09-28-2005 07:54 AM - edited 02-21-2020 02:00 PM
I need to implement 3 VPN tunnels back to my office. My main problem is two of the sites are using same IP schema.
My office is 192.168.240.x /24
Site 1 is 10.1.1.x /24
Site 2 is 172.16.1.x /24
Site 3 is 10.1.1.x /24
I know how to create a vpn tunnel to Site 1 and 2. But I am not sure how to add Site 3 into the picture.
I also need to make sure that no one can ride my vpn tunnel from site one site to another site.
Any and all help is greatly appreciated.
Thanks a million in advance.
-Rajeev
09-29-2005 10:56 AM
Easiest and best plan in the long run is to change one of the site's Network ranges, or split them in half (site 1 uses 10.1.1.0/25 and site 3 uses 10.1.1.128/25).
Otherwise you'd have to set up some sort of bridging rather than routing between the sites, which increases the broadcast domain to travel over the WAN. This is undesirable at best.
09-30-2005 01:35 PM
I will not be able to change the IP address at any site because they are separate clients, and are in full production.
09-29-2005 09:31 PM
Rajeev, can you please tell us what VPN device you are using, VPN Concentrator or PIX Firewall?
09-30-2005 07:02 AM
Rajeev
I agree that it will be helpful to know what kind of devices you are working with. Some of the alternatives would depend on which platform you are using.
I assume that the addresses you have given are the inside addresses of the remotes. What are the outside addresses? Are the remote sites doing any address translation? It seems to me that if site 1 and site 3 are using the same addressing scheme for their inside networks, that your solution will be to do some kind of address translation for one of the sites as it enters the central network.
The alternatives for preventing one remote site from communicating with another remote site will depend on what platform is being used for VPN.
HTH
Rick
09-30-2005 02:49 PM
All the clients have real IP addresses on the outside interfaces... they are doing some NAT on web servers.
Thanks for all the help...
10-01-2005 08:10 AM
Rajeev
So long as each client has a unique (real) IP address on the outside interface then setting up IPSec can be done without much difficulty. You peer to the unique IP address.
What will make implementing this difficult is a routing issue. If you have a packet with destination address 10.1.1.4 which VPN tunnel should it go through? I do not know of a way to solve this other than through some Network Address translation. I think that the optimum solution would be to get one of the clients to translate addresses on traffic that they send to you.
HTH
Rick
09-30-2005 01:44 PM
Sites 1 and 3 have a PIX 515E 6.3
Site 2 has a Cisco 871 12...
In my office I have a PIX 515E 6.3
10-03-2005 04:42 AM
You really will have to seriously consider assisting one site in changing their network's address ranges.
Until that occurs you could use some sort of 1-1 NAT strategy on one of the sites, but you'll have to set up maps for EACH and EVERY machine, and you'll have to do them all statically, if you want to be able to reliably get to certain machines; no using a pool of 255 addresses mapping to the network segment.
I'd implement this on one site, and look at migrating them over. If they're using DHCP it's not super difficult, just set up the new range one night, and switch it over. In the morning they all change. Then you can take care of any servers. Of course if they have any programs, or scripts with IPs defined rather than DNS names, it might be a bit more work, but really an unavoidable result of tying disparate networks together.
10-03-2005 07:31 AM
You can install another router at site 1 or site 3 to do another NAT.
e.g.
from site1 lan <--> pix515e <--> vpn/www <--> your office
to site1 lan <--> router <--> pix515e <--> vpn/www <--> your office
The router can NAT the original 10.1.1.x to 10.1.2.x, so from your office's point of view the remote peer net is 10.1.2.x, not 10.1.1.x. Also, you don't have to change the site 1 net scheme.
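Worked configuration for the approach in the last two posts (a router in front of the site 1 PIX doing static one-to-one NAT of the whole /24, with the tunnels then defined on the translated range), written here as an added example and not taken from any poster in this thread. Interface names, the 192.168.250.0/30 transit link, the 10.1.2.0/24 translated range, the ACL and crypto map names, and the peer address placeholders are all assumptions; ISAKMP policy, transform-set and key lines are left out. It also shows how the office PIX's per-peer crypto ACLs keep the three sites from reaching each other through the hub.

```cisco
! ---- Added router between the site 1 LAN and the site 1 PIX (hypothetical IOS config) ----
interface FastEthernet0/0
 description Site 1 LAN, real addresses 10.1.1.0/24 (unchanged)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Assumed transit link toward the site 1 PIX 515E inside interface
 ip address 192.168.250.2 255.255.255.252
 ip nat outside
!
! Static one-to-one translation of the entire /24: host 10.1.1.4 is seen as 10.1.2.4
! beyond this router, so every machine keeps a predictable, reachable translated address
! (no dynamic pool, as the earlier post warns).
ip nat inside source static network 10.1.1.0 10.1.2.0 /24
!
ip route 0.0.0.0 0.0.0.0 192.168.250.1

! ---- Site 1 PIX 515E 6.3: only the lines that change ----
! Route the translated range back to the router, and describe the tunnel in terms of
! 10.1.2.0/24 rather than 10.1.1.0/24.
route inside 10.1.2.0 255.255.255.0 192.168.250.2 1
access-list office_vpn permit ip 10.1.2.0 255.255.255.0 192.168.240.0 255.255.255.0
nat (inside) 0 access-list office_vpn
crypto map office_map 10 ipsec-isakmp
crypto map office_map 10 match address office_vpn
crypto map office_map 10 set peer OFFICE_PUBLIC_IP_PLACEHOLDER

! ---- Office PIX 515E 6.3: one crypto ACL per peer ----
! From the office, site 1 is now 10.1.2.0/24 and site 3 keeps its real 10.1.1.0/24,
! so a packet to 10.1.1.4 unambiguously belongs to the site 3 tunnel.
access-list to_site1 permit ip 192.168.240.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list to_site2 permit ip 192.168.240.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list to_site3 permit ip 192.168.240.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! PIX 6.3 accepts a single ACL for NAT exemption, so all three pairs go in one list.
access-list nonat permit ip 192.168.240.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 192.168.240.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.240.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
crypto map sites_map 10 ipsec-isakmp
crypto map sites_map 10 match address to_site1
crypto map sites_map 10 set peer SITE1_PUBLIC_IP_PLACEHOLDER
crypto map sites_map 20 ipsec-isakmp
crypto map sites_map 20 match address to_site2
crypto map sites_map 20 set peer SITE2_PUBLIC_IP_PLACEHOLDER
crypto map sites_map 30 ipsec-isakmp
crypto map sites_map 30 match address to_site3
crypto map sites_map 30 set peer SITE3_PUBLIC_IP_PLACEHOLDER
crypto map sites_map interface outside
```

Every crypto ACL above pairs the office LAN with exactly one remote LAN; no entry pairs one remote LAN with another, so traffic arriving from site 1 addressed to 172.16.1.x or 10.1.1.x matches no tunnel on the office PIX and is not forwarded into another site's tunnel. If the office later needs to reach site 1 by name, its DNS or host entries for those machines must use the 10.1.2.x addresses, which is the trade-off the earlier post describes for any program or script that has the real 10.1.1.x addresses hard-coded.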