Example of VFP configuration to handle overlapping IP addresses
In this sample configuration, a client (
10.0.2.1) within the Corporation-A private network wants to access a server (
10.0.1.0) within the Corporation-B private network. For security, a site-to-site VPN connection is configured from Corporation-A to Corporation-B.
However, it happens that both Corporation-A and Corporation-B are using the same IP range of addresses within their private networks. Thus, Corporation-A's client is assigned to IP address range
10.0.2.1/24, but Corporation-B reserves IP address range
10.0.2.0/24 for its own internal purposes. So if the Corporation-A client sent a packet to the server in Corporation-B, the connection might be misinterpreted as coming from one of Corporation-B's own internal addresses.
To avoid conflicts with Corporation-B's internal-use IP addresses, the Corporation-A Router translates its client's address to a different address (
10.0.3.0/1/24) when it sends packets to Corporation-B. Corporate A router uses the virtual feature point (VFP) interface to apply the SNAT policy specifically on its client's traffic heading through the VPN to the server within the Corporation-B network, and it verifies that the responses from the server are translated back to the actual source address of the client. The Corporation-B router uses standard policy-based IPsec; it does not need a VFP interface.