topic Re: internal subnet of a tunnel vpn equal to my internal subnet in Firewall and Security Management

Re: internal subnet of a tunnel vpn equal to my internal subnet

fabiofabio — Fri, 22 Apr 2022 06:40:56 GMT

sorry if i'm wrong, as i said before i never dealt with nat. But from what I've read, wouldn't a hide nat on their side be enough? so the subnet I want comes directly to me

Re: internal subnet of a tunnel vpn equal to my internal subnet

G_W_Albrecht — Fri, 22 Apr 2022 07:42:26 GMT

Always the best solution is to change one of the overlapping networks ! Using NAT is surely possible for a single VPN tunnel, but as soon as more tunnels and more overlapping networks add up, configuration gets harder and harder !

Re: internal subnet of a tunnel vpn equal to my internal subnet

fabiofabio — Fri, 22 Apr 2022 07:47:55 GMT

Certainly! in fact I have more vpn tunnels and this is the first time that I happen to have to use the nat to work around the problem. So do you recommend using hide nat or static nat? and in what way?

Re: internal subnet of a tunnel vpn equal to my internal subnet

G_W_Albrecht — Fri, 22 Apr 2022 07:55:17 GMT

I recommend to change the overlapping internal network. The alternative is a lot of headache:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

Re: internal subnet of a tunnel vpn equal to my internal subnet

fabiofabio — Fri, 22 Apr 2022 08:01:11 GMT

in this case, it is a very large subnet, I cannot change it. I will try to convince the supplier to change it, but if it is not even possible on his part, how is it possible to solve with the nat?

Re: internal subnet of a tunnel vpn equal to my internal subnet

G_W_Albrecht — Fri, 22 Apr 2022 08:44:45 GMT

The alternative is some headache😉:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

Re: internal subnet of a tunnel vpn equal to my internal subnet

Bob_Zimmerman — Fri, 22 Apr 2022 13:24:05 GMT

The NAT solution is really simple. You pick a NAT block for them to use, and they pick a NAT block for you to use. Each side applies the NATs for their own addresses using the NAT block provided by the peer. That way, you always talk with a block of addresses you know don't overlap with anything in our environment, they always talk with addresses which they know don't overlap with anything in their environment. Within the tunnel, it will be the addresses they selected for you and the addresses you selected for them, with no real addresses at all. Works for VPNs or WAN links, and keeps everything unambiguous.

Re: internal subnet of a tunnel vpn equal to my internal subnet

G_W_Albrecht — Mon, 25 Apr 2022 09:21:05 GMT

This works good for two peers in one community, but tends to go more complicated for every peer added.

Re: internal subnet of a tunnel vpn equal to my internal subnet

Bob_Zimmerman — Mon, 25 Apr 2022 16:24:37 GMT

At least it's a constant complexity overhead per connection to another company. I have about 250 such connections right now, and it's not too bad.