rickyclourenco asked:
VPN Tunnel Same Subnet....what to do?

We are going to establish a VPN tunnel between one of our Remote_A office and another External_Data_Center. The problem is that we both have the same subnets. Also, add in the fact that Remote_A already has an established site-to-site VPN with Remote_B; Remote_A and Remote_B are part of the same Domain and Company. External_Data_Center is an external entity.

Current IP range:
Remote_A = 192.168.1.0/24
Remote_B = 192.168.100.0/24

External_Data_Center = 192.168.1.0/24

Remote_A and Remote_B are connected via Cisco PIX VPN

This is the extent of my knowledge on this situation, the problem is, that I am the Admin in the US, and this is the second hand information I am receiving from the Admin in Turkey....let me know if you need anything else

Essentially, my questions are...
1.  Can I establish VPN connectivity with someone of the same Subnet and still distinguish the traffic?
2.  If we have to change the IP range at the Remote_A location, what can we change it to that would still allow Remote_A and Remote_B to communicate?

Thanks!
ASKER CERTIFIED SOLUTION by mianni (the accepted solution text is not included on this page)

mianni:

Sorry, forgot this one!

"2.  If we have to change the IP range at the Remote_A location, what can we change it to that would still allow Remote_A and Remote_B to communicate?"

Any other address range which is different from the ones used by Site A & B, e.g. 192.168.2.0/24.
However, you can make it work if both VPN devices support NAT at the right point in the stack.
AND you don't need to support any protocols that break if they are NAT'ed.

You may be able to use NAT to map both sides to different addresses, e.g.:
A = 192.168.1.0/24 <-> 10.0.1.0/24
B = 192.168.1.0/24 <-> 10.0.2.0/24

So if A wants to send traffic to B then it is addressed to 10.0.2.0/24.
So that B can reply, A must do source NAT for outbound packets so that although the packet is coming from 192.168.1.0/24, B will see it as coming from 10.0.1.0/24.
Also B must source NAT 192.168.1.0/24 to 10.0.2.0/24 for outbound packets.

I am not sure regarding PIX, whether it is capable, perhaps someone else may have this answer.
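The twice-NAT scheme sketched above is easy to get wrong in one's head, so here is an added worked model of it in Python (this is not code from the thread or from any vendor; `ipaddress` is standard library). Both LANs are 192.168.1.0/24 and each site's VPN device presents its LAN to the far side under the alias range from the post (A as 10.0.1.0/24, B as 10.0.2.0/24). The host addresses .10 and .20 are constructed for the walk-through. It also shows why the two identical LANs cannot talk without NAT: a host that sees the destination as on its own subnet ARPs for it locally and never hands the packet to the VPN gateway.

```python
# Added example: 1:1 twice-NAT between two sites that both use 192.168.1.0/24.
# Alias ranges 10.0.1.0/24 (A) and 10.0.2.0/24 (B) follow mianni's post;
# the host addresses used below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


class SiteNat:
    """VPN device at one site: translates between the real LAN and its alias range."""

    def __init__(self, real: str, alias: str):
        self.real = IPv4Network(real)
        self.alias = IPv4Network(alias)
        if self.real.prefixlen != self.alias.prefixlen:
            raise ValueError("real and alias ranges must be the same size (1:1 NAT)")

    @staticmethod
    def _shift(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        # Static 1:1 NAT: keep the host part, swap the network part.
        return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))

    def alias_of(self, real_host: str) -> IPv4Address:
        """Address the far side must use to reach one of our hosts."""
        return self._shift(IPv4Address(real_host), self.real, self.alias)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> tunnel: source NAT real -> alias."""
        if pkt.src not in self.real:
            raise ValueError(f"{pkt.src} is not in local LAN {self.real}")
        return Packet(self._shift(pkt.src, self.real, self.alias), pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Tunnel -> LAN: destination NAT alias -> real."""
        if pkt.dst not in self.alias:
            raise ValueError(f"{pkt.dst} is not in our alias range {self.alias}")
        return Packet(pkt.src, self._shift(pkt.dst, self.alias, self.real))


def delivery(host_iface: str, dst: str) -> str:
    """How a host with interface `host_iface` (addr/prefix) delivers a packet to `dst`.

    If dst falls inside the host's own subnet it ARPs on the local wire and never
    sends the packet to the VPN gateway; that is why two 192.168.1.0/24 LANs
    cannot reach each other without NAT (or renumbering).
    """
    iface = IPv4Network(host_iface, strict=False)
    return "on-link (ARP)" if IPv4Address(dst) in iface else "via default gateway"


def exchange(site_a: SiteNat, site_b: SiteNat, host_a: str, host_b: str) -> dict:
    """Request from host_a (at A) to host_b (at B) and the reply, hop by hop."""
    # A addresses B's host by its alias, never by its real (colliding) address.
    req_lan_a = Packet(IPv4Address(host_a), site_b.alias_of(host_b))
    req_tunnel = site_a.outbound(req_lan_a)      # inside the tunnel both ends are aliases
    req_lan_b = site_b.inbound(req_tunnel)
    # B's host replies to the source it saw, i.e. A's alias.
    rep_lan_b = Packet(req_lan_b.dst, req_lan_b.src)
    rep_tunnel = site_b.outbound(rep_lan_b)
    rep_lan_a = site_a.inbound(rep_tunnel)
    return {
        "request_lan_a": str(req_lan_a),
        "request_tunnel": str(req_tunnel),
        "request_lan_b": str(req_lan_b),
        "reply_lan_b": str(rep_lan_b),
        "reply_tunnel": str(rep_tunnel),
        "reply_lan_a": str(rep_lan_a),
    }


if __name__ == "__main__":
    site_a = SiteNat("192.168.1.0/24", "10.0.1.0/24")
    site_b = SiteNat("192.168.1.0/24", "10.0.2.0/24")
    print("no NAT,   192.168.1.10 -> 192.168.1.20:", delivery("192.168.1.10/24", "192.168.1.20"))
    print("with NAT, 192.168.1.10 -> 10.0.2.20:   ", delivery("192.168.1.10/24", "10.0.2.20"))
    for hop, pkt in exchange(site_a, site_b, "192.168.1.10", "192.168.1.20").items():
        print(f"{hop:15} {pkt}")
```

The point worth noticing is the tunnel hop: inside the IPsec tunnel both source and destination are alias addresses, so the crypto ACLs and routing on each PIX see two disjoint ranges even though the LANs behind them are identical. The caveat from the post still applies: protocols that embed addresses in their payload will break unless the device has an application-layer fixup for them.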
rickyclourenco (asker):

Ok, I was testing the 192.168.2.0/24 setting on a laptop, all I changed was the IP address, Subnet, Gateway, everything else remained the same, and I don't know why, but I can't connect to anything once I change the IP, and I would think that it would be able to connect since the subnet mask is 255.255.255.0... any ideas?

This is what is worrying me about re-numbering...

It is possible.

You need to NAT one subnet.

We have done it with PIX and a router.

Please go thru this document from cisco.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

BTW, I agree with you on the Double NAT'ing so to speak, I just don't want to overcomplicate this issue, because there aren't any Cisco Experts in house, and also, I'm unsure about the External_Data_Center, and what they are willing to do or not since I am not in direct contact with them. Re-numbering is something that we are willing to do, as long as it doesn't break our CURRENT VPN TUNNEL, and we can still communicate with each other...

I don't think it will break our tunnel, because the tunnel is created based on our external IP addresses, and also, we are not using ACL's, we are allowing all IPSEC traffic to pass through... but I could be wrong, that's why I want to ask on here.

Mianni - We would have to change to a class B subnet?

When you said you changed the IP address only on a laptop, did you also change the IP address of your gateway to reflect the new 192.168.2.0/24 subnet?

Can you confirm your settings, i.e.:
Laptop = 192.168.2.X/24
Gateway = 192.168.X.X/24

I was typing everything out and FireFox CRASHED!!  ahh!

Anyways, this is basically a dead issue for now, I'm waiting to hear input from our other site on this situation, but what I did was this...

Laptop IP = 192.168.2.2 Gateway = 192.168.100.1 Subnet = C-Class  <--- didn't work

Change the Subnet to a B-Class on the Laptop and my desktop <-- then they could communicate, but still laptop cannot talk to the gateway

But this whole situation really became irrelevant because I thought about it and realized that the PIX is acting as my gateway, so therefore, it always knows how to route to the other subnet regardless of what it is... hence how we are currently communicating with our current Site-to-Site connection....

I guess the only question I still have would be which lines I have to change in the PIX if they change their internal LAN numbering at our other site..
I'm thinking it's one of the lines below... let me know

access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.100.200 255.255.255.252
access-list inside_outbound_nat0_acl permit ip any 192.168.100.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.100.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.100.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.100.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

Changing to a class B subnet will only aggravate the problem, because then hypothetically 192.168.1.X addresses are on the same piece of wire as 192.168.2.X.
Devices (if the IP stack is good) will start ARPing for these addresses. Unless you are able to bridge across the VPN, routing is the best solution.

When you renumber your LAN to 192.168.2.0/24 make sure the PIX config also changes to suit this, then test connectivity to Remote_B.
If this does not work then you will need to check and perhaps paste the configuration of your PIX here, as there may be antispoofing rules or ACL's which may have been setup initially when you were using the previous addressing.
By the looks of your ip addressing you are on the 192.168.100.0/24 subnet.
So changing your ip addressing won't fix the problem, one of the remote sites will need to change.

Hence you will need to add a line such as:
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0

That's what I thought...

basically remove this line:
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

and add the one you stated above...

No, not remove the line you mentioned. Because if you want to have both tunnels working to 192.168.1.0 and 192.168.2.0 then it will need to stay.

The 192.168.1.0 would be the network changing to 192.168.2.0....

that's why I said remove the
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

and change it to
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0

Yes, but you will still have another 192.168.1.0 subnet which you still want to VPN to???
Is this correct or am I getting ahead of myself? There will be two subnets with the same address.

It's a little confusing because there are 2 sites involved here, the lines above are representative of MY site in the US. So I would be changing my lines to match the office in India. India will be the one renumbering, so that they can connect to another company, which currently matches their 192.168.1.0 subnet. I'll let you know what happens, it's going down this weekend or by Monday the latest... Thanks for the responses so far... like I said, I'm just keeping this open in case a problem DOES arise...

I was just thinking about something, maybe you can answer this, if USA connected to India, and India connected to Other_Company, will other company be able to connect to USA?

Not without trying to specifically do so.

If they (the other company) point their route/include 192.168.100.0/24 to the tunnel to India then India's PIX does source NAT for them, so traffic can get back.

1.  I have added the following lines to our PIX to accommodate the new Subnet.
    a.  access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
    b.  access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0
    c.  access-list inside_access_out permit ip 192.168.100.0 255.255.255.0 192.168.133.0 255.255.255.0

They made the re-numbering, and I didn't get a phone call or email for the whole weekend ;-)

Came in today, and it was all done, and it worked perfectly, thanks for the help Mianni.....

I'm going to be posting another question in regards to the Speed of the VPN Tunnel between two PIX 506e's.
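The two practical questions in this thread were "which address range can the remote site move to without colliding with anything the PIX already knows about" and "which PIX lines change when they renumber". Below is an added Python helper (not code from the thread, from Cisco, or from any poster) that parses the asker's `access-list ... permit ip SRC MASK DST MASK` lines as pasted above, reports which existing networks a candidate range would overlap, and rewrites the entries that reference the old remote subnet. The sample ACL text is the asker's `inside_outbound_nat0_acl` lines copied from the thread; the three ACL names used in `tunnel_acl_lines` (`outside_cryptomap_20`, `inside_outbound_nat0_acl`, `inside_access_out`) are the ones from the asker's final post, and the parser assumes the PIX convention of plain subnet masks rather than IOS-style wildcard masks.

```python
# Added example: parse PIX access-list lines, check a candidate subnet for overlap
# with every network already referenced, and rewrite entries for a renumbered remote.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# Sample input: the asker's nat0 ACL lines as pasted in the thread.
NAT0_ACL = """\
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.100.200 255.255.255.252
access-list inside_outbound_nat0_acl permit ip any 192.168.100.192 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.100.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.100.192 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.100.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# ACL names from the asker's final post; the tunnel to a new remote needed all three.
TUNNEL_ACL_NAMES = ("outside_cryptomap_20", "inside_outbound_nat0_acl", "inside_access_out")


@dataclass(frozen=True)
class AclEntry:
    name: str
    action: str
    proto: str
    src: Optional[IPv4Network]  # None stands for the keyword "any"
    dst: Optional[IPv4Network]

    def render(self) -> str:
        def fmt(net: Optional[IPv4Network]) -> str:
            return "any" if net is None else f"{net.network_address} {net.netmask}"
        return f"access-list {self.name} {self.action} {self.proto} {fmt(self.src)} {fmt(self.dst)}"


def _take_address(tokens: List[str], i: int) -> Tuple[Optional[IPv4Network], int]:
    """Consume 'any' or 'ADDRESS MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    # PIX masks are ordinary subnet masks, so ADDRESS/MASK parses directly.
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list NAME ACTION ip SRC DST' lines; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        src, i = _take_address(tokens, 4)
        dst, _ = _take_address(tokens, i)
        entries.append(AclEntry(tokens[1], tokens[2], tokens[3], src, dst))
    return entries


def conflicts(entries: List[AclEntry], candidate: str) -> List[IPv4Network]:
    """Networks already referenced in the ACL that overlap the candidate range."""
    cand = IPv4Network(candidate)
    hits = {n for e in entries for n in (e.src, e.dst) if n is not None and n.overlaps(cand)}
    return sorted(hits, key=lambda n: (int(n.network_address), n.prefixlen))


def renumber(entries: List[AclEntry], old: str, new: str) -> List[str]:
    """Rendered replacements for every entry that references `old`, with `new` swapped in."""
    old_net, new_net = IPv4Network(old), IPv4Network(new)
    out = []
    for e in entries:
        src = new_net if e.src == old_net else e.src
        dst = new_net if e.dst == old_net else e.dst
        if (src, dst) != (e.src, e.dst):
            out.append(AclEntry(e.name, e.action, e.proto, src, dst).render())
    return out


def tunnel_acl_lines(local: str, remote: str) -> List[str]:
    """The three permit lines the asker added for a new remote subnet."""
    l, r = IPv4Network(local), IPv4Network(remote)
    return [AclEntry(name, "permit", "ip", l, r).render() for name in TUNNEL_ACL_NAMES]


if __name__ == "__main__":
    acl = parse_acl(NAT0_ACL)
    for cand in ("192.168.2.0/24", "192.168.1.0/24", "192.168.100.0/24"):
        print(f"{cand}: overlaps {[str(n) for n in conflicts(acl, cand)] or 'nothing'}")
    print(*renumber(acl, "192.168.1.0/24", "192.168.133.0/24"), sep="\n")
    print(*tunnel_acl_lines("192.168.100.0/24", "192.168.133.0/24"), sep="\n")
```

Running it against the pasted ACL shows 192.168.2.0/24 overlapping nothing (so it was a safe suggestion), 192.168.1.0/24 colliding with the existing remote entry (the original problem), and 192.168.100.0/24 colliding with every local entry, which is why renumbering the US side would not have helped. Before committing a renumbering, running the same overlap check over the crypto map and outbound ACLs too, not just nat0, catches the "antispoofing rules or ACL's" case mentioned earlier in the thread.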