Tunnel Interface (Route-Based) VPN with overlapping subnets
MichaelB
Newbie ✭
I'm looking for a KB article on Tunnel Interface (Route-Based) VPN with overlapping subnet(s). I can find it for Site-to-Site IPsec but not for Tunnel Interface.
Secondly, for Tunnel Interface VPN with multiple remote sites whose subnets overlap.
Category: Entry Level Firewalls
0
Answers
@MichaelB, for the Tunnel Interface you have more control, as you can use ranges in the routes. It would be best to check with the other sites which part of the subnets they actually use: do they truly overlap, or are they just using the same subnet? For example, if you have a local 10.0.0.0/8 and the remote site also has a 10.0.0.0/8, but you are only using 10.1.0.1 - 10.3.255.254 on your side while the remote side is using 10.0.1.1 - 10.0.10.254, then you can avoid the overlap by only putting a route for the VPN saying the range 10.0.1.1 - 10.0.10.254 goes across the tunnel, then obviously do the opposite on the remote device at the other end of the VPN.
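The check this answer recommends, as an added example that is not part of the post: given the address ranges each side actually uses (the figures from the answer above), decide whether the in-use ranges truly collide, and if not, compute what to route into the tunnel interface. It prefers one aggregate route for the remote range and falls back to the exact prefix list only when the aggregate would swallow local addresses. The function names and the extra test ranges are assumptions for illustration.

```python
"""Work out which remote prefixes to route into a tunnel interface when both
sites sit in the same supernet (10.0.0.0/8 here) but use disjoint pieces of it.
Added example, not from the forum post; the ranges come from the answer above."""
import ipaddress


def exact_prefixes(first, last):
    """Exact CIDR cover of an inclusive address range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covering_prefix(first, last):
    """Smallest single CIDR block that contains the whole range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    block = ipaddress.ip_network(f"{lo}/32")
    while hi not in block:
        block = block.supernet()
    return block


def true_overlap(local_used, remote_used):
    """True if the addresses actually in use collide.

    In that case no route selection helps: the traffic needs NAT across the
    tunnel (see the double-NAT answer further down)."""
    local = exact_prefixes(*local_used)
    return any(r.overlaps(l)
               for r in exact_prefixes(*remote_used) for l in local)


def tunnel_routes(local_used, remote_used):
    """Prefixes the local firewall should route into the tunnel interface.

    Each argument is an inclusive (first, last) pair of the addresses that
    side really uses. Call it with the arguments swapped on the remote side."""
    if true_overlap(local_used, remote_used):
        raise ValueError("in-use ranges really overlap: use NAT over the tunnel")
    local = exact_prefixes(*local_used)
    cover = covering_prefix(*remote_used)
    # One aggregate route is easiest to manage, but only if it does not
    # also cover local addresses; otherwise fall back to the exact list.
    if not any(cover.overlaps(l) for l in local):
        return [cover]
    return exact_prefixes(*remote_used)


if __name__ == "__main__":
    # Figures from the answer: same /8 on both sides, disjoint in-use ranges.
    local = ("10.1.0.1", "10.3.255.254")
    remote = ("10.0.1.1", "10.0.10.254")
    print("local side routes into tunnel:", [str(n) for n in tunnel_routes(local, remote)])
    print("remote side routes into tunnel:", [str(n) for n in tunnel_routes(remote, local)])
```

With the answer's figures the local side gets a single route, 10.0.0.0/20, which covers the remote 10.0.1.1 - 10.0.10.254 range without touching 10.1.0.0 - 10.3.255.255; the remote side gets the exact prefixes covering the local range. If `true_overlap` returns True the two sites share live addresses and only NAT over the tunnel will work.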
You should use a twice NAT rule (double NAT). I don't have access to a firewall right now, so I cannot share a screenshot, but I think the example below will be clear.
Create NAT rules for the overlapping IPs.
Example: HQ ---> BRANCH
HQ Firewall NAT rule 1:
Source: overlapping IP 192.168.1.0/24
Source Translated: new NATed IP 10.10.10.0/24
Destination: NATed IP of the destination's overlapping subnet, 10.10.11.0/24
Interface: tunnel interface
Branch Firewall NAT rule 1:
Source: 10.10.10.0/24
Source Translated: Original
Destination: 10.10.11.0/24
Destination Translated: 192.168.1.0/24
-----
Branch Firewall NAT rule 2:
Source: 192.168.1.0/24
Source Translated: 10.10.11.0/24
Destination: 10.10.10.0/24
Destination Translated: Original
Interface: tunnel interface
HQ Firewall NAT rule 2:
Source: 10.10.11.0/24
Source Translated: Original
Destination: 10.10.10.0/24
Destination Translated: 192.168.1.0/24
Interface: tunnel interface
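The four NAT rules above, traced as a packet would see them, as an added example that is not part of the post and not a SonicWall configuration export. It models each rule as a first-match, 1:1 prefix translation on the tunnel interface and follows an HQ host talking to a Branch host and the reply coming back, so the translation at each hop can be checked before the rules are typed into either firewall. The rule names, the two host addresses and the helper names are assumptions.

```python
"""Simulate the twice-NAT (double NAT) rules from the answer above.
Added example, not a SonicWall configuration; hosts and rule names assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    name: str
    src: Net
    dst: Net
    src_to: Optional[Net] = None   # None means "Original" (no translation)
    dst_to: Optional[Net] = None


def net(s: str) -> Net:
    return ipaddress.ip_network(s)


def netmap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """1:1 prefix translation: keep the host bits, swap the network bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 subnet NAT needs equal-length prefixes")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


def apply_nat(rules: List[NatRule], src, dst) -> Tuple[IPv4, IPv4, Optional[str]]:
    """First matching rule wins, as a firewall evaluates its NAT policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst:
            new_src = netmap(src, r.src, r.src_to) if r.src_to else src
            new_dst = netmap(dst, r.dst, r.dst_to) if r.dst_to else dst
            return new_src, new_dst, r.name
    return src, dst, None   # no rule hit: the packet is ordinary local traffic


LAN = net("192.168.1.0/24")          # the overlapping subnet, used at both sites
HQ_ALIAS = net("10.10.10.0/24")      # how HQ hosts appear to Branch
BRANCH_ALIAS = net("10.10.11.0/24")  # how Branch hosts appear to HQ

# The four rules from the answer, one list per firewall.
HQ_RULES = [
    NatRule("HQ rule 1", src=LAN, dst=BRANCH_ALIAS, src_to=HQ_ALIAS),
    NatRule("HQ rule 2", src=BRANCH_ALIAS, dst=HQ_ALIAS, dst_to=LAN),
]
BRANCH_RULES = [
    NatRule("Branch rule 1", src=HQ_ALIAS, dst=BRANCH_ALIAS, dst_to=LAN),
    NatRule("Branch rule 2", src=LAN, dst=HQ_ALIAS, src_to=BRANCH_ALIAS),
]


def round_trip(hq_host: str, branch_host: str) -> dict:
    """Trace HQ host -> Branch host and the reply; (src, dst) at each hop."""
    # An HQ user must address the Branch host by its alias (10.10.11.x);
    # 192.168.1.x would never leave the HQ LAN.
    alias = netmap(ipaddress.ip_address(branch_host), LAN, BRANCH_ALIAS)
    hops = {}
    s, d, _ = apply_nat(HQ_RULES, hq_host, alias)          # HQ egress
    hops["tunnel_fwd"] = (str(s), str(d))
    s, d, _ = apply_nat(BRANCH_RULES, s, d)                # Branch ingress
    hops["branch_lan"] = (str(s), str(d))
    s, d, _ = apply_nat(BRANCH_RULES, d, s)                # reply, Branch egress
    hops["tunnel_rev"] = (str(s), str(d))
    s, d, _ = apply_nat(HQ_RULES, s, d)                    # HQ ingress
    hops["hq_lan"] = (str(s), str(d))
    return hops


def reply_reaches_sender(hq_host: str, branch_host: str) -> bool:
    """The whole point of the second rule on each side: the reply lands on
    the original HQ host, not somewhere on the Branch LAN."""
    return round_trip(hq_host, branch_host)["hq_lan"][1] == hq_host


def aliases_are_clean() -> bool:
    """Both alias subnets must be free on both sides, or the routes for
    10.10.10.0/24 and 10.10.11.0/24 into the tunnel would collide."""
    return not HQ_ALIAS.overlaps(LAN) and not BRANCH_ALIAS.overlaps(LAN) \
        and not HQ_ALIAS.overlaps(BRANCH_ALIAS)


if __name__ == "__main__":
    for hop, (s, d) in round_trip("192.168.1.10", "192.168.1.20").items():
        print(f"{hop:11s} {s:>15s} -> {d}")
```

Two things the trace makes visible that the rule list alone does not: the forward packet crosses the tunnel as 10.10.10.10 -> 10.10.11.20 and the reply as 10.10.11.20 -> 10.10.10.10, so the routes on each tunnel interface only ever need the two alias subnets; and a packet from 192.168.1.10 to 192.168.1.20 matches no rule at all and stays on the HQ LAN, which is why users and DNS at each site must refer to the other site by its alias addresses.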