One of the problems that can be encountered when two firms merge, business partnerships form, or a business extends its network to a vendor is the possibility of overlapping (duplicated) private IP addresses. This section looks at how to configure a VPN Concentrator in a LAN-to-LAN IPSec VPN with overlapping network addresses. The VPN 3000 Concentrator version 3.6 software introduced the enhanced NAT feature that can translate the overlapping networks on each side of the IPSec VPN tunnel.
Figure 16-15 shows the example scenario. The addresses within the clouds are the local addresses, while the addresses below the clouds represent the new translated addresses. Because dynamic NAT and PAT translations can be used only for outgoing connections, the translations here must be static so that the hosts on each network can send traffic into the other network.
Use the following steps to configure the VPN 3000 Concentrator for the Main Office:
Use the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen to configure the session parameters for the LAN-to-LAN VPN. Figure 16-16 shows the Local and Remote Network fields. In the Local Network section, enter 192.168.240.0 in the IP Address field and 0.0.0.255 in the Wildcard Mask field. In the Remote Network section, enter 192.168.250.0 in the IP Address field and 0.0.0.255 in the Wildcard Mask field. Click Apply when finished. The Vendor Concentrator would be a mirror image of these entries.
Use the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Modify screen, as shown in Figure 16-17, to define the static NAT translations for the Main Office LAN. Check the Static option button in the NAT Type section. Make the following entries at the bottom of the window, and then click Apply.
Figure 16-16: Configuring the local and remote networks
Figure 16-17: Defining the translations
                  Source Network    Translated Network    Remote Network
IP Address        192.168.0.0       192.168.240.0         192.168.250.0
Wildcard Mask     0.0.0.255         0.0.0.255             0.0.0.255
The Vendor Concentrator entries would look like this:
                  Source Network    Translated Network    Remote Network
IP Address        192.168.0.0       192.168.250.0         192.168.240.0
Wildcard Mask     0.0.0.255         0.0.0.255             0.0.0.255
Use the Configuration | Policy Management | Traffic Management | NAT | Enable screen, as shown in Figure 16-18, to enable NAT. Check the LAN-to-LAN Tunnel NAT Rule Enabled check box and click Apply. The Vendor Concentrator entry would be the same.
Figure 16-18: LAN-to-LAN Tunnel NAT Rule enabled
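The following added example (not Cisco code, and not from the original text) models the address handling the two rule tables above produce: it maps the Cisco wildcard masks to prefixes, applies the one-to-one static translation on the sending Concentrator and the reverse translation on the receiving one, and checks that the two rule sets mirror each other so the tunnel's Local and Remote Network entries line up. The rule dictionaries and the host addresses 192.168.0.10 and 192.168.0.20 are constructed for illustration.

```python
import ipaddress

# LAN-to-LAN NAT rules as entered on the two Concentrators (constructed from the
# tables above). Cisco wildcard masks: 0 bits must match, so 0.0.0.255 is a /24.
MAIN_OFFICE = {"source": "192.168.0.0", "translated": "192.168.240.0",
               "remote": "192.168.250.0", "wildcard": "0.0.0.255"}
VENDOR = {"source": "192.168.0.0", "translated": "192.168.250.0",
          "remote": "192.168.240.0", "wildcard": "0.0.0.255"}


def wildcard_to_network(addr, wildcard):
    """Convert an address plus a contiguous wildcard mask to an IPv4Network."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def static_translate(ip, from_addr, to_addr, wildcard):
    """One-to-one static NAT: swap the network bits, keep the host bits."""
    src_net = wildcard_to_network(from_addr, wildcard)
    dst_net = wildcard_to_network(to_addr, wildcard)
    ip = ipaddress.IPv4Address(ip)
    if ip not in src_net:
        return str(ip)  # rule does not match; address passes unchanged
    offset = int(ip) - int(src_net.network_address)
    return str(ipaddress.IPv4Address(int(dst_net.network_address) + offset))


def send_through_tunnel(src_ip, dst_ip, sender, receiver):
    """Model a packet from a host behind `sender` to a host behind `receiver`.

    Returns (addresses as carried in the tunnel, addresses the receiving host sees).
    """
    # Outbound on the sender: real source network -> its Translated Network.
    on_tunnel = (static_translate(src_ip, sender["source"], sender["translated"],
                                  sender["wildcard"]), dst_ip)
    # Inbound on the receiver: its Translated Network -> its real source network.
    delivered = (on_tunnel[0],
                 static_translate(on_tunnel[1], receiver["translated"],
                                  receiver["source"], receiver["wildcard"]))
    return on_tunnel, delivered


def rules_mirror(a, b):
    """Each side's Remote Network must equal the other side's Translated Network."""
    return (a["translated"] == b["remote"] and b["translated"] == a["remote"]
            and a["wildcard"] == b["wildcard"])
```

Running `send_through_tunnel("192.168.0.10", "192.168.250.20", MAIN_OFFICE, VENDOR)` shows why the LAN-to-LAN screen carries the translated networks: only 192.168.240.x and 192.168.250.x addresses ever appear inside the tunnel, so the overlapping 192.168.0.0/24 prefixes never meet.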