Vyatta NOS documentation

Example of VFP configuration to handle overlapping IP addresses

In this sample configuration, a client (10.0.2.1) within the Corporation-A private network wants to access a server (10.0.1.0) within the Corporation-B private network. For security, a site-to-site VPN connection is configured from Corporation-A to Corporation-B.

However, Corporation-A and Corporation-B both use the same IP address range within their private networks. Corporation-A's client is assigned to the IP address range 10.0.2.1/24, but Corporation-B reserves the IP address range 10.0.2.0/24 for its own internal purposes. So if the Corporation-A client sent a packet to the server in Corporation-B, the connection might be misinterpreted as coming from one of Corporation-B's own internal addresses.

To avoid conflicts with Corporation-B's internal-use IP addresses, the Corporation-A router translates its client's address to a different address (10.0.3.0/1/24) when it sends packets to Corporation-B. The Corporation-A router uses the virtual feature point (VFP) interface to apply the SNAT policy specifically to its client's traffic heading through the VPN to the server within the Corporation-B network, and it verifies that the responses from the server are translated back to the actual source address of the client. The Corporation-B router uses standard policy-based IPsec; it does not need a VFP interface.

Figure 1. Example of VFP configuration to handle overlapping IP addresses
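The address logic described above, modeled in Python as an added example (not Vyatta configuration and not taken from the Vyatta documentation): it checks which source ranges collide with Corporation-B's prefixes and performs the 1:1 source translation and its reversal. The translated range `10.0.3.0/24` and all function names are assumptions made for the illustration.

```python
import ipaddress as ip

CLIENT_NET = "10.0.2.0/24"       # Corporation-A client subnet (client 10.0.2.1)
B_RESERVED = "10.0.2.0/24"       # range Corporation-B reserves internally
SERVER = "10.0.1.0"              # Corporation-B server, as written on the page
TRANSLATED_NET = "10.0.3.0/24"   # ASSUMPTION: range the SNAT rule maps into


def remap(addr, from_net, to_net):
    """1:1 prefix translation: keep the host bits, swap the network bits."""
    addr, from_net, to_net = ip.ip_address(addr), ip.ip_network(from_net), ip.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 mapping")
    if addr not in from_net:
        return str(addr)  # rule does not match: leave the address alone
    host_bits = int(addr) & int(from_net.hostmask)
    return str(ip.ip_address(int(to_net.network_address) | host_bits))


def collisions(candidate_net, remote_nets):
    """Remote prefixes that a source range would collide with."""
    cand = ip.ip_network(candidate_net)
    return [n for n in remote_nets if cand.overlaps(ip.ip_network(n))]


def snat_outbound(src, dst):
    """Client -> server through the tunnel: rewrite the source only."""
    return remap(src, CLIENT_NET, TRANSLATED_NET), dst


def reverse_inbound(src, dst):
    """Server -> client reply: restore the client's real address."""
    return src, remap(dst, TRANSLATED_NET, CLIENT_NET)


if __name__ == "__main__":
    remote = [B_RESERVED, SERVER + "/32"]  # constructed list of Corporation-B prefixes
    print("untranslated collides with:", collisions(CLIENT_NET, remote))
    print("translated collides with:  ", collisions(TRANSLATED_NET, remote))
    out = snat_outbound("10.0.2.1", SERVER)
    print("on the wire to B:", out)
    print("reply delivered: ", reverse_inbound(out[1], out[0]))
```

Running `collisions` against the candidate translated range before committing a NAT rule catches a choice that would overlap a prefix the remote site already uses.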