
Overlapping VPN


I have a doubt about site-to-site VPN.

I have 3 customers: cust1 --- cust2 --- cust3.

The private IP addresses are:

Cust1 ---- (PIX)

Cust2 ---- (Checkpoint Nokia)

Cust3 ---- (ASA)

Connectivity is Cust1 ---- Cust2 ---- Cust3

| | |

I want to achieve a site-to-site VPN tunnel between Cust1 -- Cust2 and also between Cust2 -- Cust3. But here Cust1 and Cust3 have the same private IP address range. So when establishing the VPN tunnels at Cust2 (Cust2 to Cust1 and Cust2 to Cust3), there will be a conflict between the address ranges.

Here is the config I have done on the PIX (Cust1):

static (inside,outside) access-list TICTAC

access-list TICTAC permit ip

crypto ACL:

access-list crypto permit ip

access-list nonat permit ip host

nat (inside) 0 access-list nonat

show run | i global|nat|access-list

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0 0

I am able to ping the Cust2 private IP range through the VPN, but I am unable to browse the Internet from Cust1.

Note: each customer has its own individual Internet connection.

Can anyone help me out? Is there anything I am missing?



Cisco Employee

I would remove the nonat you have configured on the inside for the traffic that is going through. You want to NAT the traffic as specified by your static.

PS. If you found this post helpful, please rate it.

I removed the nonat statement; nothing is happening :-(

Manoj, you need to go step by step then. Figure out what is going on with the packet.

1) What is the packet source, and where is it destined?

2) When it hits the ASA's inside interface, does it hit any ACLs?

3) If no ACLs where does routing say it should go? Outside interface or another interface?

4) Is the packet supposed to be NAT'd? If yes, then are the NAT statements correct?

5) If it's supposed to be encrypted after the NAT, are the crypto ACLs correct, and is crypto applied to the interface that the packet is supposed to be going out of?

6) What do the logs show?
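As an added example (not from this thread, and not Cisco code), here is a small Python model of how a pre-8.3 PIX/ASA handles an inside-to-outside packet in the order the checklist above describes: interface ACL, routing, NAT, then the crypto ACL. The NAT step follows the PIX/ASA precedence order (nat 0 exemption, then static, then dynamic nat/global), and the crypto ACL is matched against the translated addresses, which is why a nat 0 exemption for the same flow as a policy static stops the static from ever applying. The addressing, the `build_pix` helper and the mapped range are constructed assumptions, since the original post's prefixes are not shown.

```python
import ipaddress
from dataclasses import dataclass

IPAddr = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' line of an access-list."""
    src: IPNet
    dst: IPNet

    def matches(self, s, d):
        return s in self.src and d in self.dst


@dataclass
class PolicyStatic:
    """static (inside,outside) <mapped> access-list <acl>: 1:1 translation of
    the source into <mapped>, only for flows the ACL describes."""
    mapped: IPNet
    acl: list

    def translate(self, s, d):
        if any(ace.matches(s, d) for ace in self.acl):
            host = int(s) & ((1 << (32 - self.mapped.prefixlen)) - 1)
            return ipaddress.ip_address(int(self.mapped.network_address) | host)
        return None


@dataclass
class Pix:
    outside_ip: IPAddr
    inside_acl: list      # optional access-group on the inside interface
    nonat: list           # nat (inside) 0 access-list nonat
    statics: list         # static (inside,outside) ... access-list ...
    dynamic_pat: bool     # nat (inside) 1 0 0 + global (outside) 1 interface
    crypto_acl: list      # crypto map 'match address', applied on outside

    def process(self, src, dst):
        """Walk an inside->outside packet through the checklist and return
        a trace of what the box would do with it."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        trace = {"src": src, "dst": dst}
        # Step 2: interface ACL (an empty list means no access-group applied)
        if self.inside_acl and not any(a.matches(s, d) for a in self.inside_acl):
            trace["action"] = "dropped by inside ACL"
            return trace
        # Step 3: routing; anything not local is assumed to leave via outside
        trace["egress"] = "outside"
        # Step 4: NAT, in PIX/ASA (pre-8.3) precedence order:
        #   nat 0 access-list (exemption) > static > dynamic nat/global
        if any(a.matches(s, d) for a in self.nonat):
            xlate, how = s, "exempt (nat 0 access-list)"
        else:
            for st in self.statics:
                t = st.translate(s, d)
                if t is not None:
                    xlate, how = t, "policy static"
                    break
            else:
                if self.dynamic_pat:
                    xlate, how = self.outside_ip, "PAT to outside interface"
                else:
                    trace["action"] = "dropped: no translation"
                    return trace
        trace["nat"], trace["xlate_src"] = how, str(xlate)
        # Step 5: the crypto ACL is matched against the *translated* packet
        trace["encrypted"] = any(a.matches(xlate, d) for a in self.crypto_acl)
        trace["action"] = "sent through tunnel" if trace["encrypted"] else "sent in the clear"
        return trace


# Constructed, hypothetical addressing (the thread's real prefixes are not shown):
CUST1_LAN = net("10.1.1.0/24")          # also used at Cust3, hence the overlap
CUST2_LAN = net("10.2.2.0/24")
CUST1_MAPPED = net("192.168.101.0/24")  # what Cust2 sees Cust1 as after NAT
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")


def build_pix(keep_nonat):
    """Cust1 PIX shaped like the post: policy static for the tunnel, PAT for
    the Internet, and optionally the nat 0 exemption the reply says to remove."""
    tictac = [Ace(CUST1_LAN, CUST2_LAN)]           # access-list TICTAC
    nonat = [Ace(CUST1_LAN, CUST2_LAN)] if keep_nonat else []
    crypto = [Ace(CUST1_MAPPED, CUST2_LAN)]        # crypto ACL uses the mapped range
    return Pix(OUTSIDE_IP, [], nonat, [PolicyStatic(CUST1_MAPPED, tictac)], True, crypto)


if __name__ == "__main__":
    for keep in (True, False):
        pix = build_pix(keep)
        print("nonat kept" if keep else "nonat removed")
        print("  to Cust2:   ", pix.process("10.1.1.5", "10.2.2.9"))
        print("  to Internet:", pix.process("10.1.1.5", "198.51.100.7"))
```

With the exemption in place the Cust2-bound packet leaves untranslated and never matches a crypto ACL written for the mapped range; with it removed the policy static applies and the packet is encrypted. Internet-bound traffic is PATed to the outside interface and is not matched by the crypto ACL either way, so a browsing failure has to be chased with steps 2, 3 and 6 rather than the tunnel configuration.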

Florin Barhala
Frequent Contributor


Any luck with your scenario? I've the same problem and no solution yet.

What I want to know is: if a packet reaches the router, which is going to happen first? The NAT operation, or will it get tunneled?



Nat will happen first. Why don't you post up more info about your problem...


I have an ASA firewall tunneling it's behind to a Checkpoint NGX. The trouble is that already exists behind Checkpoint as a connected network.

Nevertheless my VPN has to connect with

So I concluded NAT is needed only on ASA side, right?

The VPN came up immediately, but I still don't have connectivity between the sites.

I attached the specific config on the ASA; please note that show crypto ipsec sa shows only decrypted packets but no encrypted ones!

What have I missed?


