Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Site-to-site VPN private IP space overlap

I am building a site-to-site VPN on my ASA with an organization that is using the same IP space on their LAN. I am thinking about doing static translation for my 10.x.x.x/10 before it hits the VPN tunnel, but I am not realy excited with that solution. Does anyone have any other suggestions? Thank you.

8 REPLIES
Hall of Fame Super Blue

Re: Site-to-site VPN private IP space overlap

Vlad

I sympathise with how you feel about this as NAT is often a last resort but if you are both using the same address space you have 2 choices really

1) Readdress one set of clients

2) NAT one set of clients.

1 is very impractical so that really leaves 2 and unless you can persuade the partner to do the NAT it will have to be done on your firewall.

Jon

Community Member

Re: Site-to-site VPN private IP space overlap

Jon,

I had that feeling, but I thought maybe there was another way, something magical I can do on the ASA. Thanks for your response.

Silver

Re: Site-to-site VPN private IP space overlap

1) Readdress one set of clients

2) NAT one set of clients.

That is not true. If both sides use the same IP addresses, NAT will have

to be done on BOTH sides. For example:

LAN_A: 192.168.1.0/24

LAN_B: 192.168.1.0/24

In this example, you will do something like:

When LAN_A goes to LAN_B, you have to nat the source of LAN_A to

10.0.1.0/24 and the destination of LAN_B to 10.0.2.0/24. When

the traffics get to LAN_B, you keep the source traffics as 10.0.1.0/24

but you have to "de-nat" the destination from "10.0.2.0/24" back to

192.168.1.0/24

When LAN_B goes to LAN_A, you have to nat the source of LAN_B to

10.0.2.0/24 and the destination of LAN_B to 10.0.1.0/24. When

the traffics get to LAN_A, you keep the source traffics as 10.0.2.0/24

but you have to "de-nat" the destination from "10.0.1.0/24" back to

192.168.1.0/24.

ASA can definitely do this. The issue is the complexity you will have

especially when you have other VPN tunnels on the same ASA firewall,

in addition to other NAT/PAT.

CCIE Security

Hall of Fame Super Blue

Re: Site-to-site VPN private IP space overlap

David

"If both sides use the same IP addresses, NAT will have

to be done on BOTH sides."

Well that's not strictly correct either. It all depends on whether or not both sides need to initiate connections or it is just one side that needs to initiate connections.

We know the ASA can do this but Vlad was asking if there was any other way.

So next time, before you jump in and tell people they are wrong perhaps you could take a moment to ensure what you are saying is right. We all make mistakes and get things wrong but there are perhaps better ways of expressing it.

Lastly, signing out with CCIE Security does nothing, at least for me, to back up your arguments. There are many CCIE's on these forums and none of them seem to feel the need to express it in the way you do.

Jon

Hall of Fame Super Blue

Re: Site-to-site VPN private IP space overlap

David

Feeling a complete idiot as i have now realised that yes you do need to NAT both sides. I mixed it up with having to statically NAT or dynamically NAT depending on whether both sides need to initiate connections or not.

Sincere apologies for the mistake and yes i can see the irony in what i wrote !.

Jon

Silver

Re: Site-to-site VPN private IP space overlap

Everyone makes mistake including myself,

many times, I may add.

I remembered the VPN with IP overlap example

from the day I worked with an Managed Security

Service Provider (MSSP) and I had to do this

for a customer. I used Checkpoint on my end

but the customer had Cisco Pix on their end.

It took me about 5 minutes to setup this

scenario on the Checkpoint side. On the

Cisco side, it took the customer about 8

hours because they had so many VPNs and NAT.

They accidentally took down 20 VPN tunnels

on their side because of this double NAT

configuration. For configuration like this,

you need to consider it very carefully because

you will have to support it later.

Last but not least, I used the "CCIE Security"

as a way to poke fun at myself. I am

cisco certified but I spend about 99% of my

time working on Checkpoint product. How

ironic :-(

Community Member

Re: Site-to-site VPN private IP space overlap

Hi,

My Question is can i NAT the Inside host IP address 172.16.XX.XX to a public IP address. my partner wants to NAT with Public IP, if i don't convince him then we will end routing my server 172.17.X.X to public address through VPN. IS this recommended ? or can we do a double NAT to make sure that we don't route traffic to Public IP directly even through VPN. please suggest me.

Silver

Re: Site-to-site VPN private IP space overlap

"My Question is can i NAT the Inside host IP address 172.16.XX.XX to a public IP address. my partner wants to NAT with Public IP,"

Yes, you can.

"server 172.17.X.X to public address through VPN. IS this recommended ? or can we do a double NAT to make sure that we don't route traffic to Public IP directly even through VPN."

You CAN route public IPs over VPN. There are

no restrictions for this. You just have

to find a way that suited best for both of you

and your partner. Last but not least, keep

it simple so that it will be easier to

maintain in the future.

my 2c

393
Views
5
Helpful
8
Replies
CreatePlease to create content