Several sites with same ip address for local network (ipsec VPN site to site)


I have a stable environment with an IPsec configuration (site to site). The problem I have is that I want to connect another site that has the same internal address as the first site I configured. I don't see how to create a NAT of origin, for example, or by routing, since they have the same address.

How can I configure FW or NSG rules if they have the same internal addressing?


Example:

site 1 - local network 192.168.1.0/24

site 2 - local network 192.168.1.0/24

----- IPsec VPN site to site -------

Thanks

3 Replies

I have run into this same issue when connecting a client's network to vendor networks that had overlapping scopes. As of today, outside of the Azure firewall, I am only aware of the Azure load balancer to be the only other resource having the ability to NAT. The way I accomplished this for the client was to provision a third party firewall to handle the VPN connections then NAT them to the correct subnet in Azure. Let me know if you have questions on that process and I would be happy to help. @santi10

Hi Bryan!! Thank you for your response, thanks a lot. So I think that the Azure firewall is easy to configure. Which third-party firewall do you use?

Regards

I have personally used the Cisco, Sophos, and Sonicwall marketplace offers to configure this. The Azure Firewall is also an option to configure the same behavior for NAT and SNAT. It may come down to personal preference. I would suggest running a trial of one to see which you are most comfortable and familiar with. @santi10
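
The NAT approach discussed in this thread, sketched as an added example that is not part of any post above: each site keeps 192.168.1.0/24 locally, and the device terminating the VPN presents it to Azure as a unique, equally sized translated prefix (1:1 mapping that preserves host bits). The NAT pool 10.200.0.0/16 and the reserved VNet subnet 10.200.0.0/24 are constructed values, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

def overlapping_sites(sites):
    """Return pairs of site names whose local prefixes overlap."""
    nets = {n: ipaddress.ip_network(c) for n, c in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def plan_translations(sites, nat_pool, reserved=()):
    """Give every site a unique translated prefix of the same size from nat_pool."""
    pool = ipaddress.ip_network(nat_pool)
    taken = [ipaddress.ip_network(r) for r in reserved]
    plan = {}
    for name, cidr in sites.items():
        real = ipaddress.ip_network(cidr)
        for cand in pool.subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                plan[name] = (real, cand)
                taken.append(cand)
                break
        else:
            raise ValueError(f"NAT pool {pool} exhausted before {name}")
    return plan

def translate(addr, real, mapped):
    """1:1 translation: keep the host offset, swap the network prefix."""
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{ip} is not inside {real}")
    offset = int(ip) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)

# Constructed input matching the example in the question.
SITES = {"site1": "192.168.1.0/24", "site2": "192.168.1.0/24"}
PLAN = plan_translations(SITES, "10.200.0.0/16", reserved=["10.200.0.0/24"])

if __name__ == "__main__":
    print("overlaps:", overlapping_sites(SITES))
    for name, (real, mapped) in PLAN.items():
        print(f"{name}: {real} seen from Azure as {mapped}")
    print("site2 host 192.168.1.50 ->", translate("192.168.1.50", *PLAN["site2"]))
```

Firewall or NSG rules on the Azure side are then written against the translated prefixes, which are distinct per site, rather than against 192.168.1.0/24.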