topic Re: VPN issue - overlap subnet in Network Security

VPN issue - overlap subnet

jigsaw2026 — Fri, 21 Feb 2020 09:40:57 GMT

Hi,

I only have a basic VPN understanding and I'm in a bit of a mess...

The problem that I'm facing is that I have a client that has the same private ip subnet as myself. I understand that I need to perform NAT but the issue is that I want to perform NAT for one subnet for one client only, leaving all else the same.

Looking at the config (I have a 3640), I would think I need something like this:

interface Ethernet0/1

ip address x.x.x.x 255.255.255.0

ip nat inside

crypto map wwmap

route-map test permit 10

match ip address 110

access-list 110 permit ip 172.16.0.0 0.0.255.255 172.28.0.0 0.0.255.255

ip nat inside source static 172.16.0.50 172.28.0.50 route-map test

Where 172.16.0.0/16 is the source subnet and 172.28.0.0/16 is what I want to NAT to. Also, I only have one host (172.16.0.50) that they need to access.

They will perform similar their end so I just see their 172.16.0.0/16 as its NATted address.

How to I ensure that no other NATting takes place? I assume as my config stands all else would fail?

Any help much appreciated. All articles I find assume that you want NAT to take place for all out going traffic but this is not the case.

Thank you,

Re: VPN issue - overlap subnet

Jon Marshall — Thu, 13 Sep 2007 10:21:47 GMT

Can you clarify.

Your source IP addresses: 172.16.0.0/16

You want to NAT these addresses to 172.28.0.0/16.

What addresses are the remote site presenting their 172.16.0.0/16 addresses as ?

Jon

Re: VPN issue - overlap subnet

jigsaw2026 — Thu, 13 Sep 2007 10:51:45 GMT

Hi Jon,

Thanks for responding.

They will be presenting as 172.30.0.0/16.

I didn't include it as I assumed from my end I would just treat them as such...

Thank you,

Re: VPN issue - overlap subnet

Jon Marshall — Thu, 13 Sep 2007 11:11:42 GMT

1) Your clients accessing the remote end

access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.0.0 0.0.255.255

ip nat pool NATPOOL 172.28.0.0 172.28.255.254 netmask 255.255.0.0

ip nat inside source list 110 pool NATPOOL

Your crypto access-list should look something like this

access-list vpntraffic permit ip 172.28.0.0 0.0.255.255 172.30.0.0 0.0.255.255

2) The individual server

access-list 111 permit ip host 172.16.0.50 host 172.28.0.50

ip nat inside source static 172.16.0.50 172.28.0.50 route_map nat_ip

route-map nat_ip permit 10

match ip address 111

NOTE: This will need testing. 172.16.0.50 is included in the 172.16.0.0 range so it might not get natted to the IP address you want.

HTH

Jon

Re: VPN issue - overlap subnet

jigsaw2026 — Fri, 14 Sep 2007 08:08:47 GMT

Hi,

Thank you so much for your help, it's much appreciated!

Can I please pick your brain some more? I have had more clarification now - their 172.16.0.0/16 subnet will not be used to connect to us (it's more a routing issue for them), so no NAT is being performed their end.

We basically have 2 servers on that subnet that their users on subnet 192.168.1.0/24 will be contacting, and that is all.

So, I think that your point 1 is probably not required here?...this is my revised configuration after studying point 2 -

#to allow their subnet to access the NATted subnet

access-list 111 permit 192.168.1.0 0.0.0.255 172.28.0.0 0.0.255.255

#staic NAT for each server

ip nat inside source static 172.16.0.50 172.28.0.50 route_map nat_ip

ip nat inside source static 172.16.0.100 172.28.0.100 route_map nat_ip

#route map

route-map nat_ip permit 10

match ip address 111

Do I need a ip nat inside on my inside interface? And if so, will this have an affect on the rest of the traffic that's not being NATted?

Also, will this work now for calls from 192.168.0.0/24 coming into our servers?

Many thanks, I'm sorry if this is really obvious!!!

Re: VPN issue - overlap subnet

Jon Marshall — Fri, 14 Sep 2007 15:27:17 GMT

Hi J

Apologies for delay in getting back.

You will need a "ip nat inside" on your inside interface and an "ip nat outside" on your outside interface.

No it will only effect the traffic you have included in your access-list.

Yes it should work for connections initiated from 192.168.0.0/24 clients.

No need to apologize, NAT is not one of the most obvious things to be honest.

Also, as with any changes you need to implement these out of hours if possible. What should work in theory often has a way of not in practice 🙂

Jon

Re: VPN issue - overlap subnet

jigsaw2026 — Mon, 17 Sep 2007 13:34:39 GMT

Hi Jon,

Well... I've implemented the changes (out of hours!) and it all works!

Thank you so much for all of your help - I would have been stuck without you so it's very much appreciated.

Re: VPN issue - overlap subnet

Jon Marshall — Mon, 17 Sep 2007 13:36:20 GMT

Glad to have helped. Thanks for getting back and appreciate the rating.

Jon