Re: VPN Overlapping issue from Piotr Matusiak on 2009-10-07 (Ccielab archives 10/2009)

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Wed, 7 Oct 2009 10:32:28 +0200

Hi,

For example on ASA:
static (inside,outside) 172.16.1.0 10.2.2.0 netmask 255.255.255.0

ACL for crypto should use translated Ip addresses IMO.

This is just a thought, I do not have PIX/ASA in front of me right now
so I can't check this.

btw: my name is Piotr :)

2009/10/7 manoj prajapati <manoj4784_at_gmail.com>:
> Hi Matusiak,
>
> You mean to say static NAT with 10.2.2.0 --- 172.16.1.1(different
> subnet) ??
> where we need to do ?? on cust1,cust2 or cust3 ?
>
> after applying the static nat (inside, outside). so wat will be the ACL
> entry ??
> can you please describe in brief.
>
> Regards,
> Manoj
>
> On Wed, Oct 7, 2009 at 1:25 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
>> Hi,
>>
>> Is there any NAT along in the path?
>> I think you should perform static NAT on PIX or ASA for all hosts in
>> 10.2.2.0 network. Then CheckPoint will see different IP addresses from
>> one direction and there will be no conflict anymore.
>>
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, SEC)
>>
>>
>> 2009/10/7 manoj prajapati <manoj4784_at_gmail.com>:
>> > Dear Techie,
>> >
>> > Having a doubts in Site to site VPN,
>> >
>> > I have 3 customer, cust1--- cust2 ---- cust3,
>> >
>> > the private ip address is ,
>> > Cust1 ---- 10.2.2.0 (PIX)
>> > Cust2 ---- 10.10.10.0 (Checkpoing Nokia)
>> > Cust3 ---- 10.2.2.0 (ASA)
>> >
>> > connectivity is Cust1 ---- Cust2 ---- Cust3
>> > | | |
>> > 10.2.2.0 10.10.10.0 10.2.2.0
>> >
>> > I want to achive a site to site VPN tunnel between Cust1 -- Cust2 & also
>> > Cust2 -- Cust3 . But, here the cust1 and cust3 having a same private ip
>> > address range. So, when establishing a VPN tunnel in Cust2 with cust2 to
>> > cust1 & cust2 to cust 3, there will be a confict between the 10.2.2.0
>> > series range.
>> >
>> > I know that there is an overlapping network. have seen the cisco site as
>> > well
>> >
>> >
>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
>> >
>> > But this is somewhat different scenario as i understand.
>> >
>> > Can anyone help me to resolve the issue.
>> > Thanx
>> >
>> > Regards,
>> > Manoj
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Blogs and organic groups at http://www.ccie.net

Received on Wed Oct 07 2009 - 10:32:28 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART