<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: overcoming overlapping encryption domains in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622180#M1035762</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you can upload a drawing of this, I'll get you going.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 29 Nov 2006 14:16:20 GMT</pubDate>
    <dc:creator>bhooker</dc:creator>
    <dc:date>2006-11-29T14:16:20Z</dc:date>
    <item>
      <title>overcoming overlapping encryption domains</title>
      <link>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622179#M1035760</link>
      <description>&lt;P&gt;I have a site to site VPN being set up between 2 515s, each running 6.3(5).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have overlapping encryption domains (the servers we need to access at the remote location are in a network we already have locally defined).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;How can I overcome this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Servers at the remote site are exposed to the internet for public access.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I believe the cookie cutter solution is to create static translations for all the servers we need to access (to public IPs) and then our match list ACL just references the public IPs (after translations).  Some of the servers at the remote site however are not internet facing and I would prefer to not have to A) use up public IPs with statics and B) not add translations to public IPs unless absolutely needed...(you know...defense in depth, another layer of security, all that jazz...if someone adds a broad ACL by mistake it doesn't immediately expose my internal servers if they don't have public translations in place).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Do I have any options?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I had this grand plan where I was hide-NATing traffic leaving my end and creating a network block static on the other end mapping the servers to a virtual non-routable network.  Then I would hit these non-routable IPs that I made up to access the servers.  Sadly I didn't look 2 steps ahead and realize this would preclude me from being able to add the public xlates required to expose these servers to the internet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any other ideas?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 09:01:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622179#M1035760</guid>
      <dc:creator>slug420</dc:creator>
      <dc:date>2019-03-11T09:01:58Z</dc:date>
    </item>
    <item>
      <title>Re: overcoming overlapping encryption domains</title>
      <link>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622180#M1035762</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you can upload a drawing of this, I'll get you going.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 29 Nov 2006 14:16:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622180#M1035762</guid>
      <dc:creator>bhooker</dc:creator>
      <dc:date>2006-11-29T14:16:20Z</dc:date>
    </item>
    <item>
      <title>Re: overcoming overlapping encryption domains</title>
      <link>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622181#M1035764</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Would this help you?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml" target="_blank"&gt;http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Gilbert&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 29 Nov 2006 15:52:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/overcoming-overlapping-encryption-domains/m-p/622181#M1035764</guid>
      <dc:creator>ggilbert</dc:creator>
      <dc:date>2006-11-29T15:52:59Z</dc:date>
    </item>
  </channel>
</rss>

