Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Connecting two 192.168.5.0/24 networks with NAT on both sides

    Scheduled Pinned Locked Moved
    IPsec
    4
    7
    382
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      coreybrett
      last edited by

      Looking for some help with this.

      Site A's LAN is 192.168.5.0/24

      Site B's LAN is 192.168.5.0/24

      How would I configure NAT on the P2s of site A and B so that both sides can communicate ?

      The current goal is to make...
      Site A's 192.168.5.0/24 appear as 192.168.3.0/24 on site B
      Site B's 192.168.5.0/24 appear as 192.168.4.0/24 on site A

      tinfoilmattT 1 Reply Last reply Reply Quote 0
      • tinfoilmattT
        tinfoilmatt @coreybrett
        last edited by

        @coreybrett you must know that this is a terrible idea rife with potential for endless troubleshooting. readdressing one of the sites would take a literal fraction of the time.

        what's the use case that absolutely requires the same subnet at both sites? that's the real issue—not how to make this work (which, admittedly, could be done).

        C 1 Reply Last reply Reply Quote 0
        • C
          coreybrett @tinfoilmatt
          last edited by

          It's a merger situation, with both sites having a ton of existing infrastructure on those existing subnets.
          Looking to establish L3 between the sites for AD trust. Only planned communications is between the respective DCs for user sync and MS-365 migration.

          I know it's a bad idea, but is it possible ?

          M 1 Reply Last reply Reply Quote 0
          • M
            mcury @coreybrett
            last edited by

            @coreybrett said in Connecting two 192.168.5.0/24 networks with NAT on both sides:

            It's a merger situation, with both sites having a ton of existing infrastructure on those existing subnets.
            Looking to establish L3 between the sites for AD trust. Only planned communications is between the respective DCs for user sync and MS-365 migration.

            I know it's a bad idea, but is it possible ?

            Yes, use BINAT, as far as I'm aware, it only works with tunnel mode and not with VTI, but I could be wrong about this.

            https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

            C 1 Reply Last reply Reply Quote 0
            • C
              coreybrett @mcury
              last edited by

              I have used that method before to do NAT on one side, but what about both sides ?

              M 1 Reply Last reply Reply Quote 0
              • M
                mcury @coreybrett
                last edited by

                @coreybrett said in Connecting two 192.168.5.0/24 networks with NAT on both sides:

                I have used that method before to do NAT on one side, but what about both sides ?

                You do the same thing, but use a different network for the BINAT at both sides.

                The phase two will allow both BINAT networks to cross the tunnel.

                1 Reply Last reply Reply Quote 0
                • M
                  michmoor LAYER 8 Rebel Alliance
                  last edited by michmoor

                  SNAT and DNAT is all you need here. Either site won’t know the real IP but that’s ok obviously you will keep track but that’s all that’s needed here to get around the overlap

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post