PIX 515e - Site2Site VPN with Duplicate IP address(s)

rshendrix
Level 1

I need to create a site-to-site VPN with a new vendor. Both sites are using the 10.x.x.x network addressing scheme. The problem is that the IP address on our network (e.g. 10.1.2.3) is already being used on the vendor's network. They suggest that I translate my 10.1.2.3 to something like 10.1.22.33 for them.

How can I go about accomplishing this? My PIX is already configured for remote access VPN - not site-to-site as of yet.

Thanks for any pointers.

2 Replies

drolemc
Level 6

You can use bi-directional translation to make the two private LANs with overlapping address space communicate over the IPSec tunnel. The configuration is as shown in the document at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml.

Well, I'm back on this since I have to go back to the overlapping address. All is currently working - now I just have to change the IP to one that is already being used.

I have looked at the article and it appears to show me what I need to do; however, I don't fully understand the comment in the config example that says:

"Static translation defined Private_LAN1 from 192.168.4.0/24 to 20.1.1.0/24

Note that this translation will be used for both VPN and Internet traffic from Private_LAN1. So a routable global IP address range, or an extra NAT at the ISP router (in front of the PIX), will be required if Private_LAN1 also needs internal access."

My internal address being translated definitely needs access to the internet and is also used by the remote VPN connections.

Can anyone help me see things a little clearer?
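
An added example, not part of the thread or of the linked Cisco document: the plain `static` in that document translates the host for every destination, whereas a policy static limits the translation to traffic bound for the vendor, so Internet and remote-access VPN traffic from 10.1.2.3 is unaffected. It assumes PIX OS 6.3(2) or later (where policy NAT is available) and interfaces named `inside` and `outside`; `VENDOR_NET`, `VENDOR_MASK`, `CRYPTO_MAP_NAME`, `SEQ` and both ACL names are placeholders.

```cisco
! Constructed example. VENDOR_NET, VENDOR_MASK, CRYPTO_MAP_NAME, SEQ and the
! ACL names are placeholders; substitute the values from the real configuration.

! Match only traffic from the overlapping host to the vendor's network.
access-list vendor_policy_nat permit ip host 10.1.2.3 VENDOR_NET VENDOR_MASK

! Policy static: 10.1.2.3 is presented as 10.1.22.33 only when the ACL above
! matches. All other traffic from 10.1.2.3 keeps its existing translation.
static (inside,outside) 10.1.22.33 access-list vendor_policy_nat

! Outbound NAT is applied before the crypto map is checked, so the
! site-to-site crypto ACL must match the translated source, not 10.1.2.3.
access-list vendor_crypto permit ip host 10.1.22.33 VENDOR_NET VENDOR_MASK
crypto map CRYPTO_MAP_NAME SEQ match address vendor_crypto

! An existing "nat (inside) 0 access-list ..." exemption (typical for
! remote-access VPN) must not permit 10.1.2.3 -> VENDOR_NET, because NAT
! exemption is evaluated before the static and would bypass the translation.
```

After applying it, `show xlate` should list the 10.1.22.33 translation once the host sends traffic to the vendor, and `show crypto ipsec sa` should show the security association built for the translated address.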