VPN with overlapping addresses again

Discussion in 'Cisco' started by Brian P., Jan 16, 2005.

  1. Brian P.

    Brian P. Guest

    Hi again

    I don't think I explained my problem correctly last time I posted in this
    newsgroup.
    So here it is with more details.

    An ISP needs to make VPN tunnels to four Customers, so they can get data
    from a common server placed at the ISP.

    Customers A, B & C are working well, but the new Customer D is using the same
    private Network as the ISP, and will not accept to change their Network.
    Neither will they accept to put some NAT in their Router.

    They already NAT their private Network range to an official Network range.

    The ISP is using a Cisco 1841 Router for the project, but is ready to change
    to a PIX firewall or a VPN 3005 Concentrator if that's what's needed.

    Could any kind person please help me with this scenario?

    I have published the scenario in graphics here:
    http://www.z28.dk/vpn.htm

    The configuration I'm using for now can be found at:
    http://www.z28.dk/conf.htm


    Best regards and thanks


    Brian P.
    Brian P., Jan 16, 2005
    #1

  2. In article <Xns95E06A94BE845nospamthankscom@63.223.5.251>,
    Brian P. <> wrote:
    :I don't think I explained my problem correctly last time I posted in this
    :newsgroup.

    :Customers A, B & C are working well, but the new Customer D is using the same
    :private Network as the ISP, and will not accept to change their Network.
    :Neither will they accept to put some NAT in their Router.

    :I have published the scenario in graphics here:
    :http://www.z28.dk/vpn.htm

    I have looked at your diagrams and re-read your original posting,
    and my answer of the time still stands:

    If you can't get the cooperation of both sides in doing the nat
    then you can do it all on one end by using both
    ip nat inside source -and- ip nat inside destination
    on just one of the two ends.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist
    Walter Roberson, Jan 16, 2005
    #2

  3. Brian P.

    Brian P. Guest

    > -cnrc.gc.ca (Walter Roberson) wrote in
    > news:csde0c$mb3$:
    >
    > If you can't get the cooperation of both sides in doing the nat
    > then you can do it all on one end by using both
    > ip nat inside source -and- ip nat inside destination
    > on just one of the two ends.



    I have already tried that, but it seems that I make some errors with the
    access-lists.
    I can make the NAT work with another Network range through a NAT pool,
    but then it NATs all the other VPN tunnels also.

    So either I can make Customer 4 work and then Customers 1-3 are down,
    or I can make Customers 1-3 work and then Customer 4 is down.


    BR

    Brian P.
    Brian P., Jan 16, 2005
    #3
  4. PES

    PES Guest

    Brian P. wrote:
    > Hi again
    >
    > I don't think I explained my problem correctly last time I posted in this
    > newsgroup.
    > So here it is with more details.
    >
    > An ISP needs to make VPN tunnels to four Customers, so they can get data
    > from a common server placed at the ISP.
    >
    > Customers A, B & C are working well, but the new Customer D is using the same
    > private Network as the ISP, and will not accept to change their Network.
    > Neither will they accept to put some NAT in their Router.
    >
    > They already NAT their private Network range to an official Network range.
    >
    > The ISP is using a Cisco 1841 Router for the project, but is ready to change
    > to a PIX firewall or a VPN 3005 Concentrator if that's what's needed.
    >
    > Could any kind person please help me with this scenario?
    >
    > I have published the scenario in graphics here:
    > http://www.z28.dk/vpn.htm
    >
    > The configuration I'm using for now can be found at:
    > http://www.z28.dk/conf.htm
    >
    >
    > Best regards and thanks
    >
    >
    > Brian P.
    >


    You have a solution that will not scale well. Imagine how much trouble
    this is going to be if you have 400 customers instead of 4. I would at
    least NAT to a public range on your side. If the applications
    needed will work with NAT overload, they (the customers) can continue
    to NAT (simply not do a NAT bypass on the IPsec traffic) on their
    routers and all will be well. The SAs will simply be built between
    public ranges.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
    PES, Jan 16, 2005
    #4
  5. Brian P.

    Brian P. Guest

    > You have a solution that will not scale well. Imagine how much
    > trouble this is going to be if you have 400 customers instead of 4. I
    > would at least NAT to a public range on your side. If the
    > applications needed will work with NAT overload, they (the customers)
    > can continue to NAT (simply not do a NAT bypass on the IPsec traffic)
    > on their routers and all will be well. The SAs will simply be built
    > between public ranges.
    >


    I know that, and the ISP is also going to change to public addresses
    as soon as they can get some.
    But right now it's really a problem for Customer 4, and they can't
    wait for public IP addresses to get the VPN tunnel running.

    Will it help to change to a PIX firewall or a VPN 3005 ?


    BR

    Brian P.
    Brian P., Jan 16, 2005
    #5
  6. In article <Xns95E07AAD5E638nospamthankscom@63.223.5.254>,
    Brian P. <> wrote:
    :> -cnrc.gc.ca (Walter Roberson) wrote in
    :> news:csde0c$mb3$:

    :> If you can't get the cooperation of both sides in doing the nat
    :> then you can do it all on one end by using both
    :> ip nat inside source -and- ip nat inside destination
    :> on just one of the two ends.

    :I have already tried that, but it seems that I make some errors with the
    :access-lists.
    :I can make the NAT work with another Network range through a NAT pool,
    :but then it NATs all the other VPN tunnels also.

    NAT their source IPs into an otherwise unused address range,
    and set up a new NAT translation that matches all traffic to that
    destination range. Other clients will not have source IPs matching
    that IP range, so their IPs will not be translated to the new range,
    and hence return traffic from those other clients will not match
    the new ACL and so will not be translated.

    > [asks whether he should get a PIX or VPN concentrator]


    I believe your existing device should be sufficient -- though
    if for some reason you need the translations to be static
    (e.g., so you can identify particular remote hosts when they
    access your internal service), then I believe you would need
    at least 12.3(4)T. [Unfortunately you happened to cut the version
    number information out of the config you put up.]

    On a PIX, the necessary reverse translation has been supported
    since PIX 6.2, but the ability to do selective forward translation
    was added in 6.3.

    Here is the way it would be done on the PIX:


    : special rules for Customer 4, which is using the same IP range
    : as we are, 172.16.1.x. We jig IPs so that our systems see
    : 172.16.50.x instead of 172.16.1.x when the other side talks to us,
    : and their systems see 172.16.51.x instead of our 172.16.1.x
    : when we transmit to them.

    name 172.16.50.0 net_from_cust4
    name 172.16.51.0 net_to_cust4

    : reverse nat: translate inside traffic addressed to 172.16.50.x
    : into the corresponding 172.16.1.x. Note that this command only
    : translates destination IPs, leaving the source IPs alone,
    : and the source IPs will still be in 172.16.1.x until we adjust
    : for that

    static (outside,inside) net_from_cust4 172.16.1.0 netmask 255.255.255.0 dns 0 0

    : so here we make the adjustment to the source IP range, but
    : only when the traffic is going to Customer 4 (policy static,
    : PIX 6.3 and later). The access-list name given to the static
    : must be the same one the access-list was defined under.

    access-list customer4_nat permit ip 172.16.1.0 255.255.255.0 net_from_cust4 255.255.255.0

    static (inside,outside) net_to_cust4 access-list customer4_nat dns 0 0

    : the PIX translates before it evaluates the crypto map, so the
    : crypto access-list names the translated source (172.16.51.x) and
    : Customer 4's real destination (172.16.1.x), not the pre-NAT pair

    access-list customer4_crypto permit ip net_to_cust4 255.255.255.0 172.16.1.0 255.255.255.0

    crypto map ...
    crypto map ... match address customer4_crypto



    Note: I do not mean to imply that you need a PIX. I just happen to
    have a fair bit of experience with the PIX and little recent hands-on
    experience with IOS, so I am more comfortable in answering in
    terms of PIX commands.
    --
    Take care in opening this message: My grasp on reality may have shaken
    loose during transmission!
    Walter Roberson, Jan 16, 2005
    #6
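    The same twice-NAT arrangement written for the IOS router Brian actually has (the 1841), as an added example; it is not part of Walter's or Brian's posts. The jigged ranges 172.16.50.0/24 (Customer 4 as we see them) and 172.16.51.0/24 (us as Customer 4 sees us) are taken from the PIX example above; the interface names, the 198.51.100.x and 203.0.113.x public addresses, the Customer 1 LAN 10.1.0.0/24, the crypto map and transform-set names, and the ISAKMP policy and pre-shared keys that are left out are all assumptions. Whether `route-map` is accepted on a `static network` translation, and whether the reverse entry is created for a session Customer 4 initiates, depend on the IOS release (Walter's 12.3(4)T remark), so verify on the box.

```cisco
! Added example (not from the thread): selective twice-NAT on an IOS router
! for Customer 4, whose LAN 172.16.1.0/24 is the same as ours.
! Assumptions: our LAN 172.16.1.0/24 on FastEthernet0/0, Internet on
! FastEthernet0/1, Customer 4 peer 203.0.113.4, Customer 1 peer 203.0.113.1
! with LAN 10.1.0.0/24. ISAKMP policy and pre-shared keys are not shown.
!
! Our hosts talk to Customer 4 as 172.16.50.x; Customer 4 sees us as 172.16.51.x.
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
! Only traffic from our LAN toward the jigged Customer 4 range is rewritten.
! Packets toward Customers 1-3 do not match and keep their 172.16.1.x source,
! which is what went wrong with a plain NAT pool applied to everything.
ip access-list extended NAT_TO_CUST4
 permit ip 172.16.1.0 0.0.0.255 172.16.50.0 0.0.0.255
!
route-map RM_CUST4 permit 10
 match ip address NAT_TO_CUST4
!
! inside source: our 172.16.1.x becomes 172.16.51.x, but only when the
! route-map matches (release-dependent: route-map on a static network entry).
ip nat inside source static network 172.16.1.0 172.16.51.0 /24 route-map RM_CUST4
!
! outside source: Customer 4's real 172.16.1.x becomes 172.16.50.x as it
! arrives through the tunnel; add-route installs 172.16.50.0/24 toward the
! outside so our replies are routed back. Customers 1-3 never source from
! 172.16.1.0/24, so this entry does not touch them.
ip nat outside source static network 172.16.1.0 172.16.50.0 /24 add-route
!
! IOS translates inside-to-outside traffic before it checks the crypto map,
! so the crypto ACL names the translated source and Customer 4's real LAN.
! Customer 4's own crypto ACL must mirror it: 172.16.1.0/24 -> 172.16.51.0/24.
ip access-list extended CRYPTO_CUST4
 permit ip 172.16.51.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! Existing customers keep their untranslated ACLs, e.g. Customer 1.
ip access-list extended CRYPTO_CUST1
 permit ip 172.16.1.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address CRYPTO_CUST1
!
crypto map VPNMAP 40 ipsec-isakmp
 set peer 203.0.113.4
 set transform-set ESP-3DES-SHA
 match address CRYPTO_CUST4
```

    To check it, send traffic from a 172.16.1.x host to a 172.16.50.x address and look at `show ip nat translations` (you should see 172.16.1.x/172.16.51.x on the inside side and 172.16.50.x/172.16.1.x on the outside side) and `show crypto ipsec sa` for the 203.0.113.4 peer, whose local identity should read 172.16.51.0/255.255.255.0. Traffic to Customers 1-3 should show no translation at all.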
