[c-nsp] Overlapping NAT subnets and PPTP

Andrew Gristina agristina+cisco-nsp at gmail.com
Fri May 30 20:32:12 EDT 2008


One: most people use a real name on the list.

Two: PPTP and PAT don't really mix.  Read up on the PPTP protocol.  If
not, just try a whole bunch of PPTP clients behind a PAT.  I don't
really value the PPTP protocol very highly.

Three: IPsec can do double NAT or double PAT (disguise the same
network at both ends).

Four: VPNs for B2B implementations are better off if everyone insists
on publics for the interesting traffic networks; then each network
owner can NAT at their "demarc".

These are all things that are probably in the list archive.

I hope you got more replies than this, and in a kinder, gentler tone,
but I'm in a hurry and didn't see anyone reply to you.

On Thu, May 29, 2008 at 8:50 AM,  <up at 3.am> wrote:
>
> I have a customer that has a 2811 with a fairly complex NAT VPN
> configuration (an existing GRE tunnel, a bunch of static NAT mappings to it,
> etc).
>
> We just added a PPTP to it and ran into an overlapping subnet issue with it.
>  They have over a hundred internal hosts on 192.168.1.0/24 and of course,
> many people who PPTP into it are using that same RFC1918 space on their LAN
> (it's hard coded into my Verizon router, for example).  Since the incoming
> PPTP connections need to talk to those hosts, there is obviously a conflict.
>
> Cisco TAC's position was that they need to renumber to eliminate the
> conflict.  That may be true, but we came up with an idea that seems like it
> should work as an alternative.  That is to use something like:
>
> ip nat inside source static 192.168.1.20 10.3.3.20
> or
> ip nat outside source static 192.168.1.20 10.3.3.20
>
> to "fool" the incoming PPTP connected hosts.  To some extent, it works. The
> incoming connections can now ping 10.3.3.20 and get responses (they could
> not ping 192.168.1.20).  However, any attempt to connect to any TCP port on
> that host results in a "connection refused".
>
> Is this just a dead-end for this kludge, or is something else needed?  Has
> anyone else succeeded with it?  The customer just wants to avoid renumbering
> if possible (for now), so I just want to make sure that if this kludge
> doesn't work, I can explain why, or make it work if possible.
>
> Thanks in advance!
>
> James Smallacombe                     PlantageNet, Inc. CEO and Janitor
> up at 3.am                                                     http://3.am
> =========================================================================
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
