LAN-to-LAN VPN with Overlapping Network Addresses

One of the problems that can be encountered when two firms merge, business partnerships form, or a business extends its network to a vendor is the possibility of overlapping (duplicated) private IP addresses. This section looks at how to configure a VPN Concentrator in a LAN-to-LAN IPSec VPN with overlapping network addresses. The VPN 3000 Concentrator version 3.6 software introduced the enhanced NAT feature that can translate the overlapping networks on each side of the IPSec VPN tunnel.

Figure 16-15 shows the example scenario. The addresses within the clouds are the local addresses, while the addresses below the clouds represent the new translated addresses. Because dynamic NAT and PAT implementations are only usable for outgoing connections, the translations have to be static so that hosts on each network can send traffic into the other network.

Figure 16-15: Overlapping network address scenario

Use the following steps to configure the VPN 3000 Concentrator for the Main Office:

  1. Use the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add screen to configure the LAN-to-LAN session parameters for a LAN-to-LAN VPN. Figure 16-16 shows the Local and Remote Network fields. In the Local Network section, enter 192.168.240.0 in the IP Address field and enter 0.0.0.255 in the Wildcard Mask field. In the Remote Network section, enter 192.168.250.0 in the IP Address field and enter 0.0.0.255 in the Wildcard Mask field. Click on Apply when finished. The Vendor Concentrator would be a mirror image of these entries.

  2. Use the Configuration | Policy Management | Traffic Management | NAT | LAN-to-LAN Rules | Modify screen, as shown in Figure 16-17, to define the static NAT translations for the Main Office LAN. Check the Static option button in the NAT Type section. Make the following entries at the bottom of the window, and then click Apply.

    Figure 16-16: Configuring the local and remote networks

    Figure 16-17: Defining the translations

                    Source Network   Translated Network   Remote Network
    IP Address      192.168.0.0      192.168.240.0        192.168.250.0
    Wildcard Mask   0.0.0.255        0.0.0.255            0.0.0.255

  3. The Vendor Concentrator entries would look like this:

                    Source Network   Translated Network   Remote Network
    IP Address      192.168.0.0      192.168.250.0        192.168.240.0
    Wildcard Mask   0.0.0.255        0.0.0.255            0.0.0.255

  4. Use the Configuration | Policy Management | Traffic Management | NAT | Enable screen, as shown in Figure 16-18, to enable the NAT. Check the LAN-to-LAN Tunnel NAT Rule Enabled check box, and then click Apply. The Vendor Concentrator entry would be the same.

    Figure 16-18: LAN-to-LAN Tunnel NAT Rule enabled
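The four steps above are entered through the Concentrator's web interface, so it is easy to lose track of which address a packet carries at each point in the tunnel. The following is an added example, not Concentrator software or Cisco code: a small Python model of the two LAN-to-LAN NAT rules and the two session definitions from the steps above, which traces a request from a Main Office host to a Vendor host and the reply back, and runs the sanity checks a practitioner wants before enabling the rules (the translated ranges are distinct, neither overlaps its real LAN, and each side's Remote Network mirrors the peer's Translated Network). The host addresses 192.168.0.10 and 192.168.0.20 are constructed for the trace; the Main Office host must address the Vendor host by its translated 192.168.250.x name, because 192.168.0.20 also exists on the Main Office LAN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Added example (not Concentrator code): a model of the static LAN-to-LAN
# NAT rules and session definitions from the configuration steps above.
# Host addresses used in the trace are constructed.


def _int(a: str) -> int:
    return int(IPv4Address(a))


def _matches(ip: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    keep = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(ip) & keep) == (_int(net) & keep)


def _rewrite(ip: str, new_net: str, wildcard: str) -> str:
    """Static 1:1 rewrite: network bits come from new_net, host bits from ip."""
    wc = _int(wildcard)
    return str(IPv4Address((_int(new_net) & ~wc & 0xFFFFFFFF) | (_int(ip) & wc)))


@dataclass(frozen=True)
class L2LNatRule:
    source_net: str      # the real local LAN
    translated_net: str  # how the local LAN appears inside the tunnel
    remote_net: str      # the peer's translated LAN
    wildcard: str

    def outbound(self, src: str, dst: str):
        """Local LAN -> tunnel: translate the source when the rule applies."""
        if _matches(src, self.source_net, self.wildcard) and _matches(dst, self.remote_net, self.wildcard):
            return _rewrite(src, self.translated_net, self.wildcard), dst
        return src, dst

    def inbound(self, src: str, dst: str):
        """Tunnel -> local LAN: undo the translation on the destination."""
        if _matches(dst, self.translated_net, self.wildcard) and _matches(src, self.remote_net, self.wildcard):
            return src, _rewrite(dst, self.source_net, self.wildcard)
        return src, dst


@dataclass(frozen=True)
class L2LSession:
    local_net: str
    remote_net: str
    wildcard: str

    def protects(self, src: str, dst: str) -> bool:
        """True if the session's Local/Remote Network fields cover this packet."""
        return _matches(src, self.local_net, self.wildcard) and _matches(dst, self.remote_net, self.wildcard)


# Values from steps 1 through 3 above.
MAIN_RULE = L2LNatRule("192.168.0.0", "192.168.240.0", "192.168.250.0", "0.0.0.255")
VENDOR_RULE = L2LNatRule("192.168.0.0", "192.168.250.0", "192.168.240.0", "0.0.0.255")
MAIN_SESSION = L2LSession("192.168.240.0", "192.168.250.0", "0.0.0.255")
VENDOR_SESSION = L2LSession("192.168.250.0", "192.168.240.0", "0.0.0.255")


def trace_round_trip(main_host: str, vendor_host_as_seen: str) -> dict:
    """Follow a request from a Main Office host to a Vendor host (addressed by
    its translated 192.168.250.x name) and the reply back; return each hop."""
    hops = {}
    pkt = MAIN_RULE.outbound(main_host, vendor_host_as_seen)
    hops["main_into_tunnel"] = pkt
    hops["main_encrypts"] = MAIN_SESSION.protects(*pkt)   # matches the crypto policy?
    pkt = VENDOR_RULE.inbound(*pkt)
    hops["vendor_delivers"] = pkt                          # what the Vendor host sees
    reply = VENDOR_RULE.outbound(pkt[1], pkt[0])
    hops["vendor_into_tunnel"] = reply
    hops["vendor_encrypts"] = VENDOR_SESSION.protects(*reply)
    hops["main_delivers"] = MAIN_RULE.inbound(*reply)      # what the Main host sees
    return hops


def plan_problems(main: L2LNatRule, vendor: L2LNatRule) -> list:
    """Checks to run before enabling the rules in step 4."""
    def net(n: str, wc: str) -> IPv4Network:
        return IPv4Network(f"{n}/{wc}")  # ipaddress accepts a host (wildcard) mask
    problems = []
    m_t = net(main.translated_net, main.wildcard)
    v_t = net(vendor.translated_net, vendor.wildcard)
    if m_t.overlaps(v_t):
        problems.append("translated networks overlap each other")
    for label, rule, t in (("main", main, m_t), ("vendor", vendor, v_t)):
        if t.overlaps(net(rule.source_net, rule.wildcard)):
            problems.append(f"{label}: translated network overlaps its real LAN")
    if main.remote_net != vendor.translated_net or vendor.remote_net != main.translated_net:
        problems.append("remote networks do not mirror the peer's translated network")
    return problems


if __name__ == "__main__":
    for hop, value in trace_round_trip("192.168.0.10", "192.168.250.20").items():
        print(f"{hop:20} {value}")
    print("problems:", plan_problems(MAIN_RULE, VENDOR_RULE) or "none")
```

Running the trace shows the property the static rules are meant to provide: inside the tunnel the packet carries only 192.168.240.x and 192.168.250.x addresses, so it matches the Local and Remote Network fields from step 1 and gets encrypted, while each LAN continues to use its own 192.168.0.x addresses for its local hosts. Traffic between two Main Office hosts never matches the rule's Remote Network and is left untouched.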
