site to site vpn #2 481678

Hello all,
We are currently terminating vpn connections from client sites in our dmz
area and then letting their traffic pass through our firewall. The circuits
and routers that the vpns terminate on are owned by the clients and are
located at our facility. We are currently using the 10.0.0.0 address space
and so are some of our clients. I can foresee a time when we might have a
problem with this if a client has a host at 10.0.0.1 and if we have a host
at 10.0.0.1 and we try to connect to the client's host our router will think
the host is on the local subnet and not route the packet to the client host.
This problem could also arise if two of our clients are using the same IP
address the router won't know where to forward the packet and could cause a
loop. Is there any other way around this than getting some public address
space and doing statics and conduits through a pix?
Any ideas or suggestions ?!?
Thanks in advance


0
Bruce
7/11/2003 3:10:03 PM
comp.dcom.sys.cisco

Look into "dual NAT," where you assign aliases at each end of the tunnel for
specific address ranges.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9e6.html#1025970

Michael


"Bruce Fournier" <bfournier@no-spam.com> wrote in message
news:vgtkoosp7nhbee@corp.supernews.com...
> Hello all,
> We are currently terminating vpn connections from client sites in our dmz
> area and then letting their traffic pass through our firewall. The circuits
> and routers that the vpns terminate on are owned by the clients and are
> located at our facility. We are currently using the 10.0.0.0 address space
> and so are some of our clients. I can foresee a time when we might have a
> problem with this if a client has a host at 10.0.0.1 and if we have a host
> at 10.0.0.1 and we try to connect to the client's host our router will think
> the host is on the local subnet and not route the packet to the client host.
> This problem could also arise if two of our clients are using the same IP
> address the router won't know where to forward the packet and could cause a
> loop. Is there any other way around this than getting some public address
> space and doing statics and conduits through a pix?
> Any ideas or suggestions ?!?
> Thanks in advance


0
Michael
7/11/2003 7:48:22 PM
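
An added illustration of the "dual NAT" idea suggested above (not part of the original posts, and not PIX configuration): each site whose real range collides with another is given a unique alias range, and addresses are mapped 1:1 at each end of the tunnel. The site names, subnets and the 172.16.0.0/12 alias pool are constructed assumptions.

```python
import ipaddress

# Constructed sample data: site names, subnets and the alias pool are assumptions.
SITES = {
    "ours": ipaddress.ip_network("10.0.0.0/24"),
    "client_a": ipaddress.ip_network("10.0.0.0/24"),
    "client_b": ipaddress.ip_network("10.0.0.0/16"),
    "client_c": ipaddress.ip_network("192.168.5.0/24"),
}
POOL = ipaddress.ip_network("172.16.0.0/12")

def find_overlaps(sites):
    """Return name pairs whose real subnets overlap (ambiguous routing)."""
    names = sorted(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]

def assign_aliases(sites, pool):
    """Give each overlapping site a unique, same-sized alias subnet from pool."""
    if any(pool.overlaps(net) for net in sites.values()):
        raise ValueError("alias pool collides with a real subnet")
    clashing = {name for pair in find_overlaps(sites) for name in pair}
    aliases, cursor = {}, int(pool.network_address)
    # Largest subnets first keeps every allocation aligned without gaps.
    for name in sorted(clashing, key=lambda n: (sites[n].prefixlen, n)):
        size = sites[name].num_addresses
        cursor = -(-cursor // size) * size  # round up to the subnet boundary
        alias = ipaddress.ip_network((cursor, sites[name].prefixlen))
        if not alias.subnet_of(pool):
            raise ValueError("alias pool exhausted")
        aliases[name] = alias
        cursor += size
    return aliases

def translate(addr, src_net, dst_net):
    """1:1 NAT: keep the host bits, swap the network bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    return dst_net.network_address + (int(addr) - int(src_net.network_address))

def in_tunnel(sites, aliases, src_site, src, dst_site, dst):
    """Addresses a packet carries between the two NAT points (real -> alias)."""
    def to_alias(site, ip):
        return translate(ip, sites[site], aliases.get(site, sites[site]))
    return str(to_alias(src_site, src)), str(to_alias(dst_site, dst))

if __name__ == "__main__":
    aliases = assign_aliases(SITES, POOL)
    print(find_overlaps(SITES), aliases)
    print(in_tunnel(SITES, aliases, "ours", "10.0.0.1", "client_a", "10.0.0.1"))
```

With these sample sites, the two hosts that are both really 10.0.0.1 become distinguishable inside the tunnel, while the non-overlapping site keeps its real addresses.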
On Fri, 11 Jul 2003 19:48:22 +0000, Michael T. Hall wrote:

> Look into "dual NAT," where you assign aliases at each end of the tunnel
> for specific address ranges.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9e6.html#1025970
>
> Michael
>
>
> "Bruce Fournier" <bfournier@no-spam.com> wrote in message
> news:vgtkoosp7nhbee@corp.supernews.com...
>> Hello all,
>> We are currently terminating vpn connections from client sites in our
>> dmz area and then letting their traffic pass through our firewall. The
>> circuits and routers that the vpns terminate on are owned by the clients
>> and are located at our facility. We are currently using the 10.0.0.0
>> address space and so are some of our clients. I can foresee a time when
>> we might have a problem with this if a client has a host at 10.0.0.1 and
>> if we have a host at 10.0.0.1 and we try to connect to the client's host
>> our router will think the host is on the local subnet and not route the
>> packet to the client host.
>> This problem could also arise if two of our clients are using the same
>> IP address the router won't know where to forward the packet and could
>> cause a loop. Is there any other way around this than getting some public
>> address space and doing statics and conduits through a pix? Any ideas or
>> suggestions ?!?
>> Thanks in advance

CIPE can do this fine.

-a
0
dev
7/13/2003 2:25:26 PM
Thank you for your reply, that is one that I hadn't thought of.

"Michael T. Hall" <michaelthall@comcast.net> wrote in message
news:awEPa.36913$N7.3778@sccrnsc03...
> Look into "dual NAT," where you assign aliases at each end of the tunnel
> for specific address ranges.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00800ec9e6.html#1025970
>
> Michael
>
>
> "Bruce Fournier" <bfournier@no-spam.com> wrote in message
> news:vgtkoosp7nhbee@corp.supernews.com...
> > Hello all,
> > We are currently terminating vpn connections from client sites in our dmz
> > area and then letting their traffic pass through our firewall. The
> > circuits and routers that the vpns terminate on are owned by the clients
> > and are located at our facility. We are currently using the 10.0.0.0
> > address space and so are some of our clients. I can foresee a time when
> > we might have a problem with this if a client has a host at 10.0.0.1 and
> > if we have a host at 10.0.0.1 and we try to connect to the client's host
> > our router will think the host is on the local subnet and not route the
> > packet to the client host.
> > This problem could also arise if two of our clients are using the same IP
> > address the router won't know where to forward the packet and could cause
> > a loop. Is there any other way around this than getting some public
> > address space and doing statics and conduits through a pix?
> > Any ideas or suggestions ?!?
> > Thanks in advance


0
Bruce
7/14/2003 4:24:48 PM