Cisco router L2L VPN: overlapping addresses with simultaneous public Internet access

Source: Internet
Author: User

I. Overview:

With a LAN-to-LAN IPsec VPN, if the intranet address ranges at both ends overlap, the two sides cannot reach each other, and static NAT must be configured to make mutual access possible (see http://xuanbo.blog.51cto.com/499334/410541). That solves the address-overlap problem but leaves the internal hosts unable to reach the public Internet. After testing, I found that by using a Loopback interface together with policy routing, and by mixing ip nat inside/outside with NVI (ip nat enable), the address overlap can be handled while the internal hosts can still reach the public Internet. This is recorded here for reference.

II. Basic ideas:

A. Solving the problem of overlapping addresses:

---Configure static NAT so that each side sees the other intranet as a different network segment; hosts on the two intranets then reach each other one-to-one through their translated addresses.

B. Solving the problem of no public Internet access:

---Mix the two NAT modes, and use policy routing so that VPN traffic gets static NAT while Internet-bound traffic gets dynamic PAT onto the public address, as needed.

C. Features relied on:

---NAT is performed before the IPsec VPN.

---The router supports two ways of configuring NAT: the traditional ip nat inside/outside mode, and NAT Virtual Interface (NVI) mode, configured with ip nat enable under the interface. The two modes can coexist on the same router.

---For NAT to succeed, a route to the destination must exist, and the packet must enter through an ip nat inside interface and leave through an ip nat outside interface (or the reverse), or enter through one ip nat enable interface and leave through another ip nat enable interface.

---For a traditional (crypto-map) L2L VPN configuration, the router's intranet and external interfaces form a pair of ip nat enable interfaces, so Internet-bound traffic is PATed onto the public address; PBR sends VPN traffic to the Loopback interface, and the Loopback interface and the external interface form an ip nat inside/outside pair, so NAT is done before the VPN.

---For an SVTI-mode L2L VPN configuration, the router's intranet and external interfaces likewise form a pair of ip nat enable interfaces, so Internet-bound traffic is PATed onto the public address; PBR sends VPN traffic to the Loopback interface, and the Loopback interface and the Tunnel interface form an ip nat inside/outside pair, so NAT is done before the VPN.
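The following configuration for the headquarters center router is an added example of the SVTI variant described above; it is not the page's own configuration. Only the addresses from section IV are taken from the page. Everything else is an assumption: the branch LAN is also 10.1.1.0/24 (the overlap), HQ presents itself to the branch as 192.168.1.0/24 and the branch presents itself to HQ as 192.168.2.0/24, the branch router's public address is 202.100.2.1, the Loopback0 and Tunnel0 addresses are arbitrary, and the pre-shared key is a placeholder. The access-list and route-map names are hypothetical.

```cisco
! Added example (not the page's own configuration): HQ center router, SVTI variant.
! Assumed: branch LAN 10.1.1.0/24 (overlapping), HQ seen by branch as 192.168.1.0/24,
! branch seen by HQ as 192.168.2.0/24, branch public address 202.100.2.1, PSK placeholder.
!
! Phase 1 / phase 2 parameters for the site-to-site tunnel
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-REAL-PSK address 202.100.2.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
!
! Loopback that VPN-bound LAN traffic is policy-routed into; it is the
! ip nat inside side of the static (overlap) translation
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
 ip nat inside
!
! LAN side: NVI interface for Internet traffic, plus PBR that diverts VPN traffic to Loopback0
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat enable
 ip policy route-map VPN-TO-LOOP
!
! WAN side: the other NVI interface, and the source of the tunnel
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 ip nat enable
!
! SVTI: the ip nat outside side of the static translation, so NAT runs before encryption
interface Tunnel0
 ip address 172.16.12.1 255.255.255.252
 ip nat outside
 tunnel source Ethernet0/1
 tunnel destination 202.100.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! VPN traffic: LAN hosts address the branch by its translated range
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map VPN-TO-LOOP permit 10
 match ip address VPN-TRAFFIC
 set interface Loopback0
!
! Static one-to-one translation of the whole HQ LAN (inside/outside domain NAT)
ip nat inside source static network 10.1.1.0 192.168.1.0 /24
!
! Internet traffic: NVI PAT onto the WAN address, with the VPN destinations excluded
ip access-list extended INTERNET
 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip nat source list INTERNET interface Ethernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

A packet from 10.1.1.2 to 192.168.2.x enters Ethernet0/0, is policy-routed into Loopback0 and re-enters the router there, so it is now on an ip nat inside interface; routing sends it to Tunnel0 (ip nat outside), the static translation rewrites the source to 192.168.1.2, and only then is it encrypted. A packet from the same host to an Internet address does not match VPN-TRAFFIC, leaves through Ethernet0/1 with both interfaces in NVI mode, and is PATed onto 202.100.1.1. The branch router mirrors this with 192.168.2.0/24 as its static mapping and 192.168.1.0/24 as the VPN destination. Translations can be checked with show ip nat translations (domain NAT), show ip nat nvi translations (NVI), and show crypto session for the tunnel.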

III. Test topology:

IV. Basic configuration:

A. Headquarters Server Router:

interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1

B. Headquarters Center Router:

interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 202.100.1.1 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 202.100.1.10

C. Internet Router:

interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shutdown
