ASA VPN Routing Overlap

anthonykahwati — Wed, 02 Sep 2020 20:16:24 GMT

I am setting up a site to site VPN topology and think I may run into a problem. This will be deployed on up-to-date code on ASAv50's.

A Pair of A/S ASA's will have an IPSec VPN to Vendor Site 1 and another to Vendor Site 2. The issue that I have is that a single VIP will be reachable by both VPN's on the same ASA, so I will essentially have 2 VPN's that will have the same source and same destination traffic by way of the interesting traffic. They will terminate on different end points but the traffic profiles will be the same.

Will the box even let me set this up (I don't have the environment yet otherwise I would test) and if so, how do I choose between the tunnels. Is there such a thing as primary and secondary tunnels for a given set of traffic or am I trying something impossible?

Thanks in advance

Re: ASA VPN Routing Overlap

Marius Gunnerud — Fri, 04 Sep 2020 12:27:46 GMT

in this scenario you would need to NAT the subnet of one of the remote sites to a different IP or subnet. For example. If Site1 and Site 2 only need to connect to the VIP and the VIP does not need to connect to Site 1 or Site 2, then you could NAT the Site 2 subnet to a single IP and only allow that IP over that specific VPN.

Optionally you would need to do a redesign and allocate another subnet to one of the sites.

topic ASA VPN Routing Overlap in Network Security

ASA VPN Routing Overlap

Re: ASA VPN Routing Overlap