Double NAT outbound over IPSec
-
I have multiple sites that were set up before me. They all use the same private address range on the LAN side - 192.168.0.0/24
I need to bring up an IPSec VPN connection to a remote Cisco box. No problems here - site one connected and running fine.
The problem starts when I try to bring up site 2 as it has the same "encryption domain" (LAN subnet) as site 1. Is there any way I can NAT the private address before it hits the IPSec tunnel? Something like:
LAN (192.168.0.1) ----> 192.168.0.254 (netgate LAN) ---> OUTBOUND NAT (192.168.155.1) ----> IPSec Tunnel <----- Cisco Concat.
This would perform 2 translations allowing the Cisco box to see the unique subnet of 192.168.155.0/24 (thus, avoiding any conflicts). Is this "do-able" and if so, any pointers?
thanks
-
@fifty_bellies
You can do this by entering the desired translation network in the phase 2 at "NAT/BINAT translation". However, consider that on the remote site you also have to replace the remote network with the NAT network.
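To make the effect of that phase 2 "NAT/BINAT translation" setting concrete, here is an added example (not code from either poster or from pfSense) that models what the 1:1 BINAT does to addresses and why it removes the clash between the two sites. The site LANs (both 192.168.0.0/24) and site 1's translated network (192.168.155.0/24) come from the thread; the translated network for site 2 (192.168.156.0/24) and the remote Cisco-side network (10.10.10.0/24) are assumptions, and the label "site1 LAN" etc. are just names used here.

```python
import ipaddress


def binat_translate(addr, inside_net, outside_net):
    """1:1 (BINAT) translation: keep the host part of addr, swap the network part.

    This is the mapping the phase 2 NAT/BINAT setting applies before traffic
    enters the tunnel, e.g. 192.168.0.1 in 192.168.0.0/24 becomes
    192.168.155.1 in 192.168.155.0/24 (and the reverse on the way back).
    """
    inside = ipaddress.ip_network(inside_net, strict=False)
    outside = ipaddress.ip_network(outside_net, strict=False)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("BINAT needs equal-sized inside and outside networks")
    ip = ipaddress.ip_address(addr)
    if ip not in inside:
        raise ValueError(f"{addr} is not in {inside}")
    host_offset = int(ip) - int(inside.network_address)
    return str(ipaddress.ip_address(int(outside.network_address) + host_offset))


def overlapping_domains(domains):
    """Return the pairs of named networks that overlap.

    Every network the remote Cisco box sees as a local/remote selector must be
    unique; any pair returned here is a clash in the encryption domains.
    """
    nets = [(name, ipaddress.ip_network(n, strict=False)) for name, n in domains.items()]
    clashes = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                clashes.append((nets[i][0], nets[j][0]))
    return clashes


# Constructed input: the two LANs from the thread plus an assumed remote network.
SITE_LANS = {"site1": "192.168.0.0/24", "site2": "192.168.0.0/24"}
REMOTE_NET = "10.10.10.0/24"  # assumed Cisco-side network, not from the thread

# Translated networks: site1's from the thread, site2's assumed for illustration.
TRANSLATED = {"site1": "192.168.155.0/24", "site2": "192.168.156.0/24"}


def domains_without_nat():
    """What the Cisco box would be asked to accept if both sites used their raw LANs."""
    domains = {f"{site} LAN": net for site, net in SITE_LANS.items()}
    domains["cisco"] = REMOTE_NET
    return overlapping_domains(domains)


def domains_with_nat():
    """Same check after each site's phase 2 carries its translated network."""
    domains = {f"{site} NAT": net for site, net in TRANSLATED.items()}
    domains["cisco"] = REMOTE_NET
    return overlapping_domains(domains)


if __name__ == "__main__":
    print("clashes without NAT:", domains_without_nat())
    print("clashes with NAT:   ", domains_with_nat())
    for site, lan in SITE_LANS.items():
        host = str(ipaddress.ip_network(lan)[1])
        print(site, host, "->", binat_translate(host, lan, TRANSLATED[site]))
```

The point the answer makes about the remote end follows directly from this: the Cisco box only ever sees the translated networks, so its crypto ACL / remote selector for each site has to list 192.168.155.0/24 (and whatever site 2 is translated to), not 192.168.0.0/24, otherwise the proposal will not match and phase 2 will not come up.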