01-14-2014 09:34 PM - edited 03-11-2019 08:30 PM
Dear Friends,
I have a Cisco PIX 525 running in my network with inside network pool 172.16.0.0/16. I already have 2 Site-to-Site VPN tunnels running on the same firewall to 2 remote locations, which use subnets other than 172.0.0.0/16.
Now I have a new remote site for which we need to create a Site-to-Site VPN tunnel, but the issue is that the remote site's inside network is also using the 172.16.0.0/16 network.
I checked the options where we can do NAT on both sides and establish communication.
But my question is: if we create NAT for 172.16.0.0 for the 3rd site, can I still communicate with the 2 other sites using the 172.16.0.0/16 network or not?
I cannot change the inside network at my side or at the remote site.
So please suggest a solution to set up communication between all three sites without making changes to the inside network of any site.
Thanks in advance for your support!
01-15-2014 04:07 AM
Hi,
Both sites will need to perform NAT for their networks so there won't be any overlap.
On your side you can configure Static Policy NAT so that it only applies when connecting to the new Remote site behind the L2L VPN connection.
The basic configuration format is this
access-list L2LVPN-POLICYNAT remark Static Policy NAT for LAN
access-list L2LVPN-POLICYNAT permit ip
static (inside,outside)
Unless you have very large networks on both sides, I really doubt you are using the whole /16 network?
With regards to the above Static Policy NAT, I would suggest only configuring it for the specific smaller subnets that you are using. Otherwise you will have to NAT the 172.16.0.0/16 network to another /16-sized NAT network?
Naturally you could utilize the network 10.0.0.0/8 for this, in the following way for example:
access-list L2LVPN-POLICYNAT remark Static Policy NAT for LAN
access-list L2LVPN-POLICYNAT permit ip 172.16.0.0 255.255.0.0
static (inside,outside) 10.255.0.0 access-list L2LVPN-POLICYNAT
This would NAT the network 172.16.0.0/16 to 10.255.0.0/16. This would mean that host 10.255.100.100 would correspond to 172.16.100.100, and so on.
Also notice that the
If only your site's hosts need to connect to the remote site, then you could always configure Dynamic Policy PAT so that all your internal users would show up from behind a single PAT IP address.
Whichever NAT you use, you will have to take this into account in the Crypto ACL configured in the "crypto map" configuration, so that your source address for the L2L VPN is the NAT network (10.255.0.0/16 for example).
Hope this helps
- Jouni
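As an added illustration (not from the thread, and not Cisco code), a small Python model of what the reply describes: detecting the overlap that forces NAT, the host-offset mapping of static network-to-network policy NAT using the 10.255.0.0/16 network from the reply, and the check that the crypto ACL source is the NAT network only on the overlapping tunnel. The second existing peer network 192.168.10.0/24 is a constructed placeholder.

```python
import ipaddress

# Constructed example values, not from the thread: the hub's real inside
# network, the NAT network suggested in the reply, an existing peer that
# does not overlap, and the new peer that does.
HUB_REAL = ipaddress.ip_network("172.16.0.0/16")
HUB_NAT = ipaddress.ip_network("10.255.0.0/16")
EXISTING_PEER = ipaddress.ip_network("192.168.10.0/24")  # constructed
NEW_PEER = ipaddress.ip_network("172.16.0.0/16")          # overlapping 3rd site


def needs_nat(local, remote):
    """A L2L tunnel needs policy NAT only when the two inside networks overlap.
    Tunnels to non-overlapping peers keep using the real addresses."""
    return local.overlaps(remote)


def static_policy_nat(host, real, mapped):
    """Static network-to-network NAT, as done by
    'static (inside,outside) 10.255.0.0 access-list L2LVPN-POLICYNAT':
    the host's offset inside the real network is preserved in the mapped
    network. Swap 'real' and 'mapped' to translate a mapped address back."""
    host = ipaddress.ip_address(host)
    if host not in real:
        raise ValueError(f"{host} is not in {real}")
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    offset = int(host) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)


def crypto_acl_source_ok(crypto_acl_src, local, remote, mapped):
    """The crypto ACL must describe traffic as it looks after NAT: on a
    policy-NATed tunnel the source is the mapped network; on the other
    tunnels it stays the real inside network."""
    src = ipaddress.ip_network(crypto_acl_src)
    expected = mapped if needs_nat(local, remote) else local
    return src == expected


if __name__ == "__main__":
    print(needs_nat(HUB_REAL, NEW_PEER), needs_nat(HUB_REAL, EXISTING_PEER))
    print(static_policy_nat("172.16.100.100", HUB_REAL, HUB_NAT))
    print(crypto_acl_source_ok("10.255.0.0/16", HUB_REAL, NEW_PEER, HUB_NAT))
```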
01-15-2014 12:01 PM
Thanks Jouni,
I will try to get it configured and write to you in case I get stuck somewhere.
Thanks again for your support.