topic Re: Site-Site with same networks in Network Security

Site-Site with same networks

svelasquez — Fri, 21 Feb 2020 11:39:53 GMT

Hi,

I want to know if is possible create a VPN where the remote and local network be the same, and what requirements this has.

Thanks

Re: Site-Site with same networks

JORGE RODRIGUEZ — Tue, 08 Sep 2009 01:33:50 GMT

It is possible, you need to use Policy NAT.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Re: Site-Site with same networks

svelasquez — Tue, 08 Sep 2009 13:28:33 GMT

Ok, but when i make a Policy NAT i translate my LAN network to another ip that by routing can access to the remote network, but in my case i need this

I have an ASA 5505 and a 1700 router, they make the vpn and works fine, my asa has the LAN 192.168.2.0/24 and the 1700 the 192.168.1.0/24, the thing is that i need to change the network in the asa to 192.168.1.0/24 and both branchs must have communication

I hope be clear

Thanks,

Re: Site-Site with same networks

JORGE RODRIGUEZ — Tue, 08 Sep 2009 14:27:52 GMT

Sebastian, I miss understood your initial post..

You are saying that you current have disimilar LANs yours being 192.168.2.0 adn other end is 192.168.1.0 and vpn tunnel is fine.

But your requirements is to have both ends be the same network 192.168.1.0 network? if so you will have overlaping networks, even if you use policy nat to present your 192.168.2.0 from the ASA as 192.168.1.0 network is not going to work.

Is there a reason behind your requirements to have both LANs over the tunnel be the same?

Re: Site-Site with same networks

svelasquez — Tue, 08 Sep 2009 14:39:01 GMT

Jorge, thath's rigth

I have disimilar LANs with 192.168.1.0 and 192.168.2.0 and in that case the tunnel is fine.

The reason what i need to change the lan network in the ASA is because in the remote network there is an ISP that have the routes to access remote networks and no authorized the creation of a static route to know the network of the asa through the tunnel, so i think that if i create a tunnel having the sames networks can work

Regards,

Re: Site-Site with same networks

JORGE RODRIGUEZ — Tue, 08 Sep 2009 15:02:29 GMT

Understood.. but what routes do you required in the far router? are you refering to requiring static routes to get to other networks behind your ASA through that tunnel?

Re: Site-Site with same networks

svelasquez — Tue, 08 Sep 2009 15:23:41 GMT

The far router manage the routes to other cities that i need access, and how they don't create the route to know the network behind the tunnel i can't access to other cities, so if i could have the same network address in the ASA LAN i can routing how i need

Re: Site-Site with same networks

JORGE RODRIGUEZ — Tue, 08 Sep 2009 15:54:50 GMT

I think Im understanding your topology,in your current L2L tunnel you should be able to add those networks the router connects to into your Ipsec policy interesting traffic and be able to access those networks from the ASA side, have you try adding those remote networks in your Ipsec policy?

Re: Site-Site with same networks

svelasquez — Tue, 08 Sep 2009 19:18:59 GMT

Well, but if i add the routes in the tunnel and the far router has not routes to return the information i willn't see the remote networks.

Example: ASA: 192.168.2.1 1700:192.168.1.1 FARouter: 192.168.1.254 Another net:10.10.10.0

If no exist the route add 192.168.2.0 255.255.255.0 192.168.1.1 command in the FARouter i have not chance of access the 10.10.10.0 or i don't see how through the tunnel

Or if you can explane me more i appreciate it

Re: Site-Site with same networks

JORGE RODRIGUEZ — Tue, 08 Sep 2009 21:36:42 GMT

Do you have a simple graph you can post we can see topoloy, Im confused, if at FArouter1700 is routing 10.10.10.0 net that is directly connected to that router say from another interface I still do not believe you have to place a route there for that router to know about ASA 192.168.2.0.

The FarRouter1700 already routes 10.10.10.0 net and I believe by puting 10.10.10.0 network in your tunnel policy access list, ASA_192.168.2.0 should be able to talk to that network.

now if 10.10.10.0 is not a directly connected network to the 1700 but is being routed via another interface from the 1700 router remote network then I could say you will need a route 192.168.2.0/24 on that far end router where 10.10.10.0 actually resides pointing to the 1700 router...

How is 10.10.10.0 network learnd at the 1700 router.. again if you could post a simple diagram that would help.

I think what you are trying to do is to place that static route in the 1700 series so it can propagate to other remote network off the 1700?

Re: Site-Site with same networks

svelasquez — Tue, 08 Sep 2009 22:10:22 GMT

I have the second case

if 10.10.10.0 is not a directly connected network to the 1700 but is being routed via another interface from the 1700 router remote network then I could say you will need a route 192.168.2.0/24 on that far end router where 10.10.10.0 actually resides pointing to the 1700 router...

But the problem is that the routers admins of the other router not authorized the creation of the route to go to my asa network, so i can't access to the 10.10.10.0 network

Re: Site-Site with same networks

JORGE RODRIGUEZ — Wed, 09 Sep 2009 02:09:31 GMT

Sebastian, thanks for the diagram.., that indeed is a big problem not being able to place route pointing to 192.168.1.1 as seen in diagram.. with that static route there in adition to adding 10.10.10.0 in the tunnel policy I could be very sure ASA_192.168.2.0 will talk to that network .. can you present to your management the need to have that done and escalate to the ISP if router is not managed by you?

lest say above static routes cannot be put in place anyhow.

Im thinking that maybe, just maybe.. you could allocate/reserve an IP from the 192.168.1.x net say 192.168.1.100 to not be in any way used in this 192.168.1.0 network and use that IP in ASA to PAT 192.168.2.0 network from the ASA side when going to 10.10.10.0 but to be honest I don't know if it will actually work.. I could be totaly wrong with this scenario, additionally it will change the whole expectrum of your current tunnel config to end up with non-working scenario.. I would have to lab this out but do not have the time at this moment and would not recommend to go any other way to make this simple ... your best bet is placing those routes as you have originally thought.. route 192.168.2.0 via 192.168.1.1 and acl taylor in tunnel policy should do the trick.

Perhaps others netpro may share some other thoughts on this..

Regards