


site-2-site VPN

Hi everybody,

I was asking about the S2S VPN lately, but have a bit different question 
now. What are the industry standards / best practices to securely 
connect two company branches? I was thinking of a VPN connection, but it 
does not allow one to connect two identical subnets e.g. 10.11.12.0/24 
with 10.11.12.0/24. Is there a way to connect two offices via VPN and 
reduce or eliminate the possibility of subnet overlap?

Thanks,
AL
ALeu
4/9/2009 10:49:41 PM
comp.dcom.sys.cisco

ALeu wrote:

> I was asking about the S2S VPN lately, but have a bit different question 
> now. What are the industry standards / best practices to securely 
> connect two company branches? I was thinking of a VPN connection, but it 
> does not allow one to connect two identical subnets e.g. 10.11.12.0/24 
> with 10.11.12.0/24. Is there a way to connect two offices via VPN and 
> reduce or eliminate the possibility of subnet overlap?

If you have the same subnet remote and local, it's hard to find simple 
logic for any router to decide where a packet should go, so you must 
NAT both subnets to different subnets outside, with all possible side 
effects on protocols that don't like NAT.
No matter whether it's tunneled through a VPN, a leased line or a dialup connection.

Only pure IPsec with the old crypto map syntax is kind of restricted.

If you set up GRE tunnel interfaces with IPsec protection, you have 
routable interfaces which can also be ip nat inside or ip nat outside.

-- 
ULi
Uli
4/10/2009 8:08:11 AM
On Thu, 09 Apr 2009 18:49:41 -0400, ALeu <aleu@op.pl> wrote:

>Hi everybody,
>
>I was asking about the S2S VPN lately, but have a bit different question 
>now. What are the industry standards / best practices to securely 
>connect two company branches? I was thinking of a VPN connection, but it 
>does not allow one to connect two identical subnets e.g. 10.11.12.0/24 
>with 10.11.12.0/24. Is there a way to connect two offices via VPN and 
>reduce or eliminate the possibility of subnet overlap?

you can bridge between the 2 sites, and maybe you can get that to work
over a VPN.

However - the real fix is to readdress 1 site. 
Badly set up addressing is going to cause you all sorts of problems
down the line, so fix it now rather than try to patch up the side
effects.

>
>Thanks,
>AL
-- 
Regards

stephen_hope@xyzworld.com - replace xyz with ntl
Stephen
4/10/2009 10:41:47 AM
On Apr 10, 11:41 am, Stephen <stephen_h...@xyzworld.com> wrote:
> On Thu, 09 Apr 2009 18:49:41 -0400, ALeu <a...@op.pl> wrote:
> >Hi everybody,
>
> >I was asking about the S2S VPN lately, but have a bit different question
> >now. What are the industry standards / best practices to securely
> >connect two company branches? I was thinking of a VPN connection, but it
> >does not allow one to connect two identical subnets e.g. 10.11.12.0/24
> >with 10.11.12.0/24. Is there a way to connect two offices via VPN and
> >reduce or eliminate the possibility of subnet overlap?
>
> you can bridge between the 2 sites, and maybe you can get that to work
> over a VPN.
>
> However - the real fix is to readdress 1 site.
> Badly set up addressing is going to cause you all sorts of problems
> down the line, so fix it now rather than try to patch up the side
> effects.
>
>
>
> >Thanks,
> >AL
>
> --
> Regards
>
> stephen_h...@xyzworld.com - replace xyz with ntl

Site A address 10.10.10.0/24, Server A 10.10.10.10; Site B 1.10.10.0/24

Could use DNS: when a host at site B sends traffic to Server A at site 
A, the name server directs the traffic to 172.21.1.10 via DNS. This 
then crosses the IPsec VPN; on arrival, do a network NAT statement 
translating the 172.21.1.0/24 range to 10.10.10.0/24. This will then 
be able to hit the server at 10.10.10.10.
tweety
4/18/2009 12:33:40 PM
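Uli's GRE-over-IPsec-with-NAT design and tweety's DNS-plus-network-NAT scheme, put together as an added example. This is an illustrative IOS configuration written for this thread, not something any poster supplied. Assumptions: both sites use 10.11.12.0/24; site A is presented to the tunnel as 172.21.1.0/24 and site B as 172.21.2.0/24; the WAN addresses (203.0.113.1 for A, 198.51.100.1 for B), the ISP next hops, the 192.168.255.0/30 tunnel link, the interface names, the VPN-PROF profile name and the pre-shared key are all placeholders; and the routers run an IOS release that supports SHA-256 and DH group 14 (older releases would need hash sha, esp-sha-hmac and a weaker group).

```cisco
! ===== Router A (site A, LAN 10.11.12.0/24, shown to site B as 172.21.1.0/24) =====
! Added example, not from the thread. Addresses, names and the PSK are placeholders.
hostname RTR-A
!
! IKE policy and IPsec profile that protects the GRE tunnel
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile VPN-PROF
 set transform-set TS-AES256
!
! WAN side: the GRE/IPsec endpoint. Not part of the NAT domain.
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
!
! LAN side: the overlapping subnet. This is "inside" for NAT.
interface GigabitEthernet0/1
 description LAN (same prefix as site B)
 ip address 10.11.12.1 255.255.255.0
 ip nat inside
!
! GRE tunnel with IPsec protection: a routable interface, so it can be "outside".
interface Tunnel0
 description GRE/IPsec to site B
 ip address 192.168.255.1 255.255.255.252
 ip nat outside
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VPN-PROF
!
! One-to-one static network NAT, both directions: 10.11.12.x <-> 172.21.1.x.
! Site A hosts never see site B's real 10.11.12.0/24; they see 172.21.2.0/24.
ip nat inside source static network 10.11.12.0 172.21.1.0 /24
!
! Site B's translated prefix is reachable only through the tunnel.
ip route 172.21.2.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! ===== Router B (site B, LAN 10.11.12.0/24, shown to site A as 172.21.2.0/24) =====
! Same structure as router A; only the lines that differ are listed.
hostname RTR-B
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
interface Tunnel0
 ip address 192.168.255.2 255.255.255.252
 ip nat outside
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VPN-PROF
ip nat inside source static network 10.11.12.0 172.21.2.0 /24
ip route 172.21.1.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.254
```

Walking one flow through it: a client 10.11.12.5 at site A wants the server that is really 10.11.12.10 at site B, so it must address 172.21.2.10. That is where the DNS piece comes in: site A's name server hands out 172.21.2.10 for that server's name, so users never type the translated address. Router A routes the packet to Tunnel0 and, because Tunnel0 is nat outside, rewrites the source to 172.21.1.5. Router B receives it on its nat outside Tunnel0, rewrites the destination 172.21.2.10 to 10.11.12.10 before routing, and delivers it on the LAN. The reply takes the mirror path (source 10.11.12.10 becomes 172.21.2.10 on B, destination 172.21.1.5 becomes 10.11.12.5 on A). Check the translations with show ip nat translations and the tunnel with show crypto ipsec sa. Two caveats a practitioner should keep in mind: the two 172.21.x.0/24 prefixes must be unused anywhere at either site, and anything that carries IP addresses inside its payload (active-mode FTP, SIP, some RPC) will see the wrong address unless an ALG handles it, which is the NAT side effect Uli warns about and one of the reasons Stephen's advice to readdress one site remains the clean fix.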