IOS: IPSec between overlapping subnets

Discussion in 'Cisco' started by Oleg Tipisov, Aug 10, 2004.

  1. Oleg Tipisov

    Oleg Tipisov Guest

    Hi!

    I'm trying to configure IPSec between two sites with overlapping
    subnets 192.168.1.0/24. There is a requirement to configure both
    inside and outside static NAT on the same IOS box. Both local and
    remote hosts in overlapping networks should be able to initiate
    connections. This basically means that static NAT needs to be
    configured. Also, PAT should be used for Internet access.

    ip nat inside source list 101 interface FastEthernet0/1 overload
    ip nat inside source static 192.168.1.1 192.168.3.1 route-map nat-map
    ip nat inside source static 192.168.1.2 192.168.3.2 route-map nat-map
    ip nat inside source static 192.168.1.3 192.168.3.3 route-map nat-map
    ip nat inside source static 192.168.1.4 192.168.3.4 route-map nat-map
    ....
    ip nat outside source static network 192.168.1.0 192.168.2.0 /24 extendable
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map nat-map permit 10
    match ip address 100

    This config works. I can ping 192.168.2.x from local LAN hosts and
    192.168.3.x from remote LAN hosts. The problem is that it is not
    feasible to configure 1-1 static NAT statements for all hosts in the
    local LAN - "192.168.1.i 192.168.3.i route-map nat-map" - there are
    too many of them.

    Does anybody know a solution for this problem? Note that static
    (source+destination) NAT is needed for IPSec and PAT for Internet
    access.

    Thx.
     
    Oleg Tipisov, Aug 10, 2004
    #1

  2. Jim

    Jim Guest

    Unless you need an exact match from each side to have the same last octet,
    use a pool.
     
    Jim, Aug 10, 2004
    #2
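    Jim's "use a pool" suggestion worked out against Oleg's configuration, as an added example that is not part of either post (the pool name, its address range, the interface name and the crypto ACL number are assumed):

```cisco
! Added example, not from the thread: pool-based variant of Oleg's NAT config.
! Pool name, range, interface and crypto ACL number are assumed.
!
! One-to-one pool for VPN traffic; replaces the per-host static entries.
ip nat pool VPN-POOL 192.168.3.1 192.168.3.254 netmask 255.255.255.0
!
! VPN traffic (ACL 100) takes a one-to-one address from the pool (no overload).
ip nat inside source list 100 pool VPN-POOL
!
! Everything else (ACL 101 denies the VPN traffic) is PATed for Internet access.
ip nat inside source list 101 interface FastEthernet0/1 overload
!
! The remote overlapping LAN is still presented to local hosts as 192.168.2.0/24.
ip nat outside source static network 192.168.1.0 192.168.2.0 /24 extendable
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! Inside-to-outside NAT runs before encryption on IOS, so the crypto ACL
! (not shown in the thread; assumed here) must match the translated addresses.
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
```

    A dynamic pool entry is only created by a packet from the inside host, so a remote host can reach a 192.168.3.x address only after that translation exists (keep static entries for hosts that must always be reachable from the remote side); `show ip nat translations` shows which entries are currently present.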