IPsec VPN with overlapping Network

wasiimcisco
Level 1

Hi

I am trying to make a site-to-site VPN between two sites, but both sites are using 192.168.10.x/24.

I want Site A to access the Site B network (192.168.10.x) on 192.168.73.x.

Site B should access the Site A networks on their real IP addresses, the actual LANs 192.168.80.0, 192.168.200.0 and 192.168.10.0.

Site B will use 192.168.73.x when they want to access Site A subnets.

The configuration for Site A is mentioned below:

access-list acl-htts extended permit ip 192.168.80.64 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.80.89 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.80.62 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.210.125 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.200.86 255.255.255.255 192.168.73.0 255.255.255.0

static (inside,outside) 192.168.73.0 access-list acl-99

access-list acl-99 extended permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list acl-99 extended permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list acl-99 extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0

static (outside,inside) 192.168.73.0 192.168.10.0

Please let me know if the above configuration will work for me. I am confused about the static configuration. Please assist.

5 Replies

Jouni Forss
VIP Alumni

Hi,

The above configurations don't really match what you are describing before them. Also, I think you need to NAT both sites' source networks, since even though Site A might be connecting to another network (192.168.73.0/24), Site B would still be seeing connections coming from network 192.168.10.0/24 on its outside interface while it has the same network on its inside.

I might have totally misunderstood the original post, though.

Let's look through all the information needed for the L2L VPN.

Site A network(s):

  • 192.168.10.0/24 ( NAT 192.168.20.0/24 for example)
  • 192.168.80.0/24
  • 192.168.200.0/24

Site B network(s):

  • 192.168.10.0/24 (NAT 192.168.73.0/24)

The L2L VPN encryption domain / interesting-traffic ACL and NAT configurations would look something like this:

Site A

access-list SITE-A-L2L-VPN-ACL permit ip 192.168.20.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-L2L-VPN-ACL permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-L2L-VPN-ACL permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0

access-list SITE-A-VPN-NONAT remark NO NAT for the below networks
access-list SITE-A-VPN-NONAT permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-VPN-NONAT permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0
nat (inside) 0 access-list SITE-A-VPN-NONAT

access-list SITE-A-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
static (inside,outside) 192.168.20.0 access-list SITE-A-VPN-POLICYNAT

The above configuration should do the following for SITE A:

  • The first ACL defines the source and destination networks for the L2L VPN connection. Two of your local networks will not be NATed and will show with their original addresses. The overlapping network 192.168.10.0/24 will show as the NATed network 192.168.20.0/24. The destination network is 192.168.73.0/24, which is NATed at the SITE B device.
  • The second ACL and the nat (inside) 0 statement configure your non-overlapping networks to be visible to SITE B with their original addresses.
  • The third ACL and the static statement configure your local overlapping network 192.168.10.0/24 to show as the NAT network 192.168.20.0/24 to SITE B when it's connecting to the remote network 192.168.73.0/24.

Site B

access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
static (inside,outside) 192.168.73.0 access-list SITE-B-VPN-POLICYNAT

The above configuration should do the following for SITE B:

  • The first ACL defines the source and destination networks for the L2L VPN connection. Your source network will be the NATed network 192.168.73.0/24 of the real network 192.168.10.0/24. The destination networks will be SITE A's NATed network 192.168.20.0/24 (of their local network 192.168.10.0/24) and the no-NAT networks 192.168.80.0/24 and 192.168.200.0/24.
  • The second ACL and the NAT statement say that when the SITE B local network 192.168.10.0/24 is connecting to any of the SITE A networks, it will be NATed to the network 192.168.73.0/24.

Hope I didn't mess up any configurations.

Please rate if it was of any help.

Ask more if something needs clarification.

- Jouni

Hi,

Thanks for the detailed reply, but I don't have any administrative control over the Site B network. I am only managing the Site A network, which has the LAN IP addresses

192.168.80.0

192.168.200.0

192.168.10.0

I want to give all my users the 192.168.73.0 network as the remote Site B network (which is 192.168.10.x).

All the traffic from my LAN should appear at the Site B network as coming from a 192.168.73.x source.

All the configuration I need is on my firewall only. When traffic from Site B comes to my firewall, it should translate the 192.168.10.0 network of Site B into 192.168.73.x.

How can I achieve this without doing NAT on the Site B network?

Hmm,

So you want to NAT overlapping networks and in the process overlap them again?

Yes, because I don't want to do the extra configuration on the Site B network, because I don't have any control over there.

I want to do all the configuration for the overlapping network etc. on my side and let Site B configure the standard VPN configuration.

Hi,

To be honest, I can't see how this would work when you consider that you would be telling the VPN device that the source and destination networks are both the same for both sites.

Or I have just misunderstood this thing completely.

Though I've got to say that all these NAT and VPN configurations are easiest when both endpoints handle their NAT configurations separately. So if it's in any way possible, I suggest you get someone to handle the configuration on the other end so that you don't have to deal with the situation alone.
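A small model of the two-sided policy NAT design from Jouni's first reply, and of what happens when Site B is left with a "standard" VPN and no NAT as the later exchange asks for. This is an added Python example, not code from the thread or from any Cisco product; the site dictionaries and the trace() helper are constructed for the illustration and only approximate how an ASA applies policy NAT and the crypto ACL.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two ASAs in Jouni's design. A policy-NAT rule is
# (match_src, match_dst, translated_src): a flow whose real source and
# destination fall in the first two networks gets its source moved 1:1 into
# the third. "crypto" is the L2L interesting-traffic ACL (post-NAT addresses).
A_NETS = ("192.168.20.0/24", "192.168.80.0/24", "192.168.200.0/24")  # as Site B sees them
SITE_A = {"inside": "192.168.10.0/24",
          "crypto": [(s, "192.168.73.0/24") for s in A_NETS],
          "policy_nat": [("192.168.10.0/24", "192.168.73.0/24", "192.168.20.0/24")]}
SITE_B = {"inside": "192.168.10.0/24",
          "crypto": [("192.168.73.0/24", d) for d in A_NETS],
          "policy_nat": [("192.168.10.0/24", d, "192.168.73.0/24") for d in A_NETS]}
# Site B left with a "standard" VPN and no NAT, as the poster hoped to do.
SITE_B_NO_NAT = {"inside": "192.168.10.0/24",
                 "crypto": [("192.168.10.0/24", d) for d in A_NETS], "policy_nat": []}

def remap(addr, from_net, to_net):
    """Move a host 1:1 between two same-sized networks, keeping its host offset."""
    offset = int(ip_address(addr)) - int(ip_network(from_net).network_address)
    return str(ip_address(int(ip_network(to_net).network_address) + offset))

def outbound(site, src, dst):
    """Policy NAT for a flow leaving the inside interface (no match = nat 0 / identity)."""
    for m_src, m_dst, xlate in site["policy_nat"]:
        if ip_address(src) in ip_network(m_src) and ip_address(dst) in ip_network(m_dst):
            return remap(src, m_src, xlate), dst
    return src, dst

def inbound(site, src, dst):
    """Untranslate the destination of a flow arriving through the tunnel."""
    for m_src, m_dst, xlate in site["policy_nat"]:
        if ip_address(dst) in ip_network(xlate) and ip_address(src) in ip_network(m_dst):
            return src, remap(dst, xlate, m_src)
    return src, dst

def in_crypto_acl(site, src, dst):
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in site["crypto"])

def trace(sender, receiver, src, dst):
    """Return (src, dst) as the receiver's LAN sees them, whether the sender's crypto
    ACL selected the flow, and whether the source collides with the receiver's LAN."""
    s1, d1 = outbound(sender, src, dst)
    eligible = in_crypto_acl(sender, s1, d1)
    s2, d2 = inbound(receiver, s1, d1)
    return s2, d2, eligible, ip_address(s2) in ip_network(receiver["inside"])
```

With both sites translating, a Site A host 192.168.10.5 reaches Site B host 192.168.10.20 as 192.168.20.5 and the reply comes back from 192.168.73.20, so neither side ever sees its own 192.168.10.0/24 arriving from the tunnel; with SITE_B_NO_NAT the reply reaches Site A with source 192.168.10.20, inside Site A's own LAN range, and Site A's policy NAT does not even recognise the flow.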