Netgate Discussion Forum
    Connecting two 192.168.5.0/24 networks with NAT on both sides

    IPsec
    7 Posts 4 Posters 627 Views
    coreybrett

      Looking for some help with this.

      Site A's LAN is 192.168.5.0/24

      Site B's LAN is 192.168.5.0/24

      How would I configure NAT on the P2s of site A and B so that both sides can communicate?

      The current goal is to make...
      Site A's 192.168.5.0/24 appear as 192.168.3.0/24 on site B
      Site B's 192.168.5.0/24 appear as 192.168.4.0/24 on site A

      tinfoilmatt @coreybrett

        @coreybrett You must know that this is a terrible idea, rife with potential for endless troubleshooting. Readdressing one of the sites would take a literal fraction of the time.

        What's the use case that absolutely requires the same subnet at both sites? That's the real issue—not how to make this work (which, admittedly, could be done).

        coreybrett @tinfoilmatt

          It's a merger situation, with both sites having a ton of existing infrastructure on those existing subnets.
          Looking to establish L3 between the sites for AD trust. The only planned communication is between the respective DCs for user sync and MS-365 migration.

          I know it's a bad idea, but is it possible?

          mcury @coreybrett

            @coreybrett said in Connecting two 192.168.5.0/24 networks with NAT on both sides:

            It's a merger situation, with both sites having a ton of existing infrastructure on those existing subnets.
            Looking to establish L3 between the sites for AD trust. The only planned communication is between the respective DCs for user sync and MS-365 migration.

            I know it's a bad idea, but is it possible?

            Yes, use BINAT. As far as I'm aware, it only works with tunnel mode and not with VTI, but I could be wrong about this.

            https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

            dead on arrival, nowhere to be found.

            coreybrett @mcury

              I have used that method before to do NAT on one side, but what about both sides?

              mcury @coreybrett

                @coreybrett said in Connecting two 192.168.5.0/24 networks with NAT on both sides:

                I have used that method before to do NAT on one side, but what about both sides?

                You do the same thing, but use a different network for the BINAT at both sides.

                The phase two will allow both BINAT networks to cross the tunnel.

                dead on arrival, nowhere to be found.

                michmoor
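To make the two-sided BINAT plan described above concrete, here is an added example (not code from the thread or from pfSense) that models the 1:1 translation at each site, checks that the chosen BINAT networks do not collide with either real LAN, lists the phase 2 values each side needs (the field names local_network / nat_binat / remote_network are assumed to mirror pfSense's phase 2 form), and traces one packet in each direction. The site addresses are the constructed values from the original post.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed example values (the thread's scenario): each site's real
# LAN and the BINAT network it presents to the peer across the tunnel.
SITE_A = {"lan": "192.168.5.0/24", "binat": "192.168.3.0/24"}
SITE_B = {"lan": "192.168.5.0/24", "binat": "192.168.4.0/24"}

def binat(addr, from_net, to_net):
    """1:1 network translation: keep the host bits, swap the network bits."""
    src, dst = IPv4Network(from_net), IPv4Network(to_net)
    ip = IPv4Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("BINAT networks must have equal prefix lengths")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) - int(src.network_address)
    return str(IPv4Address(int(dst.network_address) + host_bits))

def plan_is_sane(a, b):
    """The two BINAT networks must be disjoint from each other and from both
    real LANs; otherwise routing at one site becomes ambiguous."""
    nets = [IPv4Network(n) for n in (a["binat"], b["binat"])]
    lans = [IPv4Network(n) for n in (a["lan"], b["lan"])]
    if nets[0].overlaps(nets[1]):
        return False
    return not any(n.overlaps(l) for n in nets for l in lans)

def phase2(site, peer):
    """Phase 2 values one site needs (assumed pfSense field names):
    Local Network = real LAN, NAT/BINAT translation = own BINAT network,
    Remote Network = the peer's BINAT network."""
    return {"local_network": site["lan"], "nat_binat": site["binat"],
            "remote_network": peer["binat"]}

def trace(src_host, dst_as_addressed, sender, receiver):
    """Follow one packet from a host at `sender` to a host at `receiver`.
    The sender addresses the peer by its BINAT address; returns the
    (src, dst) pair the receiving host actually sees."""
    src_on_wire = binat(src_host, sender["lan"], sender["binat"])
    if IPv4Address(dst_as_addressed) not in IPv4Network(receiver["binat"]):
        raise ValueError("destination must be in the peer's BINAT network")
    dst_real = binat(dst_as_addressed, receiver["binat"], receiver["lan"])
    return src_on_wire, dst_real

if __name__ == "__main__":
    print(plan_is_sane(SITE_A, SITE_B))
    print(phase2(SITE_A, SITE_B), phase2(SITE_B, SITE_A))
    print(trace("192.168.5.10", "192.168.4.20", SITE_A, SITE_B))  # A -> B
    print(trace("192.168.5.20", "192.168.3.10", SITE_B, SITE_A))  # B -> A
```

Note that each host only ever sees the peer's BINAT address, which is the bookkeeping michmoor refers to below: DNS and AD site records must point at the translated addresses, not the real 192.168.5.x ones.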

                  SNAT and DNAT are all you need here. Either site won't know the real IP, but that's ok; obviously you will keep track, but that's all that's needed here to get around the overlap.

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.