
VPN L2L Cisco-Watchguard on the same subnet


I have a problem with a LAN-to-LAN VPN between a Cisco 850 (12.4) and a Watchguard (11.1). I need to NAT the two private addresses because, on the Watchguard side, the Cisco subnet is already used. I have no problem creating the VPN tunnel, and I see it up and running on the two devices, but I cannot browse the LAN.

Some information:

LAN1 = Cisco
LAN1 private address =
LAN1 nat =
LAN1 public address =

LAN2 = Watchguard
LAN2 private address =
LAN2 nat =
LAN2 public address = 88.57.ghi.jkl

This is the Cisco configuration for the VPN:

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXX address 88.57.ghi.jkl
crypto isakmp keepalive 20 5
crypto isakmp aggressive-mode disable
crypto ipsec transform-set LAN2LANSET esp-3des esp-sha-hmac
crypto map LANTOLANMAP 20 ipsec-isakmp
 set peer 88.57.ghi.jkl
 set transform-set LAN2LANSET
 match address 120
no ip source-route
no ip gratuitous-arps
ip cef
no ip domain lookup
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
interface ATM0.1 point-to-point
 ip address
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
 crypto map LANTOLANMAP
interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly
ip route ATM0.1
ip nat inside source route-map NONAT interface ATM0.1 overload
access-list 110 deny   ip
access-list 110 deny   ip
access-list 110 permit ip any
access-list 120 permit ip
route-map NONAT permit 10
 match ip address 110

With this configuration I can browse the internet but NOT the VPN tunnel (because, I suppose, there is no NAT). If I add this:

ip nat inside source static network /24 no-alias

I can browse the tunnel but not the internet (because, I think, I redirect all the traffic through the tunnel). Is there a way to solve this situation? For the record, I cannot buy other hardware or change the two subnet addresses.

