[VPN] Re: fw1 site to site vpn subnet conflict

Smith, Duane Duane.Smith at nasa.gov
Thu Aug 31 18:01:40 EDT 2006


We have a similar configuration involving a datacenter that wanted us to
interface with servers in a 10.x network. I don't see why you can't use
the nat'ing solution in both directions. They set the nat'ing rule up on
their end and we connect to them just fine. They had to add an IP
address from a different 10.y subnet to a few of their servers and nat
the 10.y so that the nat rule would not apply to other integrations
where the 10.x was already in production. In short: why is your nat rule
"directional"?

drs
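The NAT-in-both-directions approach described above, as an added example that is not from the thread or from any fw1 configuration: a small Python model of two sites that both use the same /24 (all addresses constructed for illustration), showing why the client's routing can never reach our real addresses and how a net-to-net hide NAT plus a matching inbound static NAT gives them a reachable, non-conflicting address.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration (not from the thread): both sites
# happen to use 10.1.1.0/24, which is the conflict the original poster hit.
LOCAL_REAL = ip_network("10.1.1.0/24")   # our real /24 behind our fw1
LOCAL_HIDE = ip_network("10.99.1.0/24")  # the private /24 we hide behind
REMOTE_NETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]  # client

# Static NAT for the few hosts the client must reach inbound (them --> us):
# published (hide-range) address -> real address. Host parts match the hide
# NAT so that replies translate back to the same published address.
STATIC_NAT = {
    ip_address("10.99.1.10"): ip_address("10.1.1.10"),
    ip_address("10.99.1.20"): ip_address("10.1.1.20"),
}

def conflicts(net, others):
    """Return the remote subnets that overlap our real subnet."""
    return [o for o in others if net.overlaps(o)]

def remote_route(dst):
    """Where the client's routing sends a packet addressed to dst."""
    dst = ip_address(dst)
    if any(dst in net for net in REMOTE_NETS):
        return "local LAN"   # a real 10.1.1.x address never reaches the VPN
    if dst in LOCAL_HIDE:
        return "vpn"
    return "default"

def outbound_hide_nat(src):
    """us --> them: net-to-net hide NAT, keeping the host part of the address."""
    src = ip_address(src)
    if src in LOCAL_REAL:
        offset = int(src) - int(LOCAL_REAL.network_address)
        return ip_address(int(LOCAL_HIDE.network_address) + offset)
    return src

def inbound_static_nat(dst):
    """them --> us: map a published address to the real host, or None (drop)."""
    return STATIC_NAT.get(ip_address(dst))

def inbound_roundtrip(published_dst):
    """Model one them --> us connection: destination translation on the way in,
    source translation of the reply, and where the client routes that reply."""
    real = inbound_static_nat(published_dst)
    if real is None:
        return None
    reply_src = outbound_hide_nat(real)
    return real, reply_src, remote_route(reply_src)
```

A published address outside STATIC_NAT is dropped rather than translated, which models the "only certain hosts" requirement from the original question.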

-----Original Message-----
From: vpn-bounces+duane.smith=msfc.nasa.gov at lists.shmoo.com
[mailto:vpn-bounces+duane.smith=msfc.nasa.gov at lists.shmoo.com] On Behalf
Of Ken Livingston
Sent: Thursday, August 31, 2006 8:32 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Re: fw1 site to site vpn subnet conflict

I take it that it would be too much to change either your private
network subnet or the subnet on the other end which conflicts with
yours?  I think that's going to be the only thing you can do in this
case.  If the individual devices on the remote end don't need access to
the rest of their network, you can try changing their default gateway to
the IP address of the VPN endpoint on the remote side and that should
allow their traffic to pass through the VPN correctly, but they won't be
able to access the other network subnets on their own side.

Maybe someone else has other ideas but I think you'll have to change
one side or the other in order to make this work properly.

Undrhil

----- Original Message -----
From: "zoe" <zmmay at hotmail.com>
To: <vpn at lists.shmoo.com>
Sent: Wednesday, August 30, 2006 11:30 AM
Subject: [VPN] fw1 site to site vpn subnet conflict


> Hi
>
> I have a site to site vpn with a client (fw1 at each end). I only have
> one private subnet behind my firewall but my client has many and
> one of these conflicts with mine.
> Initially I only needed this connection to work one way (us --> them)
> so I put a manual nat rule in place which hide nats my /24 behind
> a different private /24 for connections to the client. This works fine
>
> Now I have been asked to enable inbound traffic to certain hosts from
> the client (them --> us). They can't use the real addresses of my
> hosts as they would be routed to their own network. Any suggestions on
> how this can be done (if at all)? I have tried a few things including
> adding static nat inbound to the few hosts they need to access but have
> had no success. I can post more config if anyone thinks they can help
>
> Thanks
>
> Zoe



_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
