Solved: Connecting to two remote sites with same network IP

ja raju · ‎06-09-2011

Hi guys,

I have two remote sites with the same IP range: 10.0.0.0/24.

I need to configure L2L VPN to these two remote sites from the main site. I know that I need to perform NAT on one of the sites. I've already configured VPN for Site A but not yet for Site B.

How can I get access to both of the remote sites from my 172.24.103.0/24 network? How do i do the NAT?

Thank you in advanced.

milan.kulik · ‎06-10-2011

Hi,

you could try NAT for overlapping networks, see

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

or

http://www.cisco.com/application/pdf/paws/13774/3.pdf

But as Paolo said, it's a nightmare :-(

HTH,

Milan

View solution in original post

Jon Marshall · ‎06-10-2011

I have had to do this too many times ! Unfortunately Paolo when the 3rd party is a different company you can't simply tell them to readdress and to do as you say. And when your own management tells you it is imperative this company connects no matter what it takes, you unfortunately do have to get messy. But i agree that it is far from ideal.

To the OP, it can be done as Milan points out. The first thing you need to do is to identify which devices at each need to connect to each other so you can work out the NATs you need to do. You also need to know where the connections will be initiated from ie.

1) only from your company to the remote site

2) from the remote site to your company

3) both ways

this will dictate how you set the NAT up.

But as both Paolo and Milan have said, it is messy, and can take a while to get working correctly.

Jon

View solution in original post

paolo bevilacqua · ‎06-09-2011

Do not use the same subnet for both sites.

Renumber one and you will have perfect connectivity without tricks and stuff that always causes trouble.

ja raju · ‎06-09-2011

The problem is, both are client sites and I can't get them redo their IP network.

Any other options?

milan.kulik · ‎06-10-2011

Hi,

you could try NAT for overlapping networks, see

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

or

http://www.cisco.com/application/pdf/paws/13774/3.pdf

But as Paolo said, it's a nightmare :-(

HTH,

Milan

paolo bevilacqua · ‎06-10-2011

You can, you are the Network Engineer, and when abou the network, they must do what you say.

Jon Marshall · ‎06-10-2011

I have had to do this too many times ! Unfortunately Paolo when the 3rd party is a different company you can't simply tell them to readdress and to do as you say. And when your own management tells you it is imperative this company connects no matter what it takes, you unfortunately do have to get messy. But i agree that it is far from ideal.

To the OP, it can be done as Milan points out. The first thing you need to do is to identify which devices at each need to connect to each other so you can work out the NATs you need to do. You also need to know where the connections will be initiated from ie.

1) only from your company to the remote site

2) from the remote site to your company

3) both ways

this will dictate how you set the NAT up.

But as both Paolo and Milan have said, it is messy, and can take a while to get working correctly.

Jon

paolo bevilacqua · ‎06-10-2011

Jon,

I know what you mean. However from me the answer is always "do you tell to a doctor what is imperative ?".

I also had customers trying the kludges first, then coming back to me willing to renumber.

Don't let end users dictate how networking is done. That is your job and you're paid to do it right, not wrong.

ja raju · ‎06-13-2011

Yea... it's going to have to be messy I guess.

One of those client sites might have some spare public IP, so I planning to do the NAT on their end.

Have to see how that goes