Old 10-15-2009, 08:36 PM   #1
Site to Site VPN duplicate subnets


I hope someone has an easy answer for this....

We're trying to set up a Site to Site VPN between our office and a hospital.
The hospital already has a Site to Site VPN set up with another host using the same local subnet as we use. They are not able to get the other host to change their configuration. We have dozens of other Site to Site VPNs up and running... so we can't easily change ours.

Any ideas?

thanks!

--chuck


chuckbudreau
Old 10-17-2009, 09:38 PM   #2
L8ians
Junior Member
 
Join Date: Jul 2009
Posts: 7
To establish a site to site VPN, the local subnet of your office and the hospital cannot be the same. The local subnet on both ends should be different.


L8ians
Old 10-18-2009, 05:13 PM   #3
L8ians
Junior Member
 
Join Date: Jul 2009
Posts: 7
We can also apply NAT and check if it works.


L8ians
Old 10-19-2009, 02:15 PM   #4
chuckbudreau
Junior Member
 
Join Date: Jul 2007
Posts: 7
If I do NAT for this connection it will break all of my other connections. That would be just almost as bad as changing my local subnet. Unless there's a way to do NAT for only one connection?

--chuck


chuckbudreau
Old 10-21-2009, 03:55 PM   #5
L8ians
Junior Member
 
Join Date: Jul 2009
Posts: 7
That's true....
Can you give me the model no. of both the VPN routers, so that I can check it out for any possible configuration?


L8ians
Old 10-22-2009, 01:53 PM   #6
chuckbudreau
Junior Member
 
Join Date: Jul 2007
Posts: 7
I posted this on another forum and they suggested I use a Policy NAT to achieve the results I'm looking for. After reviewing the suggestion it looks good.

Here's what they came up with...

access-list POLICY_NAT permit ip host 192.1.1.6 10.1.1.0 255.255.255.0
static (inside,outside) 10.1.2.6 access-list POLICY_NAT


where 192.1.1.6 is my inside address, 10.1.1.0 is the remote LAN Network, and 10.1.2.6 is the new NAT'd address.

I'm going to try to implement this today.

Thanks for the suggestions.

--chuck


chuckbudreau
Old 10-22-2009, 08:36 PM   #7
chuckbudreau
Junior Member
 
Join Date: Jul 2007
Posts: 7
As a follow-up for anyone trying this... It works!

The only issue is that since I have a PIX 506E, the GUI interface on the PIX does not support Policy NAT. Once you enter a Policy NAT on the PIX it disables the Configuration options in the GUI (PDM) interface. So if you are up on your CLI you're going to have fun trying to do further changes to the configuration on the PIX.

Thanks for the input guys!

--chuck


chuckbudreau
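
The Policy NAT posted in #6 is a conditional rewrite: the inside host is translated only when it talks to the remote LAN, so the other tunnels keep seeing the real address. The Python model below is an added example, not part of the thread and not Cisco code; it is a simplified model of the two posted lines, and the peer 172.16.5.10 and the /24 mask on 192.1.1.0 are constructed assumptions.

```python
import ipaddress

# Addresses taken from the configuration posted in the thread.
INSIDE_HOST = ipaddress.ip_address("192.1.1.6")   # real inside address
REMOTE_LAN = ipaddress.ip_network("10.1.1.0/24")  # remote LAN, mask 255.255.255.0
MAPPED_HOST = ipaddress.ip_address("10.1.2.6")    # address the remote LAN sees


def translate_outbound(src, dst):
    """Inside -> outside: rewrite the source only when the flow matches
    the POLICY_NAT access-list (this host talking to the remote LAN)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == INSIDE_HOST and d in REMOTE_LAN:
        return str(MAPPED_HOST), str(d)
    return str(s), str(d)  # all other tunnels keep the real address


def translate_inbound(src, dst):
    """Outside -> inside: a packet from the remote LAN sent to the mapped
    address is delivered to the real inside host."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in REMOTE_LAN and d == MAPPED_HOST:
        return str(s), str(INSIDE_HOST)
    return str(s), str(d)


def mapped_address_is_usable(mapped, remote_routes):
    """The mapped address resolves the conflict only if it lies outside
    every subnet the remote side already routes elsewhere."""
    m = ipaddress.ip_address(mapped)
    return not any(m in ipaddress.ip_network(n) for n in remote_routes)


if __name__ == "__main__":
    # Constructed sample flows; 172.16.5.10 stands in for another VPN peer.
    for flow in [("192.1.1.6", "10.1.1.20"), ("192.1.1.6", "172.16.5.10")]:
        print(flow, "->", translate_outbound(*flow))
    print(translate_inbound("10.1.1.20", "10.1.2.6"))
    # Assumed: the conflicting subnet is 192.1.1.0/24 (mask not given in thread).
    print(mapped_address_is_usable("10.1.2.6", ["192.1.1.0/24"]))
```
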