IPSEC Tunnel - Duplicate Remote networks

Ranbeckycr_2
Beginner

Hello All,

I have to create an IPsec tunnel to two different network providers that have the same internal network.

This is my setup

ServerA ----- PIX(6.3) ---------- Router1 -------- VPN tunnel -------- Remote Router A (I have no control)  LAN 192.168.1.x/24  (already working)
                         |
                         |-------- Router2 -------- VPN tunnel -------- Remote Router B (I have no control)  LAN 192.168.1.x/24  (new tunnel, DUPLICATE)

Server A = IP 10.16.2.10, gateway 10.16.2.1

Server A = static NAT 10.16.2.10 -> 10.16.5.10 (DMZ interface)

PIX = inside interface 10.16.2.1, PIX DMZ 10.16.5.1

The DMZ interface has access to the internet; I have 2 separate routers with different ISPs, both working.

Router1 = 10.16.5.60

Router2 = 10.16.5.70

PROBLEM: I cannot route to two different networks with the same IP addresses. The PIX already has a static default route to the 192.168.1.x/24 network. I have 2 separate routers, with 2 different ISPs.

Is there a way for me to NAT, or change the new network (192.168.1.x) to a different subnet internally on my Cisco Routers?

Thank you,

Randall

PS: I was looking at this article, but it doesn't seem to apply:

Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml


6 Replies

Yudong Wu
Rising star

If your VPN is terminated on Router2, you should be able to NAT 192.168.1.x to something else on Router2, then on the PIX you just need to add a route to point to Router2 for the NAT-ed IP. If you can provide the Router2 configuration, we can give you a detailed suggestion.

Yudong Wu,

Thank you for your time. Yes, my tunnel terminates on the Cisco Router2. I can't figure out how to perform the NAT on the 192.168.1.x network.

I will point the route on the pix to the new network that we specify.  Please feel free to suggest your ideal configuration.

I have a standard VPN on the Cisco router, nothing fancy, just the default.

version 12.4
hostname RandallRouter
!
boot system flash c1841-advsecurityk9-mz.124-15.T7.bin
!
! Phase 1 (ISAKMP) policy and pre-shared key for the peer at 2.2.2.2
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp key 123456 address 2.2.2.2
crypto isakmp keepalive 15 periodic
!
! Phase 2 (IPsec) transform set and the crypto map that uses it
crypto ipsec transform-set IpsecVPN esp-3des esp-md5-hmac
!
crypto map 3desmap 23 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set IpsecVPN
 match address IpsecVPN
!
! ISP-facing interface (DHCP address); the crypto map is applied here
interface FastEthernet0/0
 description OUTSIDE
 ip address dhcp client-id FastEthernet0/0
 crypto map 3desmap
!
! DMZ-facing interface towards the PIX (10.16.5.1)
interface FastEthernet0/1
 ip address 10.16.5.70 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 3.3.3.3
!
! Crypto ACL: DMZ subnet to the single remote host 192.168.1.29
ip access-list extended IpsecVPN
 permit ip 10.16.5.0 0.0.0.255 host 192.168.1.29

Thank you for your help! :-)

This should work.

interface f0/0
 ip nat inside
!
interface f0/1
 ip nat outside
!
ip nat inside source static network 192.168.1.0 22.22.22.0 /24

Then on the PIX, point 22.22.22.0/24 to Router2.

Now all the applications/servers behind the PIX will need to send traffic to 22.22.22.x if they want to talk to 192.168.1.x behind Router B.

Very interesting, we apply the "inside" NAT for a remote network. Looks easy once you know how to do it. :-)

Quick question: should the crypto ACL be specified with the 192.168.1.x network or with the 22.22.22.x network?

Once again, thanks!

Crypto ACL should still use "192.168.1.x".
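A complete Router2 configuration that puts the accepted answer and the crypto ACL reply above together, as an added example that is not part of the thread and not Yudong Wu's or Randall's own config. It keeps the posted crypto parameters and interface roles. The peer 2.2.2.2, the next hop 3.3.3.3 and the translated range 22.22.22.0/24 are the placeholders used in the thread (in practice pick an unused RFC 1918 block, since 22.0.0.0/8 is publicly routable address space), and the pre-shared key is left as a placeholder.

```ios
! Added example, not from the thread. Router2 presents the remote
! 192.168.1.0/24 (behind Remote Router B) to the PIX as 22.22.22.0/24.
! Assumed placeholders: peer 2.2.2.2, ISP next hop 3.3.3.3, PSK <psk>.
hostname RandallRouter
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key <psk> address 2.2.2.2
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set IpsecVPN esp-3des esp-md5-hmac
!
crypto map 3desmap 23 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set IpsecVPN
 match address IpsecVPN
!
! Tunnel side. "NAT inside" is the REMOTE LAN here: packets that arrive
! decrypted from 192.168.1.x are inside->outside, so their source is
! rewritten to 22.22.22.x before they are forwarded to the PIX.
interface FastEthernet0/0
 description OUTSIDE (ISP / VPN peer)
 ip address dhcp client-id FastEthernet0/0
 ip nat inside
 crypto map 3desmap
!
! PIX/DMZ side. Packets from the PIX to 22.22.22.x are outside->inside:
! the destination is translated back to 192.168.1.x before routing, so
! the crypto map matches on the real remote address.
interface FastEthernet0/1
 description DMZ towards PIX (10.16.5.1)
 ip address 10.16.5.70 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 3.3.3.3
!
! One-to-one static translation of the whole remote /24.
ip nat inside source static network 192.168.1.0 22.22.22.0 /24
!
! The crypto ACL keeps 192.168.1.x: NAT runs before the crypto map on
! traffic toward the tunnel and after decryption on traffic from it.
ip access-list extended IpsecVPN
 permit ip 10.16.5.0 0.0.0.255 host 192.168.1.29
```

On the PIX (6.3 syntax) the only change is the route for the translated range via Router2: `route dmz 22.22.22.0 255.255.255.0 10.16.5.70 1`. The existing tunnel through Router1 and its 192.168.1.x route are untouched, and Remote Router B still sees unchanged 10.16.5.x sources, so nothing has to change on the side Randall does not control. Note that the crypto ACL above only covers host 192.168.1.29, so only 22.22.22.29 is reachable through the tunnel even though the PIX route and the NAT statement cover the whole /24. To verify, send traffic from the DMZ to 22.22.22.29 and check `show ip nat translations` for the 192.168.1.29 <-> 22.22.22.29 entry and `show crypto ipsec sa` for encaps/decaps counters increasing on the 2.2.2.2 peer.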

I really appreciate your help, I rated you with the Highest possible rating.  Have a good one.
