I am trying to set up a site-to-site tunnel with overlapping networks. The customer has asked if I can use a public IP address (same network as the outside interface of the ASA). I don't want to use a public IP address for this temporary deployment.
I recall setting up a site-to-site VPN with overlapping networks in the past (can't find my documentation).
I think I defined the following:
NATted the inside networks to an IP address on the outside interface of the ASA, using something like 10.30.1.25
Built the tunnel and specified the source address of the tunnel to be 10.30.1.25
access-list L2L-VPN-ENCRYPTION-DOMAIN permit ip 192.168.11.0 255.255.255.0 10.250.11.0 255.255.255.0
To my understanding, the above configuration should apply a NAT for every IP address of the /24 network to the NAT network of 192.168.11.0/24 when you're connecting from your local network to the remote network.
Though I'm a bit wary of the Policy NAT statement where the actual source and destination networks are the same. I did try it on my own ASA (though running newer 8.4 software with the new NAT format) and it seemed to work.
What I'm also wondering is whether it is really possible that both of your networks have the 10.250.11.0/24 subnet? Or did you just mean that their local network overlaps 10.250.11.0/24?
Would you actually be connecting to a host address of 10.250.11.x through the L2L VPN? I
The NAT doesn't necessarily have to be a Static NAT like I just showed above. But that depends on which party is initiating the connections through the L2L VPN.
If it's just you connecting to remote hosts for services, then you could simply do a Policy PAT translation towards the L2L VPN tunnel.
Then again, if the remote end needs to connect to some services on your end, PAT is out of the question.
At least with the static translation you will guarantee connectivity between all the hosts.
One thing you should also consider is how you control traffic coming from the L2L VPN.
This depends much on how you have set the "sysopt connection permit-vpn" setting. Having it on lets all traffic bypass the outside access-list. Disabling it will mean you will have to permit the traffic coming from the L2L VPN tunnel in the outside interface access-list.
If you have the "sysopt connection permit-vpn" setting on, the only way to control traffic is to apply a VPN filter ACL to the L2L VPN connection.
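The configuration below is an added example (not from either poster) of what the reply describes, written in ASA 8.4 object-based NAT syntax so it can be compared with the pre-8.3 policy NAT statement in the thread. It assumes the local LAN is 10.250.11.0/24, the remote LAN is also 10.250.11.0/24, the local side is presented to the peer as 192.168.11.0/24 (the encryption domain ACL from the thread), and the remote side is presented to local hosts as 192.168.12.0/24 so that local hosts have a destination they can actually route to the ASA. The peer address 203.0.113.10, the object, policy and map names, and the filter rules are placeholders chosen for the example.

```cisco
! --- Overlapping site-to-site VPN with twice NAT (ASA 8.4), added example ---
! Assumed addressing:
!   local LAN  (real)   10.250.11.0/24   -> seen by the peer as 192.168.11.0/24
!   remote LAN (real)   10.250.11.0/24   -> seen by local hosts as 192.168.12.0/24
!   peer outside address 203.0.113.10 (placeholder)
object network LOCAL-LAN-REAL
 subnet 10.250.11.0 255.255.255.0
object network LOCAL-LAN-MAPPED
 subnet 192.168.11.0 255.255.255.0
object network REMOTE-LAN-REAL
 subnet 10.250.11.0 255.255.255.0
object network REMOTE-LAN-MAPPED
 subnet 192.168.12.0 255.255.255.0
!
! Static twice NAT: translate the local source AND the destination the local
! hosts use, only for traffic that is headed into the tunnel. Static keeps a
! 1:1 mapping, so the remote end can also initiate connections to 192.168.11.x.
nat (inside,outside) source static LOCAL-LAN-REAL LOCAL-LAN-MAPPED destination static REMOTE-LAN-MAPPED REMOTE-LAN-REAL
!
! Alternative when ONLY the local side initiates (Policy PAT behind one
! address, here the 10.30.1.25 the question mentions). Remote-initiated
! connections cannot work with this form.
! object network VPN-PAT-IP
!  host 10.30.1.25
! nat (inside,outside) source dynamic LOCAL-LAN-REAL VPN-PAT-IP destination static REMOTE-LAN-MAPPED REMOTE-LAN-REAL
!
! Encryption domain is matched AFTER NAT, so it names the mapped local
! range and the real remote range (the ACL quoted in the question).
access-list L2L-VPN-ENCRYPTION-DOMAIN extended permit ip 192.168.11.0 255.255.255.0 10.250.11.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-VPN-ENCRYPTION-DOMAIN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Controlling traffic arriving from the tunnel.
! Option A (default): sysopt connection permit-vpn is ON, so decrypted traffic
! bypasses the outside ACL and a vpn-filter is the only control point.
! vpn-filter ACLs are written from the peer's side: source = remote network,
! destination = the local MAPPED network; the ASA applies them in both directions.
access-list VPN-FILTER extended permit tcp 10.250.11.0 255.255.255.0 192.168.11.0 255.255.255.0 eq 443
access-list VPN-FILTER extended deny ip any any
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
!
! Option B: turn the bypass off and filter decrypted traffic with the outside
! interface ACL like any other inbound traffic (uncomment to use).
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit tcp 10.250.11.0 255.255.255.0 192.168.11.0 255.255.255.0 eq 443
! access-group OUTSIDE-IN in interface outside
```

Verifying this on the box: `show nat detail` should show the twice-NAT rule with a non-zero translate_hits counter after a local host connects to a 192.168.12.x address, `show crypto ipsec sa` should list 192.168.11.0/24 <-> 10.250.11.0/24 as the proxy identities, and `show vpn-sessiondb detail l2l` shows which filter is applied. If local hosts are told to connect to 10.250.11.x directly, the traffic never reaches the ASA because it is their own subnet, which is the point the reply raises.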