NAT with VPN Site to Site and Remote LANs with same IP address

  • NAT with VPN Site to Site and Remote LANs with same IP address

    Hello
    I have an ASA5510 to connect clients to my company. I use IPsec site-to-site VPN with different VPN equipment on the other side (Cisco, Sonicwall, Zyxel, Checkpoint ...).
    For every remote LAN I translate the client network to a single IP address.
    For instance
    Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24
    Client2 172.16.0.0/16 Dynamic PAT (hide) a.b.c.2/24
    Client3 172.17.4.0/26 Dynamic PAT (hide) a.b.c.3/24
    ...
    Everything is working fine, but now I have a new client with the same IP network as client1.
    I tried
    Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24
    But when I did it, client1 lost the connection and I had to remove the clientn network ...

    Do you have an idea how to permit the same remote IP addresses to use the VPN?
    For information, I use ASDM to set up the ASA.


    Regards
    Laurent
    Sorry for my English ...

  • #2
    Re: NAT with VPN Site to Site and Remote LANs with same IP address

    The same IP network cannot be used in more than one location, ever. In a situation like this, you have three choices:
    1. NAT the network at the remote end
    2. Renumber the network at the remote end
    3. Renumber the conflicting network at the other client site

    The first solution would involve reconfiguring the router/firewall at the remote end. There's nothing you can do at your end to NAT incoming IPsec traffic, as the packets would have to be decrypted before NAT could be performed, and the SA definition at the remote end would of course refer to the non-NATed IP addresses. Catch-22.

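An added example, not part of the original posts: a pre-flight check that compares a new peer's protected network against the existing site-to-site peers before a tunnel is configured, so a collision like client1/clientn is caught before it takes a working tunnel down. It goes slightly beyond the thread by also flagging partial overlaps (a subnet contained in another peer's range). The `PEERS` mapping and the function names are hypothetical; the networks are the ones quoted in the question.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: remote networks per VPN peer, as listed in the question.
# The dict layout is an assumption for this example, not an ASA/ASDM export format.
PEERS = {
    "client1": ["192.168.1.0/24"],
    "client2": ["172.16.0.0/16"],
    "client3": ["172.17.4.0/26"],
}


def find_conflicts(peers):
    """Return sorted (peer_a, net_a, peer_b, net_b) tuples for every pair of
    networks that overlap and belong to different peers."""
    entries = [
        (name, ipaddress.ip_network(cidr, strict=True))
        for name, cidrs in peers.items()
        for cidr in cidrs
    ]
    conflicts = []
    for (peer_a, net_a), (peer_b, net_b) in combinations(entries, 2):
        # overlaps() is true for identical networks and for containment
        # in either direction, which covers partial overlaps as well.
        if peer_a != peer_b and net_a.version == net_b.version and net_a.overlaps(net_b):
            conflicts.append((peer_a, str(net_a), peer_b, str(net_b)))
    return sorted(conflicts)


def can_add(peers, name, cidrs):
    """Check a candidate peer against the existing ones.
    Returns (ok, conflicts_involving_the_candidate)."""
    trial = dict(peers)
    trial[name] = list(cidrs)
    conflicts = [c for c in find_conflicts(trial) if name in (c[0], c[2])]
    return (not conflicts, conflicts)


if __name__ == "__main__":
    # The new client from the question reuses client1's network.
    ok, conflicts = can_add(PEERS, "clientn", ["192.168.1.0/24"])
    print("safe to add" if ok else "conflict:", conflicts)
```

A conflict reported here means one of the three options from the reply (NAT or renumbering at a remote site) has to be arranged with the client before the tunnel is added.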