This may seem a ridiculous question, but I want to exhaust all possible solutions so that I get this setup and don't have to change it.
I have a PIX 525, and one of the interfaces on this PIX I have dedicated to a VPN network. I have client-initiated VPN tunnels to a device that sits inside of this network (not the PIX). These VPN clients establish a site-to-site link between our two networks.
I am planning on revising this structure a bit for a few reasons, but one of these is that I am concerned about the likelihood of running into a customer with an overlapping address scheme.
The primary idea was for me to use a smaller subnet to NAT the specific addresses that clients need to talk to over the VPN so that the likelihood of them overlapping is dramatically reduced. (They only need to talk to a dozen or so servers out of all of the servers in our datacenter.) I am also wondering if it is possible to have a second subnet that can be used to NAT addresses on the same interface in the event that my primary address space does happen to overlap.
An example of this would be a VPN client with an address of 192.168.100.35 talking to IP 172.31.128.16 (whose real IP is 10.100.11.16); however, a VPN client with an address of 172.31.128.2 would talk to either 10.250.250.16 (with its real IP being 10.100.11.16) or directly to 10.100.11.16, because its address overlaps with the other address space.
I know that is a long post, but hopefully I've been clear enough for someone to reply with some helpful advice. Thanks!
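The overlap check and pool selection the post describes, as an added Python example (not part of the original post and not PIX configuration): given the real server subnet and an ordered list of candidate NAT pools, pick the first pool that does not collide with any of the customer's subnets, and map a real server address into that pool by keeping its host bits. The subnet sizes (all /24), the one-to-one static translation, and the sample customer subnets are assumptions for illustration; the addresses themselves are the ones from the post.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network

# Constructed from the post: the real datacenter server subnet and two
# candidate NAT pools used to present those servers to VPN clients.
# The /24 sizes are an assumption (the post does not state pool sizes).
REAL_NET = IPv4Network("10.100.11.0/24")
NAT_POOLS = [
    IPv4Network("172.31.128.0/24"),   # primary pool
    IPv4Network("10.250.250.0/24"),   # fallback pool if the primary collides
]


def validate_pools(real_net, pools):
    """Reject pool layouts that cannot be translated one-to-one.

    Each pool must be the same size as the real subnet so host bits map
    directly, and no pool may overlap another pool or the real subnet.
    """
    nets = [real_net, *pools]
    for i, a in enumerate(nets):
        if a.prefixlen != real_net.prefixlen:
            raise ValueError(f"{a} is not the same size as {real_net}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")


def select_pool(client_nets, real_net=REAL_NET, pools=NAT_POOLS):
    """Return the first pool that overlaps none of the customer's subnets.

    A customer site may advertise several subnets, so all of them are
    checked. Returns None when every pool collides; the caller then needs
    a new pool rather than exposing the real addresses, which is exactly
    what the NAT scheme is meant to avoid.
    """
    validate_pools(real_net, pools)
    nets = [ip_network(n, strict=False) for n in client_nets]
    for pool in pools:
        if not any(pool.overlaps(n) for n in nets):
            return pool
    return None


def translate(real_ip, pool, real_net=REAL_NET):
    """Map a real server address into the chosen pool, keeping the host bits."""
    real_ip = IPv4Address(real_ip)
    if real_ip not in real_net:
        raise ValueError(f"{real_ip} is not in {real_net}")
    host_bits = int(real_ip) - int(real_net.network_address)
    return pool.network_address + host_bits


def plan(client_nets, real_ip):
    """Return (pool, translated address) a customer should use for a server."""
    pool = select_pool(client_nets)
    if pool is None:
        return None, None
    return pool, translate(real_ip, pool)


if __name__ == "__main__":
    # Constructed customer subnets: one clean, one colliding with the
    # primary pool, one colliding with both pools.
    for site in (["192.168.100.0/24"],
                 ["172.31.128.0/24"],
                 ["172.31.128.0/24", "10.250.0.0/16"]):
        pool, addr = plan(site, "10.100.11.16")
        print(f"customer {site}: reach 10.100.11.16 as {addr} via pool {pool}")
```

With the post's two examples, the 192.168.100.0/24 customer is handed 172.31.128.16, and the 172.31.128.0/24 customer falls through to 10.250.250.16. The validation step matters in practice: a fallback pool that overlaps the primary pool or the real subnet would silently produce ambiguous translations.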