IPSEC Tunnel - Duplicate Remote networks

Ranbeckycr_2
Level 1

Hello All,

I have to create an IPSEC tunnel to two different network providers that have the same internal network.

This is my setup

ServerA ----- PIX(6.3) ---------- Router1 --------------- VPN tunnel --------- Remote Router A (I have no control)  LAN 192.168.1.x/24  (already working)
                         |
                         |-------- Router2 --------------- VPN tunnel --------- Remote Router B (I have no control)  LAN 192.168.1.x/24  (new tunnel, DUPLICATE)

Server A= ip 10.16.2.10, gateway 10.16.2.1

Server A= Static NAT 10.16.2.10  10.16.5.10 (dmz interface)

Pix= Inside interface 10.16.2.1, pix dmz 10.16.5.1

The DMZ interface has access to the internet; I have 2 separate routers with different ISPs, both working.

Router1= 10.16.5.60

Router2= 10.16.5.70

PROBLEM:  I cannot route to two different networks with the same IP address.  The PIX already has a static default route to the 192.168.1.x/24 network.  I have 2 separate routers, with 2 different ISPs.

Is there a way for me to NAT, or change the new network (192.168.1.x) to a different subnet internally on my Cisco Routers?

Thank you,

Randall

PS: I was looking at this article but it doesn't seem to apply:

Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml



Yudong Wu
Level 7

If your VPN is terminated on Router2, you should be able to NAT 192.168.1.x to something else on Router2, then on the PIX you just need to add a route pointing to Router2 for the NAT-ed IP. If you can provide the Router2 configuration, we can give you a detailed suggestion.

Yudong Wu,

Thank you for your time. Yes, my tunnel terminates on the Cisco Router2.  I can't figure out how to perform the NAT on the 192.168.1.x network.

I will point the route on the pix to the new network that we specify.  Please feel free to suggest your ideal configuration.

I have a standard VPN on the Cisco Router, nothing fancy, just the default.

version 12.4
hostname RandallRouter
!
boot system flash c1841-advsecurityk9-mz.124-15.T7.bin
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key 123456 address 2.2.2.2
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set IpsecVPN esp-3des esp-md5-hmac
!
crypto map 3desmap 23 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set IpsecVPN
 match address IpsecVPN
!
interface FastEthernet0/0
 description OUTSIDE
 ip address dhcp client-id FastEthernet0/0
 crypto map 3desmap
!
interface FastEthernet0/1
 ip address 10.16.5.70 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 3.3.3.3
!
ip access-list extended IpsecVPN
 permit ip 10.16.5.0 0.0.0.255 host 192.168.1.29

Thank you for your help! :-)

This should work.

interface f0/0
 ip nat inside
interface f0/1
 ip nat outside
ip nat inside source static network 192.168.1.0 22.22.22.0 /24

Then on the PIX, point 22.22.22.0/24 to Router2.

Now all the applications/servers behind the PIX will need to send traffic to 22.22.22.x if they want to talk to 192.168.1.x behind Router B.

Very interesting, we apply the "inside" NAT for a Remote network.  Looks easy once you know how to do it. :-)

Quick question: should the crypto ACL be specified with the 192.168.1.x network or with the 22.22.22.x network?

Once again, thanks!

Crypto ACL should still use "192.168.1.x".
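To see why the crypto ACL keeps the real 192.168.1.x addresses, here is an added Python model (not from the thread or from Cisco) of Router2's static network NAT and the posted crypto ACL. The interface roles, prefixes and the 22.22.22.0/24 alias are taken from the thread; the function names and the packet flow helpers are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's Router2:
#   ip nat inside source static network 192.168.1.0 22.22.22.0 /24
#   f0/0 (tunnel side)  -> ip nat inside
#   f0/1 (PIX side)     -> ip nat outside
LOCAL_NET = ip_network("192.168.1.0/24")   # real remote LAN behind Router B
GLOBAL_NET = ip_network("22.22.22.0/24")   # alias the PIX side uses (thread's choice)


def acl_line(src_cidr, dst_cidr):
    """One 'permit ip <src> <dst>' crypto ACL entry, given as CIDR prefixes."""
    return ip_network(src_cidr), ip_network(dst_cidr)


# Crypto ACL "IpsecVPN" as posted: permit ip 10.16.5.0 0.0.0.255 host 192.168.1.29
CRYPTO_ACL = [acl_line("10.16.5.0/24", "192.168.1.29/32")]


def _map(addr, src_net, dst_net):
    """Static network NAT: keep the host bits, swap the network prefix."""
    a = ip_address(addr)
    if a not in src_net:
        return a                      # address outside the mapped range is untouched
    host_bits = int(a) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + host_bits)


def outside_to_inside(src, dst):
    """Packet from the PIX side (f0/1, nat outside) heading for the tunnel.
    IOS rewrites the destination (global -> local) before routing, so the
    crypto map on f0/0 sees the real 192.168.1.x address."""
    return str(src), str(_map(dst, GLOBAL_NET, LOCAL_NET))


def inside_to_outside(src, dst):
    """Decrypted reply arriving from the tunnel (f0/0, nat inside).
    The inside source (local -> global) is rewritten before it leaves f0/1,
    so the PIX only ever sees 22.22.22.x."""
    return str(_map(src, LOCAL_NET, GLOBAL_NET)), str(dst)


def crypto_match(src, dst, acl=CRYPTO_ACL):
    """Does the post-NAT packet hit a crypto ACL line (and so get encrypted)?"""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acl)
```

22.22.22.0/24 is simply the alias the thread picked; in practice choose an unused private range so the translated prefix can never collide with a real Internet destination.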

I really appreciate your help, I rated you with the Highest possible rating.  Have a good one.
