[c-nsp] Overlapping NAT subnets and PPTP

up at 3.am
Thu May 29 11:50:43 EDT 2008


I have a customer that has a 2811 with a fairly complex NAT VPN 
configuration (an existing GRE tunnel, a bunch of static NAT mappings to 
it, etc).

We just added a PPTP to it and ran into an overlapping subnet issue 
with it.  They have over a hundred internal hosts on 192.168.1.0/24 and of 
course, many people who PPTP into it are using that same RFC1918 space on 
their LAN (it's hard coded into my Verizon router, for example).  Since 
the incoming PPTP connections need to talk to those hosts, there is 
obviously a conflict.

Cisco TAC's position was that they need to renumber to eliminate the 
conflict.  That may be true, but we came up with an idea that seems like 
it should work as an alternative.  That is to use something like:

ip nat inside source static 192.168.1.20 10.3.3.20
or
ip nat outside source static 192.168.1.20 10.3.3.20

to "fool" the incoming PPTP connected hosts.  To some extent, it works. 
The incoming connections can now ping 10.3.3.20 and get responses (they 
could not ping 192.168.1.20).  However, any attempt to connect to any TCP 
port on that host results in a "connection refused".

Is this just a dead-end for this kludge, or is something else needed?  Has 
anyone else succeeded with it?  The customer just wants to avoid 
renumbering if possible (for now), so I just want to make sure that if 
this kludge doesn't work, I can explain why, or make it work if possible.

Thanks in Advance!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================