Cisco Support Community
Community Member

Overlapping VPN


Having a doubt about site-to-site VPN,

I have 3 customers, cust1--- cust2 ---- cust3,

the private ip address is ,

Cust1 ---- (PIX)

Cust2 ---- (Checkpoint Nokia)

Cust3 ---- (ASA)

connectivity is Cust1 ---- Cust2 ---- Cust3

| | |

I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 and also Cust2 -- Cust3. But here cust1 and cust3 have the same private IP address range. So, when establishing a VPN tunnel in Cust2 with cust2 to cust1 and cust2 to cust3, there will be a conflict between the ranges.

Here is the config that I have done in the PIX (Cust1)

static (inside,outside) access-list TICTAC

access-list TICTAC permit ip

crypto ACL:

access-list crypto permit ip

access-list nonat permit ip host

nat (inside) 0 access-list nonat

show run | i global|nat|access-list

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

I am able to ping the cust2 private IP range through the VPN, but unable to browse the internet in cust1.

Note: Each cust has an individual internet connection.

Can anyone help me out? Is there anything I am missing?



Cisco Employee

Re: Overlapping VPN

I would remove the nonat you have configured on the inside for the traffic that is going through. You want to nat the traffic as specified by your static.

PS. If you found this post helpful, please rate it.

Community Member

Re: Overlapping VPN

Had removed the nonat statement, nothing is happening :-(

Cisco Employee

Re: Overlapping VPN

Manoj, you need to go step by step then. Figure out what is going on with the packet.

1) What is the packet source, and where is it destined?

2) When it hits the ASA's inside interface, does it hit any ACLs?

3) If no ACLs, where does routing say it should go? Outside interface or another interface?

4) Is the packet supposed to be NAT'd? If yes, then are the NAT statements correct?

5) If it's supposed to be encrypted after the NAT, are the crypto ACLs correct, and is crypto applied to the interface that the packet is supposed to be going out of?

6) What do the logs show?

Re: Overlapping VPN


Any luck with your scenario? I have the same problem and no solution yet.

What I want to know is: if a packet reaches the router, which is going to happen first? The NAT operation, or will it get tunneled?




Re: Overlapping VPN

NAT will happen first. Why don't you post up more info about your problem...
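
Added example, not part of the thread or of anyone's posted configuration: a small Python model of the order of operations discussed above (NAT exemption is checked before the static, and the crypto ACL is matched on the packet after NAT). All address ranges are constructed placeholders, since the thread's real ranges are not shown, and the function names are hypothetical.

```python
import ipaddress

# Constructed ranges; the real ones are not visible in the thread.
LOCAL = ipaddress.ip_network("10.1.1.0/24")      # overlapping inside range
MAPPED = ipaddress.ip_network("172.16.1.0/24")   # range the policy static maps it to
REMOTE = ipaddress.ip_network("192.168.2.0/24")  # peer's private range


def policy_static(src, dst):
    """Policy static NAT: LOCAL is translated to MAPPED only towards REMOTE."""
    if src in LOCAL and dst in REMOTE:
        return MAPPED.network_address + (int(src) - int(LOCAL.network_address))
    return None


def matches(acl, src, dst):
    """True if (src, dst) is permitted by a list of (source net, dest net) pairs."""
    return any(src in s and dst in d for s, d in acl)


def egress(src, dst, nonat_acl, crypto_acl):
    """Return (source after NAT, 'encrypt' or 'clear') for an inside-to-outside packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if matches(nonat_acl, src, dst):
        out_src = src                       # nat 0 exemption wins: no translation
    else:
        out_src = policy_static(src, dst)   # None means fall through to interface PAT
    if out_src is None:
        return "interface-pat", "clear"     # ordinary internet traffic
    action = "encrypt" if matches(crypto_acl, out_src, dst) else "clear"
    return str(out_src), action


if __name__ == "__main__":
    crypto = [(MAPPED, REMOTE)]             # crypto ACL written for the translated range
    cases = [
        ("nonat present", "10.1.1.10", "192.168.2.5", [(LOCAL, REMOTE)]),
        ("nonat removed", "10.1.1.10", "192.168.2.5", []),
        ("internet", "10.1.1.10", "203.0.113.9", []),
    ]
    for label, s, d, nonat in cases:
        print(f"{label:14} {s} -> {d}: {egress(s, d, nonat, crypto)}")
```

With the exemption in place the packet keeps its overlapping source address and never matches a crypto ACL written for the translated range, which is the situation steps 4 and 5 of the checklist are meant to catch.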

Re: Overlapping VPN


I have an ASA firewall tunneling its behind to a Checkpoint NGX. The trouble is that already exists behind Checkpoint as a connected network.

Nevertheless my VPN has to connect with

So I concluded NAT is needed only on ASA side, right?

The VPN got up immediately, still I don't have connectivity between sites.

I attached the specific config on ASA; please mention show crypto ipsec sa shows only decrypted packages but no encrypted ones!

What have I missed?


