[c-nsp] Overlapping NAT subnets and PPTP
up at 3.am
Thu May 29 11:50:43 EDT 2008
I have a customer that has a 2811 with a fairly complex NAT VPN
configuration (an existing GRE tunnel, a bunch of static NAT mappings to
it, etc).
We just added PPTP to it and ran into an overlapping subnet issue
with it. They have over a hundred internal hosts on 192.168.1.0/24 and of
course, many people who PPTP into it are using that same RFC1918 space on
their LAN (it's hard coded into my Verizon router, for example). Since
the incoming PPTP connections need to talk to those hosts, there is
obviously a conflict.
Cisco TAC's position was that they need to renumber to eliminate the
conflict. That may be true, but we came up with an idea that seems like
it should work as an alternative. That is to use something like:
ip nat source static 192.168.1.20 10.3.3.20
or
ip nat outside source static 192.168.1.20 10.3.3.20
to "fool" the incoming PPTP connected hosts. To some extent, it works.
The incoming connections can now ping 10.3.3.20 and get responses (they
could not ping 192.168.1.20). However, any attempt to connect to any TCP
port on that host results in a "connection refused".
Is this just a dead-end for this kludge, or is something else needed? Has
anyone else succeeded with it? The customer just wants to avoid
renumbering if possible (for now), so I just want to make sure that if
this kludge doesn't work, I can explain why, or make it work if possible.
Thanks in Advance!
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
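Worked example, added by the editor and not part of the post above or of anything Cisco TAC suggested: an IOS configuration for the one-sided overlap the post describes. Only 192.168.1.0/24, the host 192.168.1.20 and the alias 10.3.3.20 come from the post; the interface names, the 203.0.113.2 WAN address, the 10.20.20.0/24 PPTP pool, the existing Internet overload rule and the access-list numbers are assumptions. The idea is that the dial-in clients' tunnel addresses (from the pool) do not overlap with anything, so it is the inside hosts that need an alias, not the remote side; hence the inside form of the static command rather than the `ip nat outside source static ... add-route` recipe Cisco gives for overlapping networks. Note also that `ip nat source static` with no `inside`/`outside` keyword is not a valid IOS command; the intended one is `ip nat inside source static`.

```text
! Added example (not from the original post). Names and addresses other than
! 192.168.1.0/24, 192.168.1.20 and 10.3.3.20 are assumptions.
!
vpdn enable
vpdn-group PPTP
 accept-dialin
  protocol pptp
  virtual-template 1
!
ip local pool PPTP-POOL 10.20.20.10 10.20.20.50
!
interface FastEthernet0/0
 description Customer LAN 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Internet (assumed address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTP-POOL
 ppp authentication ms-chap-v2
 ppp encrypt mppe auto required
 ! The Virtual-Access interfaces cloned from this template must be NAT
 ! outside, otherwise nothing arriving from a PPTP client is translated.
 ip nat outside
!
! Existing Internet access for the LAN (assumed overload rule).
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/1 overload
!
! Restrict the alias to LAN <-> PPTP-pool traffic. Without the route-map a
! static one-to-one entry takes precedence over the overload rule for
! 192.168.1.20 on every outside interface, so that host's Internet traffic
! would be sourced from the unroutable 10.3.3.20.
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.20.20.0 0.0.0.255
route-map TO-PPTP permit 10
 match ip address 120
!
! Inside local 192.168.1.20 is presented to PPTP clients as inside global
! 10.3.3.20. Repeat per host, or alias the whole LAN with
! "ip nat inside source static network 192.168.1.0 10.3.3.0 /24" (check
! whether the IOS in use accepts route-map on the network form).
ip nat inside source static 192.168.1.20 10.3.3.20 route-map TO-PPTP
```

Two things to check when a client can reach the alias with ping but not over TCP: `show ip nat translations` while the connection attempt is in progress (an entry for 10.3.3.20 with the client's pool address should appear and should show the TCP port, not just ICMP), and `debug ip nat` on a quiet router, which prints every translation decision. The remote client also needs a route for 10.3.3.0/24 over the tunnel; a Windows client with "use default gateway on remote network" enabled sends everything through it, a split-tunnel client does not. Independently of the NAT question, PPTP with MS-CHAPv2 and MPPE gives no meaningful confidentiality or authentication today, since the MS-CHAPv2 exchange reduces to a single DES key that can be brute-forced; the example keeps PPTP only because it is what the post is about.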