[VPN] LAN-to-LAN with Overlapping networks and PAT

Siddhartha Jain losttoy2000 at yahoo.co.uk
Fri Apr 1 10:19:24 EST 2005

--- Josh Higham <jhigham at pyrontechnologies.com> wrote:
> You need to define your PAT list to not translate
> VPN traffic:
> access-list 163 deny ip
> access-list 163 permit ip any

If traffic is left untranslated then packets entering
the tunnel from Site A will have a source address of
10.250.x.x. This means that the packets sent by hosts
on Site B will bear a destination IP of 10.250.x.x.
But 10.250.x.x is already being used by Site B so the
packets won't enter the IPSec router at Site B and
could end up being erroneously routed inside Site B's

The solution could be bi-directional NAT at Site B's
router but I don't control that.

I could do bi-directional NAT on my router at Site A
but I am already PAT-ting the 10.250.x.x network to
64.aa.bb.cc pool. 

<Sigh> And Cisco routers don't support policy NAT
unlike Cisco PIX.

Please do point out any flaws in my reasoning.

Thanks for replying,

- Siddhartha Jain (CISSP)
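A constructed illustration of the routing decision described in the post (added here; it is not part of the original message): a toy longest-prefix-match table for the Site B router and a reversible one-to-one translation at Site A, with 198.18.0.0/16 standing in for the 64.aa.bb.cc pool. Untranslated 10.250.x.x sources draw replies onto Site B's own LAN; translated ones are routed back toward the tunnel.

```python
import ipaddress

SITE_A_LAN = ipaddress.ip_network("10.250.0.0/16")
# Constructed placeholder for the post's 64.aa.bb.cc pool (same size as the LAN
# so the host offset can be preserved and the mapping reversed).
NAT_POOL = ipaddress.ip_network("198.18.0.0/16")

# Simplified Site B forwarding table: Site B also uses 10.250.x.x on its LAN,
# and everything else leaves via the outside interface where the IPsec
# crypto map lives.
SITE_B_ROUTES = [
    (ipaddress.ip_network("10.250.0.0/16"), "LAN (Site B local 10.250.x.x)"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside/IPsec tunnel toward Site A"),
]


def next_hop(dst: str, routes=SITE_B_ROUTES) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in routes if addr in net]
    net, hop = max(candidates, key=lambda r: r[0].prefixlen)
    return hop


def site_a_nat(src: str) -> str:
    """Static 1:1 translation of a Site A 10.250.x.y host into the pool."""
    a = ipaddress.ip_address(src)
    if a not in SITE_A_LAN:
        return src
    offset = int(a) - int(SITE_A_LAN.network_address)
    return str(NAT_POOL.network_address + offset)


def site_a_unnat(dst: str) -> str:
    """Reverse mapping applied to return traffic arriving at Site A."""
    d = ipaddress.ip_address(dst)
    if d not in NAT_POOL:
        return dst
    offset = int(d) - int(NAT_POOL.network_address)
    return str(SITE_A_LAN.network_address + offset)


def reply_exit(site_a_src: str, translate: bool) -> str:
    """Interface Site B's router picks for the reply to a packet from Site A."""
    seen_src = site_a_nat(site_a_src) if translate else site_a_src
    return next_hop(seen_src)
```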
