[VPN] LAN-to-LAN with Overlapping networks and PAT

Siddhartha Jain losttoy2000 at yahoo.co.uk
Fri Apr 1 10:19:24 EST 2005


--- Josh Higham <jhigham at pyrontechnologies.com> wrote:
> You need to define your PAT list to not translate
> VPN traffic:
> access-list 163 deny ip 10.250.0.0 0.0.255.255 192.168.40.0 0.0.0.255
> access-list 163 permit ip 10.250.0.0 0.0.255.255 any
> 

If traffic is left untranslated then packets entering
the tunnel from Site A will have a source address of
10.250.x.x. This means that the packets sent by hosts
on Site B will bear a destination IP of 10.250.x.x.
But 10.0.0.0/8 is already being used by Site B so the
packets won't enter the IPSec router at Site B and
could end up being erroneously routed inside Site B's
network.

The solution could be bi-directional NAT at Site B's
router but I don't control that.

I could do bi-directional NAT on my router at Site A
but I am already PAT-ting the 10.250.x.x network to
64.aa.bb.cc pool.

<Sigh> And Cisco routers don't support policy NAT
unlike Cisco PIX.

Please do point out any flaws in my reasoning.

Thanks for replying,

- Siddhartha Jain (CISSP)
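To make the overlap argument above concrete, here is an added Python model (not from the thread or any Cisco configuration) of the two decisions involved: the quoted access-list 163 deciding which Site A traffic is exempt from PAT, and the path a Site B host's reply takes once the source address it sees lies inside Site B's own 10.0.0.0/8. All addresses are constructed from the thread; the 172.16.250.0/24 pool is a hypothetical non-overlapping range Site A could translate into instead.

```python
from ipaddress import ip_address, ip_network

# Constructed topology following the thread: Site A hosts are 10.250.0.0/16,
# Site B's whole address space is 10.0.0.0/8 (so it overlaps Site A), and the
# tunnel's interesting traffic is Site A -> 192.168.40.0/24.
SITE_A_LAN = ip_network("10.250.0.0/16")
SITE_B_LAN = ip_network("10.0.0.0/8")
VPN_REMOTE = ip_network("192.168.40.0/24")
# Hypothetical pool that does not overlap Site B (assumption, not in the thread).
NAT_POOL = ip_network("172.16.250.0/24")


def pat_acl_163(src, dst):
    """Model of the quoted access-list 163 used as the PAT match list.
    'deny' means the packet is NOT translated (VPN-bound traffic);
    'permit' means it goes through PAT (Internet-bound traffic)."""
    src, dst = ip_address(src), ip_address(dst)
    if src in SITE_A_LAN and dst in VPN_REMOTE:
        return "deny"
    if src in SITE_A_LAN:
        return "permit"
    return "no-match"


def site_b_return_path(reply_dst, site_a_as_seen):
    """Where a Site B host's reply is delivered. A destination inside Site B's
    own address space is handled locally and never reaches Site B's IPsec
    router; only destinations in the range Site B sees as 'Site A' enter
    the tunnel."""
    dst = ip_address(reply_dst)
    if dst in SITE_B_LAN:
        return "site-b-lan"        # misrouted inside Site B, as the post warns
    if dst in site_a_as_seen:
        return "ipsec-tunnel"
    return "default-route"


def check_plan(site_a_as_seen):
    """Evaluate one addressing plan: does the range Site B sees for Site A
    overlap Site B, and where does a reply to its first host end up?"""
    first_host = next(site_a_as_seen.hosts())
    overlaps = site_a_as_seen.overlaps(SITE_B_LAN)
    return overlaps, site_b_return_path(str(first_host), site_a_as_seen)


if __name__ == "__main__":
    print("untranslated:", check_plan(SITE_A_LAN))   # (True, 'site-b-lan')
    print("NAT pool:    ", check_plan(NAT_POOL))     # (False, 'ipsec-tunnel')
```

Running it shows the failure mode described in the post for the untranslated plan and the working path for a translated, non-overlapping one; the same overlap check is worth running against a peer's declared address space before exempting any traffic from NAT.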
