0

access-list acl-httsa extended permit ip 192.168.210.125 255.255.255.255 192.168.73.0 255.255.255.0

access-list acl-httsa extended permit ip 192.168.200.86 255.255.255.255 192.168.73.0 255.255.255.0

static (inside,outside) 192.168.73.0 access-list acl-99

access-list acl-99 extended permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list acl-99 extended permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list acl-99 extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0

static (outside,inside) 192.168.73.0 192.168.10.0

Please let me know if the above configuration will work for me. I am confuse about the static configuration. Please assist

5 REPLIES
Super Bronze

Re: IPsec VPN with overlapping Network

Hi,

The above configurations don't really match what you are describing before them. Also I think you need to NAT both sites source network since even though Site A might be connecting to another network (192.168.73.0/24) the Site B would still be seeing connections coming from network 192.168.10.0/24 on its outside interface while it has the same network on its inside.

I might have totally missunderstood the original post though

Lets look through all the information needed for the L2L VPN

Site A network(s):

  • 192.168.10.0/24 ( NAT 192.168.20.0/24 for example)
  • 192.168.80.0/24
  • 192.168.200.0/24

Site B  network(s):

  • 192.168.10.0/24 (NAT 192.168.73.0/24)

The L2L VPN encryption domain / interesting ACL and NAT configuraitons would be looking something like this

SiteA

access-list SITE-A-L2L-VPN-ACL permit ip 192.168.20.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list SITE-A-L2L-VPN-ACL permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list SITE-A-L2L-VPN-ACL permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list SITE-A-VPN-NONAT remark NO NAT for the below networks

access-list SITE-A-VPN-NONAT permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list SITE-A-VPN-NONAT permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0

nat (inside) 0 access-list SITE-A-VPN-NONAT

access-list SITE-A-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0

static (inside,outside) 192.168.20.0 access-list SITE-A-VPN-POLICYNAT

The above configuration should do the following for SITE A

  • First ACL will define the source and destination networks for the L2L VPN connection. 2 of your local network will not be natted and show with their original addresses. The overlapping network 192.168.10.0/24 will be showing from a NATed network 192.168.20.0/24. Also the destination network is the network 192.168.73.0/24 which is NATed at SITE B device.
  • Second ACL and the nat (inside) 0 statements configure that your non-overlapping networks will be visible to the SITE B with their original addresses
  • Third ACL and static statement configure that your local overlapping network 192.168.10.0/24 will be showing with NAT network 192.168.20.0/24 to SITE B when its connecting to the remote network of 192.168.73.0/24

SiteB

access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.80.0 255.255.255.0

access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0

access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0

static (inside,outside) 192.168.73.0 access-list SITE-B-VPN-POLICYNAT

The above configuration should do the following for SITE B

  • First ACL will define the source and destination networks for the L2L VPN connection.Your source network will be the NATed network 192.168.73.0/24 of the real network 192.168.10.0/24. The destination networks will be SITE As NATed network 192.168.20.0/24 of their local network 192.168.10.0/24 and the NoNAT networks of 192.168.80.0/24 and 192.168.200.0/24
  • Second ACL and NAT statement tell that when SITE B local network 192.168.10.0/24 is connecting to any of the SITE A networks it will be NATed to the network 192.168.73.0/24

Hope I didnt mess up any configurations

Please rate if it was of any help

Ask more if something need clarification

- Jouni

New Member

IPsec VPN with overlapping Network

Hi,

Thanks for the detail reply but I dont have any administrative control for the Site B network. I am only managing Site A network which has the LAN IP address

192.168.80.0

192.168.200.0

192.168.10.0

I want to give my all users 192.168.73.0 network as remote Site B network (which is 192.168.10.x).

All the traffic from my LAN should appear at the Site B network as coming from 192.168.73.x source.

All configuration I need only my firewall. When traffic from Site B comes to my firewall it should translate 192.168.10.0 network of Site B into 192.168.73.x.

How i can achieve this without doing NAT on the Site B network.

Super Bronze

IPsec VPN with overlapping Network

Hmm,

So you want to NAT overlapping networks and in the process overlap them again?

New Member

IPsec VPN with overlapping Network

Yes, because I dont want to do the extra configuration on the Site B network because I dont have any control over their.

I want to do all the configuration for the overlapping network etc on my side and let the site B configure the standardard VPN configuration.

Super Bronze

IPsec VPN with overlapping Network

Hi,

To be honest I cant see how this would work when you consider that you would tell the VPN device that the source and destination network are both the same for both sites.

Or I just have missunderstood this thing completely.

Though I've got to say that all these NAT and VPN configurations are the easiest when both endpoints handle their NAT configurations seperately. So if its in any way possible I suggest you get someone to handle the configurations on the other end so that you dont have to deal with the situation alone.

602
Views
2
Helpful
5
Replies