Site-to-Site VPN with Overlapping Subnets

Dean Romanelli
Level 4

Hi All,

I have two sites that need to connect to each other using ASAs and a site-to-site VPN.  The problem is that both sites' LANs have the same subnet, and neither is in a position to re-IP right now.  I've read that SonicWalls have an "Apply NAT Policies" feature, and I'm wondering if the ASA has anything similar I can do to get around this problem.  Below is the link for reference.

https://www.sonicwall.com/en-us/support/knowledge-base/170515155805172


7 Replies

What you can do is select an IP subnet that is not in use in either of your networks and then NAT your local LAN to that subnet and use that subnet when communicating to the remote site.

Will you be accessing servers/resources at the remote site, or will the remote site access servers/resources on the local site?  The answer to this question will determine how NAT is configured.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for your reply.  The remote side will be accessing servers and services that live on my end.

If you could write up an example config for me that would be great.

So you would need to select a subnet to use.  Then you will need to identify the servers or services the remote side is going to access on your side and assign an IP from the subnet you chose to those services.  Let's say the remote side needs to access a file server and a web server on your side.  You would configure the following.  For this example I will use 10.10.10.0/24 as your local subnet and the remote subnet (other side of the VPN), and 11.11.11.0/24 as the subnet to be used to NAT the services.

object network FILE_SERVER
  host 10.10.10.100
object network WEB_SERVER
  host 10.10.10.110
object network FILE_SERVER_NAT-IP
  host 11.11.11.100
object network WEB_SERVER_NAT-IP
  host 11.11.11.110
object network REMOTE_VPN_SUBNET

nat (inside,outside) source static FILE_SERVER FILE_SERVER_NAT-IP destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET
nat (inside,outside) source static WEB_SERVER WEB_SERVER_NAT-IP destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET

Now once this is configured you will need to add 11.11.11.100 and 11.11.11.110 as the source in your site-to-site VPN crypto ACL; these will also need to be added to the remote side of the VPN as the remote network (destination in the crypto ACL).  Now the users at the remote side will need to access these services using the NATed IPs of 11.11.11.100 and 11.11.11.110.  If they are using URLs to access these services, then the DNS A records will need to reflect these IPs.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Doesn't that essentially just make the servers reachable publicly outside of the VPN tunnel, since 11.11.11.x would be a public subnet?

Never mind my above comment.  I get it now.

Let me test this out and I will report back.

You are forgetting to take into account the destination address.  The 11.11.11.x IP can be whatever you want it to be: a public IP, or the ASA interface IP (but then you need to use the interface keyword and not an object).  Then all traffic going towards the specified destination IP or subnet will be translated to the IP you specify, in this example 11.11.11.x.  Then you need to specify 11.11.11.x in the crypto ACL so that it is encrypted and sent through the VPN.

--
Please remember to select a correct answer and rate helpful posts

Please correct me if I am wrong.  Since you are not using the interface command, I guess you are missing the NETWORK value for REMOTE_VPN_SUBNET; I just ran the command and got the following error.

ASA(config)# nat (inside,outside) source static FILE_SERVER FILE_SERVER_NAT-IP destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET
ERROR: REMOTE_VPN_SUBNET doesn't match an existing object or object-group
ASA(config)#
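The pattern from Marius's accepted answer, modelled as an added Python example that is not from the thread: it renders the objects, twice-NAT rules and crypto ACL as ASA CLI and checks that the pieces fit together (the spare subnet is unused at both sites, REMOTE_VPN_SUBNET is actually given a subnet, which is the omission behind the error in the last reply, and the two sides' crypto ACLs are exact mirrors of each other). It goes one step beyond the thread: because both LANs are 10.10.10.0/24, the remote site's hosts are also translated, to a third spare subnet (12.12.12.0/24, an assumption), so that the local servers reply to addresses outside their own LAN and the return traffic reaches the ASA instead of being ARPed locally. The ACL name VPN_TRAFFIC and the remote-side object names are assumptions as well.

```python
# Added example, not from the thread: model the accepted answer's plan (NAT the
# local services to a spare subnet, carry the NATed addresses in the crypto ACL)
# and render it as ASA CLI. Assumptions beyond the thread: the ACL name VPN_TRAFFIC,
# the remote-side object names, and a third spare subnet for the remote hosts.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str      # ASA object name for the real server, e.g. FILE_SERVER
    real_ip: str   # address inside the overlapping local LAN
    nat_ip: str    # address the remote site uses instead


LOCAL_LAN = REMOTE_LAN = "10.10.10.0/24"   # the overlap from the question
SVC_NAT = "11.11.11.0/24"                  # spare subnet from the accepted answer
REMOTE_NAT = "12.12.12.0/24"               # assumption: spare subnet for remote hosts
SERVICES = [Service("FILE_SERVER", "10.10.10.100", "11.11.11.100"),
            Service("WEB_SERVER", "10.10.10.110", "11.11.11.110")]


def plan_problems(local_lan, remote_lan, svc_nat_subnet, remote_nat_subnet, services):
    """Reasons the plan cannot work; an empty list means the pieces fit."""
    local, remote = ipaddress.ip_network(local_lan), ipaddress.ip_network(remote_lan)
    svc_nat, rem_nat = ipaddress.ip_network(svc_nat_subnet), ipaddress.ip_network(remote_nat_subnet)
    problems = []
    for label, net in (("service NAT subnet", svc_nat), ("remote NAT subnet", rem_nat)):
        if net.overlaps(local) or net.overlaps(remote):   # spare must be unused at both sites
            problems.append(f"{label} {net} overlaps a site LAN")
    if svc_nat.overlaps(rem_nat):
        problems.append("the two NAT subnets overlap each other")
    if rem_nat.prefixlen != remote.prefixlen:             # net-to-net static NAT is 1:1
        problems.append("remote NAT subnet must be the same size as the remote LAN")
    for s in services:
        if ipaddress.ip_address(s.real_ip) not in local:
            problems.append(f"{s.name}: {s.real_ip} is not in {local}")
        if ipaddress.ip_address(s.nat_ip) not in svc_nat:
            problems.append(f"{s.name}: {s.nat_ip} is not in {svc_nat}")
    return problems


def local_asa_config(remote_nat_subnet, services, acl="VPN_TRAFFIC"):
    """Local ASA: objects, one twice-NAT rule per service, crypto ACL on NATed addresses."""
    rem = ipaddress.ip_network(remote_nat_subnet)
    # The accepted answer left the subnet line out; without it the nat command is
    # rejected with "doesn't match an existing object or object-group".
    lines = ["object network REMOTE_VPN_SUBNET", f" subnet {rem.network_address} {rem.netmask}"]
    for s in services:
        lines += [f"object network {s.name}", f" host {s.real_ip}",
                  f"object network {s.name}_NAT-IP", f" host {s.nat_ip}"]
    for s in services:
        lines.append(f"nat (inside,outside) source static {s.name} {s.name}_NAT-IP "
                     "destination static REMOTE_VPN_SUBNET REMOTE_VPN_SUBNET")
    for s in services:   # as the answer says, the crypto ACL carries the NATed addresses
        lines.append(f"access-list {acl} extended permit ip host {s.nat_ip} "
                     f"{rem.network_address} {rem.netmask}")
    return lines


def remote_asa_config(remote_lan, remote_nat_subnet, services, acl="VPN_TRAFFIC"):
    """Remote ASA (assumed, not shown in the thread): hide its LAN behind the remote NAT
    subnet towards the services, so the local servers reply to off-LAN addresses."""
    lan, nat = ipaddress.ip_network(remote_lan), ipaddress.ip_network(remote_nat_subnet)
    lines = ["object network LOCAL_LAN", f" subnet {lan.network_address} {lan.netmask}",
             "object network LOCAL_LAN_NAT", f" subnet {nat.network_address} {nat.netmask}"]
    for s in services:
        lines += [f"object network {s.name}_NAT-IP", f" host {s.nat_ip}",
                  "nat (inside,outside) source static LOCAL_LAN LOCAL_LAN_NAT "
                  f"destination static {s.name}_NAT-IP {s.name}_NAT-IP"]
    for s in services:   # exact mirror of the local crypto ACL
        lines.append(f"access-list {acl} extended permit ip {nat.network_address} "
                     f"{nat.netmask} host {s.nat_ip}")
    return lines


def _endpoint(tok, i):
    """Parse 'host A' or 'A MASK' at tok[i]; return (network, index after it)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def crypto_acl_pairs(lines):
    """(src, dst) network pairs from 'access-list NAME extended permit ip SRC DST' lines."""
    pairs = set()
    for line in lines:
        tok = line.split()
        if len(tok) >= 9 and tok[0] == "access-list" and tok[3:5] == ["permit", "ip"]:
            src, i = _endpoint(tok, 5)
            pairs.add((src, _endpoint(tok, i)[0]))
    return pairs


def acls_mirror(local_lines, remote_lines):
    """True when the remote crypto ACL is exactly the reverse of the local one;
    a mismatch here is the classic reason a tunnel negotiates but carries nothing."""
    return {(d, s) for s, d in crypto_acl_pairs(local_lines)} == crypto_acl_pairs(remote_lines)


if __name__ == "__main__":
    assert not plan_problems(LOCAL_LAN, REMOTE_LAN, SVC_NAT, REMOTE_NAT, SERVICES)
    local, remote = local_asa_config(REMOTE_NAT, SERVICES), remote_asa_config(REMOTE_LAN, REMOTE_NAT, SERVICES)
    print("\n".join(local + ["! --- remote ASA ---"] + remote))
    print("crypto ACLs mirror:", acls_mirror(local, remote))
```

Running the script prints both sides' configuration and confirms the crypto ACLs mirror; swapping SVC_NAT for a range inside 10.10.0.0/16 makes plan_problems report the overlap before any CLI is produced.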
