VPN with same subnet ranges

Andy White
Level 3

Hello,

We need to setup a VPN from London to our Milan office, however we have got the same IP ranges each side of the tunnel.  Milan users only need to access London servers, London users do not need to access Milan servers.

Please see the simple attached diagram. We don't manage the Milan VPN/firewall (SonicWall).

What can we do to get round this, please?

6 Replies

Collin Clark
VIP Alumni

You can NAT one side before sending data across the tunnel. Here's a configuration guide-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Hope that helps.

This is my exact same problem, but I need to implement the solution on a Cisco 881 - some of the commands are different, most notably the 'static (inside,outside) ...' command - what would be the equivalent for the 881?

I assumed you had ASAs since your diagram showed firewalls. Anyway, here's a link on how to do it with routers.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Hi Collin,

It's probably my bad network drawing skills: London is an ASA and Milan is a SonicWall. The SonicWall is not managed by me, and the people in Milan don't know how to use it, so they have to get someone in, costing money. Is there any way I can control this all from my ASA? They (only 5 users) only need to access servers on the inside of my ASA in London.

I was thinking, in theory, if we created a VPN from London to Milan where the SAs were 2 different subnets we don't use, that way phase 1 and phase 2 will complete, and then we have to fix the NAT or PAT?

e.g. the subnets that clash are all in the 192.168.x.x/24 range (some clash, some don't - messy), so the SAs could be:

Milan  - 172.16.1.0/24

London - 172.16.2.0/24

I'm thinking if Milan only needs to come inbound to London, and they need to get to a server in London on IP 192.168.21.1 (actual IP), then I could tell Milan it's on 172.16.1.10, so the traffic comes over the VPN to London, which sees a request for 172.16.1.10 and NATs it to 192.168.21.1.

Apologies if I'm sounding basic.
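The address plan sketched in the post above (give each side a translated range that nobody uses, have the firewall do 1:1 NAT before the traffic enters the tunnel, and build the phase 2 SAs on the translated ranges, which is also what the NAT-before-tunnel guide linked earlier describes) can be sanity-checked before anyone touches a firewall. The Python below is an added example, not configuration from this thread, from Cisco or from SonicWall. The per-site real subnets and host addresses are constructed, and it assumes London's translated range is 172.16.2.0/24 and Milan's is 172.16.1.0/24 as proposed in the post.

```python
"""Sanity-check a NAT-before-tunnel address plan for two sites with overlapping LANs.

All subnets and hosts below are constructed for illustration; they are not the
thread's real addresses.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List

# Constructed: each office has one /24 that clashes (192.168.21.0/24) and one that does not.
LONDON_REAL = ["192.168.21.0/24", "192.168.30.0/24"]
MILAN_REAL = ["192.168.21.0/24", "192.168.40.0/24"]

# Translated ranges each side presents inside the tunnel (the networks the phase 2
# SAs are built on), as proposed in the post: an assumption, not a verified config.
LONDON_MAPPED = "172.16.2.0/24"
MILAN_MAPPED = "172.16.1.0/24"


def static_nat(addr: str, real_net: str, mapped_net: str) -> str:
    """Network-to-network 1:1 static NAT: keep the host bits, swap the prefix.

    Works in either direction, so the same function un-translates a packet
    arriving from the tunnel when the ranges are passed the other way round.
    """
    a, real, mapped = IPv4Address(addr), IPv4Network(real_net), IPv4Network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped ranges must be the same size")
    if a not in real:
        raise ValueError(f"{a} is not inside {real}")
    host_bits = int(a) - int(real.network_address)
    return str(IPv4Address(int(mapped.network_address) + host_bits))


def plan_conflicts(london_real: Iterable[str], milan_real: Iterable[str],
                   london_mapped: str, milan_mapped: str) -> List[str]:
    """List every overlap that would break the plan; an empty list means clean.

    The two translated ranges must not overlap each other, and neither may
    overlap a real subnet at either site: each firewall has to route the peer's
    translated range into the tunnel, which fails if that range is also on its
    own LAN, and a translated range that collides with the firewall's own LAN
    makes mapped and real addresses ambiguous.
    """
    lm, mm = IPv4Network(london_mapped), IPv4Network(milan_mapped)
    problems: List[str] = []
    if lm.overlaps(mm):
        problems.append(f"translated ranges overlap: {lm} vs {mm}")
    for site, nets in (("London", london_real), ("Milan", milan_real)):
        for net_str in nets:
            net = IPv4Network(net_str)
            for label, mapped in (("London translated", lm), ("Milan translated", mm)):
                if net.overlaps(mapped):
                    problems.append(f"{label} {mapped} overlaps real {site} subnet {net}")
    return problems


def trace_milan_to_london(milan_host: str, milan_real_net: str,
                          london_server: str, london_real_net: str) -> Dict[str, str]:
    """Follow one Milan -> London packet: source NAT at Milan, destination
    un-NAT at London. Milan users address the server by its translated IP."""
    src_on_wire = static_nat(milan_host, milan_real_net, MILAN_MAPPED)
    dst_on_wire = static_nat(london_server, london_real_net, LONDON_MAPPED)
    dst_real = static_nat(dst_on_wire, LONDON_MAPPED, london_real_net)
    return {"src_on_wire": src_on_wire, "dst_on_wire": dst_on_wire, "dst_real": dst_real}


if __name__ == "__main__":
    print("proposed plan problems:",
          plan_conflicts(LONDON_REAL, MILAN_REAL, LONDON_MAPPED, MILAN_MAPPED))
    # A tempting shortcut: reuse an unused-looking 192.168.x.x range for Milan's side.
    print("bad plan problems:",
          plan_conflicts(LONDON_REAL, MILAN_REAL, LONDON_MAPPED, "192.168.30.0/24"))
    # Milan host and London server share the clashing /24; the translation resolves it.
    print(trace_milan_to_london("192.168.21.50", "192.168.21.0/24",
                                "192.168.21.1", "192.168.21.0/24"))
```

The trace shows why the translated address is what Milan users must be given: the London firewall only ever sees 172.16.2.1 arrive from the tunnel and un-translates it to the real 192.168.21.1, so the fact that both offices use 192.168.21.0/24 never shows up inside the tunnel. The conflict check is worth running against every real subnet at both sites, not just the ones known to clash, because a translated range borrowed from the unused-looking part of 192.168.x.x is the usual way such a plan fails later.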

I may be off here, but your theory is exactly what you want to do, but you really only do it on one side. Unfortunately there is a caveat in this scenario (at least with Cisco equipment). The tunnel can only be established from one side. By that I mean Milan can send interesting traffic to London and the tunnel will be built. If the tunnel is down and London wants to connect to Milan, the tunnel will never be built. This doesn't fit well since you have no control over Milan and it's a SonicWall. Would it be easier/cheaper to re-address Milan?

I see what you mean. They (Milan) will be adding a couple of our routers to their ICMP polling servers to check the VPN is up; this should help in the short term, I guess?