[VPN] LAN-to-LAN with Overlapping networks and PAT
losttoy2000 at yahoo.co.uk
Fri Apr 1 10:19:24 EST 2005
--- Josh Higham <jhigham at pyrontechnologies.com> wrote:
> You need to define your PAT list to not translate
> VPN traffic:
> access-list 163 deny ip 10.250.0.0 0.0.255.255 192.168.40.0 0.0.0.255
> access-list 163 permit ip 10.250.0.0 0.0.255.255 any
If traffic is left untranslated then packets entering
the tunnel from Site A will have a source address of
10.250.x.x. This means that the packets sent by hosts
on Site B will bear a destination IP of 10.250.x.x.
But 10.0.0.0/8 is already being used by Site B so the
packets won't enter the IPSec router at Site B and
could end up being erroneously routed inside Site B's
The solution could be bi-directional NAT at Site B's
router but I don't control that.
I could do bi-directional NAT on my router at Site A
but I am already PAT-ting the 10.250.x.x network to
<Sigh> And Cisco routers don't support policy NAT
unlike Cisco PIX.
Please do point out any flaws in my reasoning.
Thanks for replying,
- Siddhartha Jain (CISSP)
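As an added illustration of the reasoning in this reply (example code, not from the thread or from Cisco IOS), the following Python models the PAT list Josh suggested as a first-match NAT ACL and checks whether the sources it leaves untranslated overlap Site B's 10.0.0.0/8; the remote prefix and sample host addresses are constructed.

```python
import ipaddress

# Constructed example: model IOS access-list 163 as used for a NAT/PAT list.
# In a NAT list, "permit" means translate and "deny" means leave untranslated.

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (e.g. 10.250.0.0 0.0.255.255) to a network.
    Assumes a contiguous wildcard; ipaddress rejects non-contiguous masks."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# access-list 163 deny ip 10.250.0.0 0.0.255.255 192.168.40.0 0.0.0.255
# access-list 163 permit ip 10.250.0.0 0.0.255.255 any
ACL_163 = [
    ("deny", wildcard_to_network("10.250.0.0", "0.0.255.255"),
             wildcard_to_network("192.168.40.0", "0.0.0.255")),
    ("permit", wildcard_to_network("10.250.0.0", "0.0.255.255"), ANY),
]

def nat_decision(acl, src, dst):
    """First-match evaluation of the NAT list; no match (implicit deny) means untranslated."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return "translate" if action == "permit" else "untranslated"
    return "untranslated"

def untranslated_sources_collide(acl, remote_internal):
    """Return the deny-entry source networks that overlap the remote site's own
    address space. Such traffic enters the tunnel with a source Site B already
    uses internally, so Site B's return packets are routed locally, not back
    into the tunnel."""
    remote = ipaddress.IPv4Network(remote_internal)
    return [src for action, src, _ in acl if action == "deny" and src.overlaps(remote)]

if __name__ == "__main__":
    print(nat_decision(ACL_163, "10.250.1.10", "192.168.40.5"))   # untranslated (VPN)
    print(nat_decision(ACL_163, "10.250.1.10", "203.0.113.9"))    # translate (Internet)
    print(untranslated_sources_collide(ACL_163, "10.0.0.0/8"))    # [IPv4Network('10.250.0.0/16')]
```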