
List:       vpn
Subject:    [VPN] Re: LAN-to-LAN with Overlapping networks and PAT
From:       Ryan <rage290 () gmail ! com>
Date:       2006-05-28 10:02:13
Message-ID: loom.20060528T110411-361 () post ! gmane ! org

Siddhartha Jain <losttoy2000 <at> yahoo.co.uk> writes:

> 
> Hello,
> 
> I am trying to get a LAN-to-LAN IPSec VPN to work.
> 
> Site A is 10.250.0.0/16
> Site B is 10.0.0.0/8
> 
> On Site A, the inside network accesses the internet by
> being PAT-ted to a pool of four global IP addresses -
> 64.aa.bb.cc/29
> 
> Site B has NAT-ted the hosts to be connected to over
> the VPN with 192.168.40.0/24
> 
> Now my question is that how do I configure Site A
> router wrt to NAT.
> 
> Will it work if I leave the PAT on Site A as it is and
> define my interesting traffic as:
> access-list 190 permit ip 64.aa.bb.cc 0.0.0.8 host
> 192.168.40.1
> 
> The PAT on site A is defined as:
> ip nat pool tcsux 64.aa.bb.c1 64.aa.bb.c4
> prefix-length 29
> ip nat inside source list 163 pool tcsux overload
> 
> On Site B, the interesting traffic would then be
> between 192.168.40.0/24 and 64.aa.bb.cc/29
> 
> Will this work? Of course, I can punch in the config
> and see if it works but unfortunately Site B isn't
> under my command so I need to suggest the config to
> the Site B admin.
> 
> Thanks,
> 
> Siddhartha Jain (CISSP) 
> 
> My Gear: Canon Digital 300D with Canon 18-55mm f/3.5-5.6
>        : Minolta Maxxum 5 with Tamron 28-200mm f/3.8-5.6 Super LD IF
>        : Pentax M42 mount Super-Takumar 50mm f/1.4
>        : Jupiter M42 mount 200mm 21m f4
>        : Mahindra Bolero GLX
> 
> The Bombay Amateur Photographers Club
> http://groups.yahoo.com/group/tbapc/
> 
> Mahindra & Mahindra Jeepers
> http://autos.groups.yahoo.com/group/mmjeeps/
> 
> 

Hi, with a site-to-site tunnel, you need to avoid NAT when communicating with 
the remote peer and remote networks.  Also, you should set up rules to allow 
traffic between the internal nets locally and remote, not external nets.  So, 
you would have an ACL allowing all traffic to go bidirectionally from 
10.250.0.0/16 to 10.0.0.0/8 and 192.168.40.0/24; then just make sure you have 
static routes set up for the remote networks.

The PAT is fine as long as it does not apply to the remote peer gateway or 
remote networks.  All traffic except the needed tunnel traffic should hide 
behind the PAT, so basically all networks except the 10.250.0.0/16 network 
should hide behind the PAT on Site A.

Configuring Site A wrt the NAT:
If you don't have control over the NAT (like with an ISP), you can turn 
on "Enable NAT-T traversal" on Site A.  With this enabled, you will 
have inaccurate monitoring of the Site B interface that's NAT'd.  It will 
report the tunnel is down a lot, when it's still up.  But the tunnel will work 
fine.

I don't believe that leaving the PAT on Site A will work.  For one thing, Site 
A is not going to be able to talk to the 192.168.40.0/24 network until the 
tunnel is built.  And the ACLs/policies are validated first, before Phase 1 
IKE even starts.  So you need to have Site B's public IP, or use the first 
hop (outbound) for Site B.  Make sure the Site B admin is allowing the tunnel 
traffic to pass through the router/gateway that leads to the 192.168.40.0 
network: UDP 500, UDP 4500, TCP 500, TCP 10000, UDP 10000, IP 51, IP 47.

Hope this helps.
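The NAT-exemption layout Ryan describes, as an added example that is not part of this thread: a small model of IOS first-match ACL evaluation shows why the deny entries for the remote networks must sit in NAT list 163 ahead of the PAT permit, so tunnel traffic keeps its 10.250.0.0/16 source and matches a crypto ACL written on private addresses. The PAT address 203.0.113.1 and all sample flows are constructed placeholders, and the inside-to-outside order (NAT, then the crypto check) is assumed as on Cisco IOS.

```python
import ipaddress

PAT_ADDRESS = "203.0.113.1"  # constructed stand-in for Site A's 64.aa.bb.cc pool


def wildcard_match(addr, network, wildcard):
    """IOS-style match: address bits where the wildcard has a 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def acl_lookup(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# NAT ACL 163 as suggested: exempt tunnel traffic first, then PAT the rest.
NAT_ACL_163 = [
    ("deny",   "10.250.0.0", "0.0.255.255", "192.168.40.0", "0.0.0.255"),
    ("deny",   "10.250.0.0", "0.0.255.255", "10.0.0.0",     "0.255.255.255"),
    ("permit", "10.250.0.0", "0.0.255.255", "0.0.0.0",      "255.255.255.255"),
]
# The original PAT list with no exemption: every inside host is translated.
NAT_ACL_NO_EXEMPT = [NAT_ACL_163[2]]
# Crypto ACL 190 on private addresses (interesting traffic for the tunnel).
CRYPTO_ACL_190 = [
    ("permit", "10.250.0.0", "0.0.255.255", "192.168.40.0", "0.0.0.255"),
    ("permit", "10.250.0.0", "0.0.255.255", "10.0.0.0",     "0.255.255.255"),
]


def classify(src, dst, nat_acl=NAT_ACL_163):
    """Return (translated, encrypted) for one inside-to-outside flow.

    NAT is applied before the crypto map is consulted, so when the flow is
    translated the crypto ACL sees the PAT address, not the inside host.
    """
    translated = acl_lookup(nat_acl, src, dst) == "permit"
    crypto_src = PAT_ADDRESS if translated else src
    encrypted = acl_lookup(CRYPTO_ACL_190, crypto_src, dst) == "permit"
    return translated, encrypted


if __name__ == "__main__":
    print(classify("10.250.1.10", "192.168.40.1"))                     # (False, True)
    print(classify("10.250.1.10", "198.51.100.5"))                     # (True, False)
    print(classify("10.250.1.10", "192.168.40.1", NAT_ACL_NO_EXEMPT))  # (True, False)
```

The third call shows the failure mode from the thread: without the exemption, traffic for 192.168.40.0/24 is PAT-ted first and never matches the private-address crypto ACL, so it leaves in the clear.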
