Dynamic Outside NAT

Hi,

Any help on this would be appreciated.

If I want to implement dynamic outside NAT but my 2 x outside sites have the same IP ranges, is there a workaround?

--------Site 1 ---192.168.1.X Central Site (inside)----PIX---(outside) say 10.1.0.1 /24 --------Site 2 ---192.168.1.X

I have seen examples where outside NAT allows me to translate addresses to a suitable address range on the inside. But what happens if the 2 x remote sites have the same IP ranges (NB the above remote IP ranges belong to different companies)?

Can't see an example on Cisco.com but still searching.

How could I distinguish between the 2?

Regards

Darren

Darren Green

Assuming you want to establish a VPN with both sites, you can always do double policy NATing. I got it to work in the lab, but didn't go further. There is the problem that each site sees the central inside subnet with different IPs, which was a problem in my case.

Central Site translation

  access-list Site1 permit ip [Central Inside real subnet] [Site1 translated subnet]
  access-list Site2 permit ip [Central Inside real subnet] [Site2 translated subnet]
  static (inside,outside) [Central translated subnet for site1] access-list Site1 0 0
  static (inside,outside) [Central translated subnet for site2] access-list Site2 0 0

Sites translations

  access-list b-Site1 permit ip [Site1 Real subnet] [Central translated subnet for site1]
  access-list b-Site2 permit ip [Site2 Real subnet] [Central translated subnet for site2]
  static (outside,inside) [Site1 translated subnet] access-list b-Site1 0 0
  static (outside,inside) [Site2 translated subnet] access-list b-Site2 0 0

Crypto ACLs

  access-list Map1 permit ip [Central translated subnet for site1] [Site1 Real subnet]
  access-list Map2 permit ip [Central translated subnet for site2] [Site2 Real subnet]

  crypto map xxxxx 10 ipsec-isakmp
  crypto map xxxxx 10 match address Map1
  crypto map xxxxx 10 set peer x.x.x.x
  crypto map xxxxx 10 set transform-set xxxxxx
  crypto map xxxxx 11 ipsec-isakmp
  crypto map xxxxx 11 match address Map2
  crypto map xxxxx 11 set peer x.x.x.x
  crypto map xxxxx 11 set transform-set xxxxxx
  crypto map xxxxx interface outside

This way, when the central site calls a site using the site's translated address, the site will see the packet coming from the central translated addresses for this specific site.

This way you can have crypto maps that are mirror images, without any IP conflicts.

But as you may have seen in my other post "VRF aware IPSEC", I am investigating other ways to resolve those kinds of issues.

mcaissie
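The double policy NAT scheme from the reply above, traced as an added example (this is not code from the thread, and it is a model of the PIX behaviour, not PIX configuration). The address plan is constructed for the example: central inside 10.10.10.0/24, both remote sites really 192.168.1.0/24, Site1 and Site2 seen from the central site as 172.16.1.0/24 and 172.16.2.0/24, and the central site seen from Site1 and Site2 as 172.17.1.0/24 and 172.17.2.0/24. Each `PolicyStatic` stands for one `static ... access-list ...` line; the names Site1/Site2/b-Site1/b-Site2/Map1/Map2 follow the post, the peer labels are placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumed for the example, not from the thread).
CENTRAL_REAL = ipaddress.ip_network("10.10.10.0/24")     # central inside real subnet
SITE_REAL = ipaddress.ip_network("192.168.1.0/24")       # both remote sites, overlapping
SITE1_XLATE = ipaddress.ip_network("172.16.1.0/24")      # Site1 as seen by the central site
SITE2_XLATE = ipaddress.ip_network("172.16.2.0/24")      # Site2 as seen by the central site
CENTRAL_XLATE_S1 = ipaddress.ip_network("172.17.1.0/24") # central as seen by Site1
CENTRAL_XLATE_S2 = ipaddress.ip_network("172.17.2.0/24") # central as seen by Site2


@dataclass(frozen=True)
class PolicyStatic:
    """One 'static (real_if,mapped_if) <mapped> access-list <acl> 0 0' entry.

    The policy ACL is 'permit ip <real> <acl_dst>': the real subnet is the
    source, acl_dst is the destination as the real host addresses it.
    """
    name: str
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    acl_dst: ipaddress.IPv4Network


def _rehost(addr, from_net, to_net):
    """Keep the host part, swap the subnet (subnet-to-subnet static)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def translate_source(src, dst, statics):
    """Forward direction of a static: the ACL destination picks the entry,
    which is what disambiguates two sites that share 192.168.1.0/24."""
    for s in statics:
        if src in s.real and dst in s.acl_dst:
            return _rehost(src, s.real, s.mapped), s.name
    return src, None


def untranslate_destination(dst, statics):
    """Reverse direction: a destination in a mapped subnet becomes the real host.
    The mapped subnets are distinct, so no ACL is needed here."""
    for s in statics:
        if dst in s.mapped:
            return _rehost(dst, s.mapped, s.real), s.name
    return dst, None


# static (inside,outside) ... access-list Site1 / Site2
INSIDE_STATICS = [
    PolicyStatic("Site1", CENTRAL_REAL, CENTRAL_XLATE_S1, acl_dst=SITE1_XLATE),
    PolicyStatic("Site2", CENTRAL_REAL, CENTRAL_XLATE_S2, acl_dst=SITE2_XLATE),
]
# static (outside,inside) ... access-list b-Site1 / b-Site2
OUTSIDE_STATICS = [
    PolicyStatic("b-Site1", SITE_REAL, SITE1_XLATE, acl_dst=CENTRAL_XLATE_S1),
    PolicyStatic("b-Site2", SITE_REAL, SITE2_XLATE, acl_dst=CENTRAL_XLATE_S2),
]
# Crypto ACLs Map1 / Map2, evaluated on post-NAT addresses; peers are placeholders.
CRYPTO_MAPS = [
    ("Map1", CENTRAL_XLATE_S1, SITE_REAL, "site1-peer"),
    ("Map2", CENTRAL_XLATE_S2, SITE_REAL, "site2-peer"),
]


def select_crypto_map(src, dst):
    """Mirror-image crypto ACLs: the two maps differ only by the central
    translated source subnet, so overlapping remote subnets do not collide."""
    for name, src_net, dst_net, peer in CRYPTO_MAPS:
        if src in src_net and dst in dst_net:
            return peer
    return None


def central_to_site(src, dst):
    """Packet leaving the central inside interface toward a site's translated address."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_src, _ = translate_source(src, dst, INSIDE_STATICS)
    new_dst, _ = untranslate_destination(dst, OUTSIDE_STATICS)
    return str(new_src), str(new_dst), select_crypto_map(new_src, new_dst)


def site_to_central(src, dst):
    """Decrypted packet arriving on outside from a site, addressed to the
    central translated subnet for that site."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_src, _ = translate_source(src, dst, OUTSIDE_STATICS)
    new_dst, _ = untranslate_destination(dst, INSIDE_STATICS)
    return str(new_src), str(new_dst)


if __name__ == "__main__":
    # Same remote host address at both sites, yet each reaches a different tunnel.
    print(central_to_site("10.10.10.5", "172.16.1.20"))
    print(central_to_site("10.10.10.5", "172.16.2.20"))
    print(site_to_central("192.168.1.20", "172.17.2.5"))
```

Running it shows the point of the reply: the central host 10.10.10.5 reaches 192.168.1.20 at either site by choosing 172.16.1.20 or 172.16.2.20, and each site sees the central host as 172.17.1.5 or 172.17.2.5 respectively. On the return path the destination (172.17.1.x versus 172.17.2.x) is what lets the `b-Site1`/`b-Site2` ACLs tell the two identical 192.168.1.0/24 sources apart.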
