Site to Site VPN tunnel with same IP pool in inside network

Praful Soni
Level 1

Dear Friends,

I have a Cisco PIX 525 running in my network with the inside network pool 172.16.0.0/16. I already have 2 Site to Site VPN tunnels running on the same firewall with 2 remote locations, which use subnets other than 172.0.0.0/16.

Now I have got a new remote site for which we need to create a Site to Site VPN tunnel, but the issue is that the remote site's inside network is also using the 172.16.0.0/16 network.

I checked the options where we can do NAT on both sides and establish communication.

But my question is, if we create NAT for 172.16.0.0 for the 3rd site, can I communicate with the 2 other sites with the 172.16.0.0/16 network or not???

I cannot change the inside network at my side or at the remote site.

So please suggest a solution to set up communication between all three sites without making changes to the inside network of any of the sites.

Thanks in advance for your support!!!

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Both sites will need to perform NAT for their networks so there won't be any overlap.

On your side you can configure Static Policy NAT so that it only applies when connecting to the new Remote site behind the L2L VPN connection.

The basic configuration format is this

  access-list L2LVPN-POLICYNAT remark Static Policy NAT for LAN
  access-list L2LVPN-POLICYNAT permit ip <local-network> <local-mask> <remote-nat-network> <remote-mask>
  static (inside,outside) <local-nat-network> access-list L2LVPN-POLICYNAT

Unless you have very large networks on both sides, I really doubt you are using the whole /16 network?

With regards to the above Static Policy NAT I would suggest only configuring it for the specific smaller subnets that you are using. Otherwise you will have to NAT the 172.16.0.0/16 network to another /16 sized NAT network?

Naturally you could utilize the network 10.0.0.0/8 for this, in the following way for example

  access-list L2LVPN-POLICYNAT remark Static Policy NAT for LAN
  access-list L2LVPN-POLICYNAT permit ip 172.16.0.0 255.255.0.0 <remote-nat-network> <remote-mask>
  static (inside,outside) 10.255.0.0 access-list L2LVPN-POLICYNAT

This would NAT the network 172.16.0.0/16 to 10.255.0.0/16. This would mean that host 10.255.100.100 would equal 172.16.100.100 and so on.

Also notice that the destination network in the above configuration examples is the network the Remote Site uses as their NAT network (so not the actual 172.16.0.0/16 network).

If only your site's hosts need to connect to the remote site, then you could always configure Dynamic Policy PAT so that all your internal users would show up from behind a single PAT IP address.

Whichever NAT you use, you will have to take this into account in the Crypto ACL configured in the "crypto map" configuration so that your source address for the L2L VPN is the NAT network (10.255.0.0/16 for example).

Hope this helps

- Jouni
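An added example (not from the thread, and not Cisco's code) that models what the answer describes: the 1:1 static policy NAT that maps 172.16.0.0/16 to 10.255.0.0/16, a check that the chosen NAT pools do not overlap each other or the two existing sites' subnets (which is what keeps the first two tunnels working), and the PIX lines including the crypto ACL built from the NAT'd source. The two existing-site subnets and the remote side's NAT network are assumed sample values.

```python
import ipaddress

# Constructed sample topology (assumptions, not from the thread): the two
# existing remote sites use 192.168.10.0/24 and 192.168.20.0/24, and the new
# remote site NATs its own 172.16.0.0/16 to 10.254.0.0/16 (any /16 it picks).
LOCAL_REAL = ipaddress.ip_network("172.16.0.0/16")     # our inside network
REMOTE_REAL = ipaddress.ip_network("172.16.0.0/16")    # new site's inside network
LOCAL_NAT = ipaddress.ip_network("10.255.0.0/16")      # our NAT network (from the answer)
REMOTE_NAT = ipaddress.ip_network("10.254.0.0/16")     # assumed remote NAT network
EXISTING_SITES = [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("192.168.20.0/24")]

def translate(addr, real, mapped):
    """1:1 static policy NAT: keep the host offset, swap the network prefix."""
    real_net = ipaddress.ip_network(real)
    mapped_net = ipaddress.ip_network(mapped)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("static NAT needs equal-sized real and mapped networks")
    ip = ipaddress.ip_address(addr)
    if ip not in real_net:
        raise ValueError(f"{ip} is not in {real_net}")
    offset = int(ip) - int(real_net.network_address)
    return ipaddress.ip_address(int(mapped_net.network_address) + offset)

def overlaps(new_nets, existing):
    """Return every pair of overlapping networks; an empty list means no conflict."""
    nets = list(new_nets) + list(existing)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

def pix_config(real, mapped, remote_nat):
    """Emit the policy NAT lines and the matching crypto ACL line."""
    r, m, d = map(ipaddress.ip_network, (real, mapped, remote_nat))
    return [
        "access-list L2LVPN-POLICYNAT remark Static Policy NAT for LAN",
        f"access-list L2LVPN-POLICYNAT permit ip {r.network_address} {r.netmask} "
        f"{d.network_address} {d.netmask}",
        f"static (inside,outside) {m.network_address} access-list L2LVPN-POLICYNAT",
        # the crypto ACL must match the NAT'd source, not the real 172.16.0.0/16
        f"access-list L2LVPN-CRYPTO permit ip {m.network_address} {m.netmask} "
        f"{d.network_address} {d.netmask}",
    ]
```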


2 Replies

Thanks Jouni,

I will try to get it configured and write to you in case I get stuck somewhere.

Thanks again for your support.
