Cisco Support Community
New Member

Multiple VPN tunnels to Data Center with overlapping networks

Hello guys,

We are beginning to host applications for clients that need Windows trusts (maybe?) and full IP access to a Class C subnet in our data center.

My problem is most of our clients are small mom-and-pop shops IPed to 192.168.1.x. I plan to install my own Cisco ASA in each of these sites and create a VPN back to the data center for access to the application. The last 2 sites I did, I re-IPed the network to a scheme of mine. I am beginning to run into clients, though, that we simply host the app for, and I cannot really make them re-IP their network if they do not want to.


My question is what are my options here? I assume some type of NAT, but I am not really sure how that would work. With a Windows trust the communication needs to be 2-way. If we didn't have the trusts I could see this working no problem with a simple NAT, right? What firewall would you guys do the NAT on? The remote end or the Data Center?

Any help and guidance is appreciated.

I am a complete Cisco network, ASAs, Catalysts, Routers, etc.....

5 REPLIES
Cisco Employee (accepted solution)


Hi Billy,

Basically, for overlapping networks, you will perform NAT on both sites for the interesting traffic.
If you have overlapping networks, you can follow this link if you are using Cisco ASAs and this link for Cisco routers as VPN termination devices.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member


Thank you, this is really great info.

One question I do have is: why do I have to NAT on both sides? I would like the remote office to be able to talk to the Data Center on its normal subnet (10.14.85.x) with no NAT. But I would like the remote site to appear as a different network to the Data Center (where the conflict really lies).


Does this make sense? Will this work?

Cisco Employee


Hi Bill,

Yes, that would work as well, as long as the overlapping subnet is only on one side.
i.e. if the overlap is occurring only on the Data Center side, then you can perform only one NAT to translate the remote side's original IP.

Either source NAT on the remote side or destination NAT on the Data Center should suffice.

P.S. Try to use static NAT so that traffic can be initiated bidirectionally.

New Member


The data center's subnet (10.14.85.x) does not overlap; it is the remote sites that are going to overlap (192.168.1.x, for example). Does that make sense?

With that being said I think I need to make the static NAT on the remote site so that when it gets to the Data Center it appears as a different IP address.

Does this make sense? Am I going down the right path?

And for the interesting traffic in the tunnel I use the NATed IPs, correct? Not the Pre-NATed IPs.

Cisco Employee


That's right, Billy

Only one side needs to be NATed, and we use the translated IPs in the crypto access-list.
HTH
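A worked configuration for the design the thread settles on (static NAT on the remote-site ASA only, translated addresses in the crypto ACL, no translation at the data center). This is an added example, not taken from the posts above or from Cisco documentation. It uses ASA 8.4+ syntax and assumes: the client LAN is 192.168.1.0/24 and the data center LAN is 10.14.85.0/24 as in the thread; an unused 10.250.1.0/24 is chosen as this site's translated ("alias") subnet; the tunnel endpoints are 203.0.113.1 (data center) and 198.51.100.1 (client site); and the object, ACL, transform-set and crypto-map names are placeholders.

```cisco
! ---- Remote-site ASA (client LAN 192.168.1.0/24), ASA 8.4+ syntax ----
! Assumed values: 10.250.1.0/24 is an unused subnet picked as this site's
! translated subnet; 203.0.113.1 is the data-center ASA's outside address.
object network CLIENT_LAN
 subnet 192.168.1.0 255.255.255.0
object network CLIENT_LAN_NAT
 subnet 10.250.1.0 255.255.255.0
object network DC_LAN
 subnet 10.14.85.0 255.255.255.0

! Static net-to-net translation, scoped to traffic between the client LAN and
! the data center only (manual/twice NAT in section 1, so it is evaluated
! before any object NAT rule that does dynamic PAT for internet traffic).
! Host 192.168.1.10 appears to the data center as 10.250.1.10; because the
! mapping is static and 1:1, the data center can also initiate connections
! to 10.250.1.10, which is what a two-way Windows trust needs.
nat (inside,outside) 1 source static CLIENT_LAN CLIENT_LAN_NAT destination static DC_LAN DC_LAN

! Crypto ACL (interesting traffic) uses the TRANSLATED source subnet,
! never 192.168.1.0/24.
access-list VPN_TO_DC extended permit ip 10.250.1.0 255.255.255.0 10.14.85.0 255.255.255.0

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set DC_TS esp-aes-256 esp-sha-hmac

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_A_LONG_RANDOM_KEY

crypto map OUTSIDE_MAP 10 match address VPN_TO_DC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set DC_TS
crypto map OUTSIDE_MAP interface outside

! ---- Data-center ASA (LAN 10.14.85.0/24) ----
! No translation here: identity NAT (NAT exemption) between DC_LAN and the
! site's translated subnet, so the data center keeps its real addresses.
object network DC_LAN
 subnet 10.14.85.0 255.255.255.0
object network SITE1_LAN_NAT
 subnet 10.250.1.0 255.255.255.0
nat (inside,outside) 1 source static DC_LAN DC_LAN destination static SITE1_LAN_NAT SITE1_LAN_NAT no-proxy-arp route-lookup

! Mirror image of the remote side's crypto ACL; the data center only ever
! sees 10.250.1.x for this client.
access-list VPN_TO_SITE1 extended permit ip 10.14.85.0 255.255.255.0 10.250.1.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set DC_TS
crypto map OUTSIDE_MAP interface outside
! (The ikev1 policy, the DC_TS transform-set and the tunnel-group for
!  198.51.100.1 are defined exactly as on the remote side.)

! A second client that is also 192.168.1.0/24 gets its own alias subnet
! (e.g. 10.250.2.0/24), its own NAT rule on its ASA and its own crypto-map
! sequence (20) plus identity-NAT rule at the data center; the two sites
! never collide.
```

To check the translation and tunnel selection before cutting anyone over, run `packet-tracer input inside tcp 192.168.1.10 1025 10.14.85.5 445` on the remote ASA: the NAT phase should show the source becoming 10.250.1.10 and the VPN phase should match OUTSIDE_MAP sequence 10. The reverse direction, `packet-tracer input inside tcp 10.14.85.5 1025 10.250.1.10 445` on the data-center ASA, confirms the data center can initiate to the translated address; `show crypto ipsec sa` then shows encaps/decaps counters rising for the 10.250.1.0/24 <-> 10.14.85.0/24 proxy identities. Two practical points: any DNS or trust records the data center holds for remote hosts must refer to the 10.250.1.x addresses, because that is the only identity those hosts have on the data-center side; and if the data center's own subnet ever overlapped with a client as well (the case the first reply covers), the data-center ASA would add a mirrored `source static DC_LAN DC_LAN_NAT` rule and both crypto ACLs would carry translated addresses on both ends.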

