Cisco Support Community
Community Member

VPN subnet conflict

I have a site to site VPN between Site A and Site B.  Can I create another site to site VPN between Site A and Site C when Site C has the same subnet as Site B?  Is there some way to NAT one of the sites or do I have to re-IP?  Thanks!

Site A (10.10.10.0/24) and Site B (192.168.1.0/24)
Site A (10.10.10.0/24) and Site C (192.168.1.0/24)

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

VPN subnet conflict

Yes that can be done. Site B or site C has to hide their addresses with a subnet without conflict. If B and C want to communicate with each other, both have to hide their addresses. This works because NAT is done before IPSec. So you specify your translation and your crypto-ACLs have to use the translated addresses.

From my experience: Don't do it! If the sites are not too big do a renumbering. That's only one weekend with maximum pain and no sleep. But the double NAT is an ongoing pain.

Third solution: If you have already some IPv6 experience and you only need communication to some servers, then you can deploy them dual-stack and ignore the IPv4 conflicting addresses.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
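
The NAT-before-IPsec approach from the accepted answer, worked through as an added example (not part of the original posts): it shows why Site A cannot tell B and C apart without NAT, validates a translated range for Site C, and derives the crypto-ACL selectors in translated addresses. The range 192.168.3.0/24 and all function names are assumptions made for illustration.

```python
import ipaddress as ip
from itertools import combinations

# Subnets from the question; the NAT range for Site C is an assumed free subnet.
SITE_A = ip.ip_network("10.10.10.0/24")
SITE_B = ip.ip_network("192.168.1.0/24")
SITE_C = ip.ip_network("192.168.1.0/24")
SITE_C_NAT = ip.ip_network("192.168.3.0/24")  # assumption, not from the thread

def ambiguous_peers(remote_nets):
    """Pairs of peers whose remote subnets overlap as seen from Site A."""
    items = sorted(remote_nets.items())
    return [(a, b) for (a, na), (b, nb) in combinations(items, 2)
            if na.overlaps(nb)]

def check_nat_range(real, translated, routed):
    """Reject a range that cannot map 1:1 or collides with a routed subnet."""
    if translated.prefixlen != real.prefixlen:
        raise ValueError("1:1 network NAT needs equal prefix lengths")
    for net in routed:
        if translated.overlaps(net):
            raise ValueError(f"{translated} overlaps {net}")
    return translated

def translate(addr, real, translated):
    """Static network NAT: keep the host bits, swap the network bits."""
    addr = ip.ip_address(addr)
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    return translated.network_address + (int(addr) - int(real.network_address))

def crypto_acls():
    """(source, destination) selectors for the A-C tunnel, post-NAT."""
    nat = check_nat_range(SITE_C, SITE_C_NAT, [SITE_A, SITE_B])
    # NAT happens before IPsec, so both ends match on the translated range.
    return {"site_a": (SITE_A, nat), "site_c": (nat, SITE_A)}

if __name__ == "__main__":
    print("without NAT:", ambiguous_peers({"B": SITE_B, "C": SITE_C}))
    print("with NAT:   ", ambiguous_peers({"B": SITE_B, "C": SITE_C_NAT}))
    print("192.168.1.25 ->", translate("192.168.1.25", SITE_C, SITE_C_NAT))
    for site, (src, dst) in crypto_acls().items():
        print(f"{site}: permit ip {src} -> {dst}")
```

From Site A, a host at Site C is then reached by its translated address (192.168.1.25 becomes 192.168.3.25 under this assumed range), while Site B keeps its real addresses.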
