Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN with same subnet ranges

Hello,

We need to setup a VPN from London to our Milan office, however we have got the same IP ranges each side of the tunnel.  Milan users only need to access London servers, London users do not need to access Milan servers.

Please see the simple attach diagram.  we don't manage the Mialn VPN/Firewall (SonicWall)

What can we do to get round this please.

6 REPLIES

Re: VPN with same subnet ranges

You can NAT one side before sending data across the tunnel. Here's a configuration guide-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Hope that helps.

New Member

Re: VPN with same subnet ranges

This is my exact same problem, but I need to implement the solution on a Cisco 881 - some of the commands are different, most notably the 'static (inside,outside) ...' command - what would be the equivalent for the 881?

Re: VPN with same subnet ranges

I assumed you had ASAs since your diagram showed firewalls. Anyway, here's a link on how to do it with routers.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

New Member

Re: VPN with same subnet ranges

Hi Collin,

It's probably my bad network drawing skills, London is an ASA and Milan is a SonicWall.  The SonicWall is not managed by me, and the people in Milan don't know how to use so they  have to get someone in costing money.  Is there any way I can control this all from my ASA? They (only 5 users) only need to access servers on the inside of my ASA in London.

I was theory thinking, if we created a VPN from London to Milan where the SA's were 2 different subnets we don't use that way the phase 1 and phase 2 will be complete, then we have to then fix the NAT or PAT?

e.g The subnets that clash are all on the 192.168.x.x/24 range (some clash some don'y - messy), so the SA's could be:

Milan  - 172.16.1.0/24

London - 172.16.2.0/24

I'm thinking if Milan only need to come inbound to London, and they need to get to a server in London on IP 192.168.21.1 (actual IP) then I could tell Milan it's on 172.16.1.10 so the traffic comes over the VPN to London which see a request for 172.16.1.10 which NAT's to 192.168.21.1.

Apologies if I'm sounding basic

Re: VPN with same subnet ranges

I may be off here , but your theory is exactly what you want to do, but you really only do it on one side. Unfortunately there is a caveat in this scenario (at least with Cisco equipment). The tunnel can only be established from one side. By that I mean Milan can send interesting traffic to London and the tunnel will be built. If the tunnel is down and London wants to connect to Milan, the tunnel will never be built. This doesn't fit well since you have no control over Milan and it's a Sonicwall. Would it be easier/cheaper to re-address Milan?

New Member

Re: VPN with same subnet ranges

I see what you mean. They (Milan) will be adding a couple of

our routers to their icmp polling servers to check the VPN is up, this should help I guess in the short term.?

4718
Views
0
Helpful
6
Replies
CreatePlease to create content