fabiofabio
Collaborator

Re: internal subnet of a tunnel vpn equal to my internal subnet

Sorry if I'm wrong; as I said before, I never dealt with NAT. But from what I've read, wouldn't a Hide NAT on their side be enough, so the subnet I want comes directly to me?

0 Kudos
8 Replies
G_W_Albrecht
Legend

Always the best solution is to change one of the overlapping networks! Using NAT is surely possible for a single VPN tunnel, but as soon as more tunnels and more overlapping networks add up, configuration gets harder and harder!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
fabiofabio
Collaborator

Certainly! In fact I have more VPN tunnels, and this is the first time I have had to use NAT to work around the problem. So do you recommend using Hide NAT or Static NAT? And in what way?

0 Kudos
G_W_Albrecht
Legend

I recommend changing the overlapping internal network. The alternative is a lot of headache:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

0 Kudos
fabiofabio
Collaborator

In this case it is a very large subnet; I cannot change it. I will try to convince the supplier to change it, but if it is not possible on their side either, how can it be solved with NAT?

0 Kudos
G_W_Albrecht
Legend

The alternative is some headache 😉:

sk170812: Route Based VPN solution for Overlapping Encryption Domains

Bob_Zimmerman
Authority

The NAT solution is really simple. You pick a NAT block for them to use, and they pick a NAT block for you to use. Each side applies the NATs for their own addresses using the NAT block provided by the peer. That way, you always talk with a block of addresses you know don't overlap with anything in your environment, and they always talk with addresses which they know don't overlap with anything in their environment. Within the tunnel, it will be the addresses they selected for you and the addresses you selected for them, with no real addresses at all. Works for VPNs or WAN links, and keeps everything unambiguous.

(1)
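The addressing scheme described in the post above, modelled as an added example (this is not code from the thread, from Check Point, or from any real gateway configuration). All addresses are constructed: both sites use 10.0.0.0/24 internally, site A hands B the block 172.16.1.0/24 for B's hosts, and B hands A the block 172.16.2.0/24 for A's hosts. The script applies the 1:1 static NAT each gateway would do at the tunnel edge, shows what travels inside the tunnel versus what each host sees, and checks that the chosen blocks collide with nothing either side already knows (including other tunnels a site already has, which is the case the thread raises).

```python
"""Model of double static NAT across a tunnel whose two ends use the same
internal subnet. Added example with constructed addresses; not a gateway
configuration and not code from the original thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Site:
    """One end of the tunnel.

    real       : this site's real internal network (both sites use the same one here)
    nat_block  : the block the *peer* chose for this site; this site's hosts are
                 statically translated into it before they enter the tunnel
    also_known : other networks this site already routes (other tunnels, WAN links)
                 that a block handed to the peer must not collide with
    """
    name: str
    real: Net
    nat_block: Net
    also_known: list = field(default_factory=list)

    def real_to_nat(self, ip: IPv4) -> IPv4:
        # 1:1 static NAT: keep the host offset, swap the network part.
        if ip not in self.real:
            raise ValueError(f"{ip} is not behind {self.name}")
        return self.nat_block[int(ip) - int(self.real.network_address)]

    def nat_to_real(self, ip: IPv4) -> IPv4:
        # Inverse of real_to_nat; stateless because the mapping is 1:1.
        if ip not in self.nat_block:
            raise ValueError(f"{ip} is not a NAT address of {self.name}")
        return self.real[int(ip) - int(self.nat_block.network_address)]


def nat_block_conflicts(a: Site, b: Site) -> list:
    """Every overlap that would make the tunnel's encryption domains ambiguous."""
    problems = []
    for site, peer in ((a, b), (b, a)):
        if site.nat_block.prefixlen != site.real.prefixlen:
            problems.append(f"{site.name}: NAT block {site.nat_block} is not the same "
                            f"size as {site.real}; 1:1 static NAT needs equal sizes")
        # The block the peer chose for us must be free in the peer's environment.
        for net in [peer.real, *peer.also_known]:
            if site.nat_block.overlaps(net):
                problems.append(f"{site.name}: NAT block {site.nat_block} chosen by "
                                f"{peer.name} overlaps {net} in {peer.name}'s environment")
    # Inside the tunnel only the two NAT blocks exist, so they must not overlap each other.
    if a.nat_block.overlaps(b.nat_block):
        problems.append(f"NAT blocks {a.nat_block} and {b.nat_block} overlap inside the tunnel")
    return problems


def send(src_site: Site, dst_site: Site, src_real: IPv4, dst_as_seen: IPv4):
    """One packet from a host at src_site to a host at dst_site.

    The sending host addresses the peer by its NAT address (dst_as_seen).
    Returns (what is carried inside the tunnel, what the receiving host sees).
    """
    in_tunnel = (src_site.real_to_nat(src_real), dst_as_seen)          # source NAT at src gateway
    delivered = (in_tunnel[0], dst_site.nat_to_real(in_tunnel[1]))      # destination NAT at dst gateway
    return in_tunnel, delivered


# Constructed scenario: identical internal subnets on both ends.
SHARED = Net("10.0.0.0/24")
SITE_A = Site("A", SHARED, Net("172.16.2.0/24"), also_known=[Net("192.168.50.0/24")])  # B gave A 172.16.2.0/24
SITE_B = Site("B", SHARED, Net("172.16.1.0/24"))                                        # A gave B 172.16.1.0/24
# Constructed mistake: B "gives" A a block that is B's own real network.
BAD_A = Site("A", SHARED, Net("10.0.0.0/24"))


def forward_and_reply():
    """Host 10.0.0.5 behind A talks to host 10.0.0.9 behind B and gets a reply."""
    fwd = send(SITE_A, SITE_B, IPv4("10.0.0.5"), IPv4("172.16.1.9"))
    # B's host replies to the source it saw, which is A's NAT address, never a real one.
    reply = send(SITE_B, SITE_A, IPv4("10.0.0.9"), fwd[1][0])
    return fwd, reply


if __name__ == "__main__":
    print("conflicts (good pair):", nat_block_conflicts(SITE_A, SITE_B))
    print("conflicts (bad pair): ", nat_block_conflicts(BAD_A, SITE_B))
    fwd, reply = forward_and_reply()
    print("A -> B  in tunnel:", *fwd[0], " delivered:", *fwd[1])
    print("B -> A  in tunnel:", *reply[0], " delivered:", *reply[1])
```

Two practical consequences follow from the model: the encryption domain each gateway declares for this tunnel is its NAT block, not its real network, so the gateways negotiate 172.16.2.0/24 and 172.16.1.0/24 and never see the overlapping 10.0.0.0/24 on the wire; and because the translation is 1:1 static rather than a many-to-one Hide NAT, either side can initiate connections to the other.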
G_W_Albrecht
Legend

This works well for two peers in one community, but tends to get more complicated with every peer added.

Bob_Zimmerman
Authority

At least it's a constant complexity overhead per connection to another company. I have about 250 such connections right now, and it's not too bad.
