site-2-site VPN

Discussion in 'Cisco' started by ALeu, Apr 9, 2009.

  1. ALeu (Guest)

    Hi everybody,

    I was asking about the S2S VPN lately, but have a bit different question
    now. What are the industry standards / best practices to securely
    connect two company branches? I was thinking of a VPN connection, but it
    does not allow one to connect two identical subnets e.g. 10.11.12.0/24
    with 10.11.12.0/24. Is there a way to connect two offices via VPN and
    reduce or eliminate the possibility of subnet overlap?

    Thanks,
    AL
     
    ALeu, Apr 9, 2009
    #1

  2. Uli Link (Guest)

    ALeu wrote:

    > I was asking about the S2S VPN lately, but have a bit different question
    > now. What are the industry standards / best practices to securely
    > connect two company branches? I was thinking of a VPN connection, but it
    > does not allow one to connect two identical subnets e.g. 10.11.12.0/24
    > with 10.11.12.0/24. Is there a way to connect two offices via VPN and
    > reduce or eliminate the possibility of subnet overlap?


    If you have the same subnet remote and local, it's hard to find a simple
    logic for any router to decide where a packet should go to, so you must
    NAT both subnets to different subnets outside, with all possible side
    effects on protocols that don't like NAT.
    No matter if tunneled through a VPN, a leased line or dialup connection.

    Only pure IPsec with the old crypto map syntax is kind of restricted.

    If you set up GRE tunnel interfaces with IPsec protection, you have
    routable interfaces which can also be ip nat inside or ip nat outside.

    --
    ULi
     
    Uli Link, Apr 10, 2009
    #2

  3. Stephen (Guest)

    On Thu, 09 Apr 2009 18:49:41 -0400, ALeu <> wrote:

    >Hi everybody,
    >
    >I was asking about the S2S VPN lately, but have a bit different question
    >now. What are the industry standards / best practices to securely
    >connect two company branches? I was thinking of a VPN connection, but it
    >does not allow one to connect two identical subnets e.g. 10.11.12.0/24
    >with 10.11.12.0/24. Is there a way to connect two offices via VPN and
    >reduce or eliminate the possibility of subnet overlap?


    you can bridge between the 2 sites, and maybe you can get that to work
    over a VPN.

    However - the real fix is to readdress 1 site.
    Badly set up addressing is going to cause you all sorts of problems
    down the line, so fix it now rather than try to patch up the side
    effects.

    >
    >Thanks,
    >AL

    --
    Regards

    - replace xyz with ntl
     
    Stephen, Apr 10, 2009
    #3
  4. tweety (Guest)

    On Apr 10, 11:41 am, Stephen <> wrote:
    > On Thu, 09 Apr 2009 18:49:41 -0400, ALeu <> wrote:
    > >Hi everybody,
    > >
    > >I was asking about the S2S VPN lately, but have a bit different question
    > >now. What are the industry standards / best practices to securely
    > >connect two company branches? I was thinking of a VPN connection, but it
    > >does not allow one to connect two identical subnets e.g. 10.11.12.0/24
    > >with 10.11.12.0/24. Is there a way to connect two offices via VPN and
    > >reduce or eliminate the possibility of subnet overlap?
    >
    > you can bridge between the 2 sites, and maybe you can get that to work
    > over a VPN.
    >
    > However - the real fix is to readdress 1 site.
    > Badly set up addressing is going to cause you all sorts of problems
    > down the line, so fix it now rather than try to patch up the side
    > effects.
    >
    > >Thanks,
    > >AL
    >
    > --
    > Regards
    >
    > - replace xyz with ntl

    Site A address 10.10.10.0/24, Server A 10.10.10.10; Site B 1.10.10.0/24.

    Could use DNS: when a host at site B sends traffic to Server A at site
    A, the name server directs traffic to 172.21.1.10 via DNS. This then
    crosses the IPsec VPN; on arrival, a network NAT statement translating
    the 172.21.1.0/24 range to 10.10.10.0/24 will then let it hit the
    server at 10.10.10.10.
     
    tweety, Apr 18, 2009
    #4
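The following is an added, constructed Cisco IOS configuration illustrating what Uli Link and tweety describe above (GRE tunnel interfaces protected by IPsec, with each site's overlapping LAN statically translated to a distinct range before it enters the tunnel, and the remote site's DNS/host entries pointing at the translated address). It is not configuration posted by anyone in the thread. Hostnames, the WAN addresses (198.51.100.1 and 203.0.113.1, documentation ranges), the translated ranges 172.16.1.0/24 and 172.16.2.0/24, the tunnel /30, the pre-shared key placeholder, and the host name server-a.example.net are all assumptions chosen for the example; both LANs are 10.11.12.0/24 as in the original question.

```cisco
! ===== Site A router (constructed example, not from the thread) =====
! Each side translates ONLY its own LAN. Site A's 10.11.12.0/24 is seen by
! Site B as 172.16.1.0/24; Site B's LAN is seen by Site A as 172.16.2.0/24.
! Packets inside the tunnel therefore never carry the overlapping prefix.
hostname SITE-A
!
! IKE phase 1 (pre-shared key; replace the placeholder with a real secret)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
!
! IPsec transform set; transport mode is sufficient because GRE supplies
! the outer IP header
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set TS-AES
!
! Routable GRE interface, protected by IPsec, marked as the NAT outside side
interface Tunnel0
 description GRE to Site B, IPsec protected
 ip address 172.16.0.1 255.255.255.252
 ip nat outside
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! Local LAN: the prefix that collides with Site B
interface GigabitEthernet0/0
 description LAN 10.11.12.0/24 (same prefix as Site B)
 ip address 10.11.12.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN
 ip address 198.51.100.1 255.255.255.252
!
! 1:1 translation of the whole LAN: host 10.11.12.x <-> 172.16.1.x
ip nat inside source static network 10.11.12.0 172.16.1.0 /24
!
! Site B's translated range is reached through the tunnel; Site A hosts
! address Site B hosts as 172.16.2.x, never as 10.11.12.x
ip route 172.16.2.0 255.255.255.0 Tunnel0
!
! Router host-table entry for a Site B server (the site DNS server must
! hold the same mapping so clients resolve to the translated address)
ip host server-b.example.net 172.16.2.10
!
! ===== Site B router: mirror image, only the differences shown =====
hostname SITE-B
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
!
! Site B's LAN is presented to Site A as 172.16.2.0/24
ip nat inside source static network 10.11.12.0 172.16.2.0 /24
ip route 172.16.1.0 255.255.255.0 Tunnel0
! Site B clients reach Server A (really 10.11.12.10) by its translated name
ip host server-a.example.net 172.16.1.10
```

Trace of one flow: host 10.11.12.50 at Site A sends to server-a's counterpart at Site B, 172.16.2.60. SITE-A rewrites the source to 172.16.1.50 and forwards via Tunnel0; SITE-B receives 172.16.1.50 -> 172.16.2.60 on its NAT outside interface, rewrites the destination to 10.11.12.60, and the reply follows the reverse path. Because translation happens only on each router's own inside interface, neither side ever has to route a packet whose destination prefix also exists locally, which is the ambiguity Uli Link describes. The caveats from the thread still apply: protocols that embed IP addresses in their payload may break behind this NAT, and readdressing one site, as Stephen recommends, removes the translation layer entirely.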
