Multiple VPN tunnels to Data Center with overlapping networks

William Reed (Level 1)

Hello guys,

We are beginning to host applications for clients that need Windows trusts (maybe?) and full IP access to a Class C subnet in our data center.

My problem is most of our clients are small mom-and-pop shops IPed to 192.168.1.x. I plan to install my own Cisco ASA in each of these sites and create a VPN back to the data center for access to the application. The last 2 sites I did, I re-IPed the network to a scheme of mine. I am beginning to run into clients, though, that we simply host the app for, and I cannot really make them re-IP their network if they do not want to.

 

My question is, what are my options here? I assume some type of NAT, but I am not really sure how that would work. With a Windows trust the communication needs to be 2-way. If we didn't have the trusts, I could see this working no problem with a simple NAT, right? What firewall would you guys do the NAT on? The remote end or the Data Center?

Any help and guidance is appreciated.

I am a complete Cisco network, ASAs, Catalysts, Routers, etc.....

1 Accepted Solution

Dinesh Moudgil (Cisco Employee)

Hi Billy,

Basically, for overlapping networks, you will perform NAT on both sites for the interesting traffic.
If you have overlapping networks, you can follow this link if you are using Cisco ASAs and this link for Cisco routers as VPN termination devices.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


5 Replies

Thank you, this is really great info.

One question I do have is, why do I have to NAT on both sides? I would like the remote office to be able to talk to the Data Center on its normal subnet (10.14.85.x) with no NAT. But I would like the remote site to appear as a different network to the Data Center (where the conflict really lies).

 

Does this make sense? Will this work?

Hi Bill,

Yes, that would work as well, as long as the overlapping subnet is only on one side.
i.e., if the overlap is occurring only on the Data Center side, then you can perform only one NAT to translate the remote side's original IP.

Either source NAT on the remote side or destination NAT on the Data Center side should suffice.

P.S. Try to use static NAT so that traffic can be initiated bidirectionally.

The data center's subnet (10.14.85.x) does not overlap; it is the remote sites that are going to overlap (192.168.1.x), for example. Does that make sense?

With that being said, I think I need to make the static NAT on the remote site so that when it gets to the Data Center it appears as a different IP address.

Does this make sense? Am I going down the right path?

And for the interesting traffic in the tunnel, I use the NATed IPs, correct? Not the pre-NAT IPs.

That's right, Billy.

Only one side needs to be NATed, and we use the translated IPs in the crypto access-list.
HTH

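As a worked example of the arrangement the thread settles on (static one-to-one NAT on the remote ASA only, translated addresses in the crypto ACL, identity NAT at the data center), here is an ASA 8.4+ style configuration for both ends. This is added here and is not from the original thread or from Cisco; the object names, the mapped subnet 10.99.1.0/24, the peer addresses 203.0.113.1 and 198.51.100.1, the interface names, the IKEv1 policy and transform set, and the pre-shared key placeholder are all assumptions. Each further remote site would get its own distinct mapped /24 (10.99.2.0/24, and so on) while keeping 192.168.1.0/24 internally.

```cisco
! ===== Remote site ASA (site 1; real LAN 192.168.1.0/24, outside 198.51.100.1) =====
! All names and addresses below are assumed for this example.
object network SITE1_REAL
 subnet 192.168.1.0 255.255.255.0
object network SITE1_MAPPED
 subnet 10.99.1.0 255.255.255.0
object network DC_LAN
 subnet 10.14.85.0 255.255.255.0

! Twice (manual) NAT: only for traffic to the DC, 192.168.1.x is presented
! one-to-one as 10.99.1.x (192.168.1.10 -> 10.99.1.10). The DC subnet is
! left untranslated, so the site still sees the DC as 10.14.85.x.
! "static" makes the rule bidirectional, which is what lets a DC host
! (or a domain controller) initiate a connection to 10.99.1.10.
nat (inside,outside) source static SITE1_REAL SITE1_MAPPED destination static DC_LAN DC_LAN no-proxy-arp route-lookup

! Interesting traffic is written with the TRANSLATED source: the ASA applies
! NAT before it evaluates the crypto map, so the crypto ACL must match
! 10.99.1.0/24, not 192.168.1.0/24, and it must mirror the DC side exactly.
access-list VPN_TO_DC extended permit ip object SITE1_MAPPED object DC_LAN

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_DC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <site1-psk>

! ===== Data center ASA (inside 10.14.85.0/24, outside 203.0.113.1) =====
! The DC never sees 192.168.1.x; it only knows this site as 10.99.1.0/24.
object network DC_LAN
 subnet 10.14.85.0 255.255.255.0
object network SITE1_MAPPED
 subnet 10.99.1.0 255.255.255.0

! Identity (exemption) NAT so DC traffic to the site's mapped range is not
! translated by any other NAT rule on the way into the tunnel.
nat (inside,outside) source static DC_LAN DC_LAN destination static SITE1_MAPPED SITE1_MAPPED no-proxy-arp route-lookup

! Mirror image of the remote crypto ACL.
access-list VPN_TO_SITE1 extended permit ip object DC_LAN object SITE1_MAPPED
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <site1-psk>
! A second overlapping site is a copy of the SITE1_* objects, nat rule,
! ACL and crypto map entry (sequence 20) with its own mapped /24 and peer.

! ===== Checks on the remote ASA =====
! packet-tracer input inside tcp 192.168.1.10 40000 10.14.85.20 445
!   Expect a NAT phase translating 192.168.1.10 to 10.99.1.10 and a VPN
!   phase that ENCRYPTs; if the crypto ACL still lists 192.168.1.0/24 the
!   packet will fall through to plain routing instead of the tunnel.
! show nat detail
! show crypto ipsec sa peer 203.0.113.1
!   The local ident should read 10.99.1.0/255.255.255.0, not 192.168.1.0.
```

Two practical caveats for the Windows-trust case. First, one-to-one subnet NAT requires the real and mapped networks to be the same size, so a client's 192.168.1.0/24 needs a full /24 of mapped space per site. Second, this NAT hides the real addresses from the IP header but not from anything carried inside the payload: domain members register their real 192.168.1.x addresses in AD-integrated DNS, so name resolution on the data center side must return the 10.99.1.x addresses (static records or a separate zone), and Microsoft documents Active Directory across NAT as an unsupported configuration. Hosting the application and reaching the client hosts works fine with the configuration above; a full domain trust over this NAT should be tested end to end before it is promised to the client.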