Multiple Site-to-Site VPNs - Same Subnets

caiobomani
Level 1

Hello everyone.

I'm currently in a scenario that made me wonder if it would work.

My firewall is a VPN hub to several partners that peer with me with private IP addresses.

So far, I've managed not to let any partner private subnets overlap, but right now I'm without options.

Basically all partners peer with my firewall in order to reach the internal IP x.x.x.x.

In this scenario, I'll have two different partners with subnets 10.0.0.0/24 and 10.0.0.0/25 attempting to reach the x.x.x.x IP address inside the IPSec tunnel. Will that work? I assume the traffic will be routed based on the SPI, but I'm not sure what exactly will be the result of that scenario.

Has anyone had a similar scenario? Would that work?

Thanks,

Caio

Accepted Solution

I've actually made it work without any NAT.

Partner 1

Interesting traffic

Remote: 192.168.0.18/32

Local: x.x.x.x/32

Partner 2

Interesting traffic

Remote: 192.168.0.0/24

Local: x.x.x.x/32

Both seem to be working (since partner 2 is not using the IP 0.18).

Thanks,

 

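An added example, not part of the original posts: a Python check over the two remote selectors quoted above that reports which addresses of one partner's selector would have their reply traffic matched to another partner's tunnel. It assumes the hub matches outbound traffic against the selectors in configuration order (first match); the thread does not name the platform, so confirm that against your device. The function names are hypothetical.

```python
import ipaddress

# Constructed sample: the remote selectors from the accepted solution.
# List order stands in for the hub's selector evaluation order (assumption).
SELECTORS = [
    ("partner1", "192.168.0.18/32"),
    ("partner2", "192.168.0.0/24"),
]

def parse(selectors):
    return [(peer, ipaddress.ip_network(net)) for peer, net in selectors]

def select_tunnel(selectors, dst, order="first-match"):
    """Return the peer whose selector reply traffic to dst would match."""
    addr = ipaddress.ip_address(dst)
    hits = [(peer, net) for peer, net in parse(selectors) if addr in net]
    if not hits:
        return None
    if order == "longest-prefix":
        # Alternative model: the most specific selector wins.
        hits.sort(key=lambda h: h[1].prefixlen, reverse=True)
    return hits[0][0]

def shadowed(selectors):
    """Under first-match, map each peer to the parts of its own selector
    that an earlier entry belonging to a different peer captures."""
    nets = parse(selectors)
    result = {}
    for i, (peer, net) in enumerate(nets):
        for other, earlier in nets[:i]:
            if other != peer and earlier.overlaps(net):
                # Two overlapping CIDR blocks always nest; keep the smaller.
                part = earlier if earlier.subnet_of(net) else net
                result.setdefault(peer, []).append((other, str(part)))
    return result

if __name__ == "__main__":
    for dst in ("192.168.0.18", "192.168.0.50"):
        print(dst, "->", select_tunnel(SELECTORS, dst))
    # With the /32 first, only .18 is taken away from partner2.
    print("shadowed:", shadowed(SELECTORS))
    # With the /24 first, partner1's whole selector is captured by partner2.
    print("reversed:", shadowed(list(reversed(SELECTORS))))
```

Any address listed by `shadowed` is one where replies meant for one partner would be encrypted toward the other, so it should either stay unused on the shadowed side, as in the post, or be NATed.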

4 Replies

Thank you Balaji.

In that scenario I understand that he's attempting to make the networks (that overlap) talk to each other.

In my scenario I don't need to have the networks talking to each other. I need both partners (with overlapping networks) to talk to my IP address.

I'm wondering if that would work or if I should force the NAT from one of the peers.

Thanks,

Caio

That is an example scenario I have provided to understand.

From a routing perspective, you need to NAT one of the sites, since both cannot be the same IP address range.

Make sense?

BB
