Monday, 20 October 2014

Site To Site VPN between Cisco Routers with Duplicate LAN IP

In the real world, when there is a requirement to set up a site-to-site VPN between two different companies, there may be a scenario where both companies use the same LAN subnet. In this case we cannot define the ACL for the interesting traffic as usual, because the source and destination subnets will be the same!

We will use the existing topology to illustrate the situation. As one can see, both R1 and R2 have a Loopback0 interface with IP 1.1.1.1/24, which represents the LAN subnet. We need to set up a site-to-site VPN between these two routers.


We will skip the usual steps to configure the ISAKMP & IPSEC parameters, as we have covered those in previous posts. Our focus will be on how we can define the interesting traffic.

As both LAN subnets are 1.1.1.0/24, we will have to perform NAT. Let's say we want R1's LAN subnet (1.1.1.0/24) to appear as 172.16.1.0/24 from R2's perspective. Likewise, we want R1 to see R2's LAN subnet as 172.16.2.0/24. Because the translation happens before the crypto check on the inside-to-outside path, the interesting traffic is matched on the translated addresses, not on 1.1.1.0/24.



The ACL for the interesting traffic on R1 and R2 will be as below.



Now let's configure the NAT statements on both routers.
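The two steps above, written out as an added example (not the configuration from the original screenshots). Interface names, the ACL name VPN-TRAFFIC and the crypto map name VPN-MAP are assumptions; the peer address and transform set are placeholders to be taken from your own ISAKMP/IPSEC setup.

```cisco
! ===== R1 (assumed: Loopback0 = LAN 1.1.1.0/24, GigabitEthernet0/0 = WAN) =====
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN-MAP
!
! R1's LAN 1.1.1.0/24 is presented to R2 as 172.16.1.0/24 (one-to-one, whole subnet)
ip nat inside source static network 1.1.1.0 172.16.1.0 /24
!
! Interesting traffic is matched on the translated addresses, because NAT
! runs before the crypto map check for inside-to-outside packets
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer R2_WAN_IP_PLACEHOLDER
 set transform-set TRANSFORM_SET_PLACEHOLDER
 match address VPN-TRAFFIC

! ===== R2 (mirror image: its 1.1.1.0/24 is presented to R1 as 172.16.2.0/24) =====
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN-MAP
!
ip nat inside source static network 1.1.1.0 172.16.2.0 /24
!
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer R1_WAN_IP_PLACEHOLDER
 set transform-set TRANSFORM_SET_PLACEHOLDER
 match address VPN-TRAFFIC

! Verification after the ping: "show crypto isakmp sa" for the tunnel state and
! "show ip nat translations" for the static 1.1.1.x <-> 172.16.x.x entries
```

The same subnet on both sides only works because each side is hidden behind a distinct translated range; if a third site is added later, it needs its own unique translated range as well.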



Let's ping 172.16.2.1, an address in R2's translated subnet, from R1's Loopback0.


The ping works! Let's check whether the tunnel is up.


The tunnel is up. We can also see that there is a static NAT entry in R2's routing table for the IP 172.16.2.1, mapping it to 1.1.1.1.


Feel free to comment or suggest.
