Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
k_b
Contributor
Jump to solution

VPN overlapping source networks

Dear all,

We are currently implementing a new VPN appliance and are thinking about how to handle potential overlapping networks. I am aware that this is a quite redundant topic and that there are several other posts concerning overlapping IP addresses spaces in the VPN context and possible solutions to handle this, but I could extract a final answer for my question from these posts. Beside of the assumption that there is no solution to what we try to achieve, but I would like to give it a last try. A lot of the provided solutions are considering the implementation of NAT rules. Depending on the use case, NAT is suggested to be implemented on requesting or responding side.

What we want to achieve

We would like to provide the customers the option to use what ever network they want to use. In the worst case, every customer should be able to use the same network range for the communication. We would also like to avoid implementing NAT on the customer side. Every required adjustment should take place on our side.

What we have considered so far

  1. First the hope exists that there would be a possibility to do some kind of Pool NAT per customer. So, before any access policy or native NAT rules, the gateway would assign the clients via the VPN configuration a source (and thus also a destination) network range. All further network and NAT rules would only consider the assigned Pool NAT range which was assigned from our side so that overlapping can be avoided. Due to this mapping within the VPN configuration, the gateway would know were and how to route the pakets. This approach seems to be not possible or even considerable.
  2. Any standard source and destination NAT on a single gateway / cluster will also not help. There would be overlapping enryption domains, not clear routing and possible other issues.
  3. Route based VPN is an other approach but this will also not enable us to do what we want to do, because it also can not route the same destinations to different interface. We would require a kind of VRF which leads to the last point.
  4. All I can think about for now is: Create a VS on a VSX for every customer and implement NAT on this VS. This VS would only be the entry gate to the network and would route to the "real" firewall and gateways. But this would require many public IP addresses and would cost quite alot due to the required VS licences.

Do you have any other idea or is there no possibility to implement what we are trying to achieve?

With kind regards

0 Kudos
1 Solution

Accepted Solutions
Magnus-Holmberg
Advisor

One VS per customer and use CGNAT.

https://www.youtube.com/c/MagnusHolmberg-NetSec

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

Given those requirements, you're basically stuck with providing a separate VS for each customer to terminate their VPN on.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Only solution would be to use RA VPN with OfficeMode on every client instead of S2S VPN.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Magnus-Holmberg
Advisor

One VS per customer and use CGNAT.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
k_b
Contributor

Thank you all for your replies. I feared that the answers would be like they happened to be. Atleast we now have some more clarity and can continue our planning.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events