07-23-2014 02:19 AM - edited 03-03-2019 07:32 AM
Hi All,
I am looking for some help with the following problem. I have a client that I am trying to set up a S2S VPN with but have run into an issue with overlapping networks.
I am setting it up from my DMZ to their local network but the trouble is their local network and my local network overlap.
My ASA Interfaces are
inside 172.30.0.1 255.252.0.0
DMZ 172.19.140.1 255.255.255.0
My Customers Local Lan is 172.30.80.0 255.255.240.0
The VPN goes from my DMZ to the customer site. If I did not have overlapping networks the following config would bring up the VPN:
name *.*.*.* Customer_VPN
!
object-group network Customer_REMOTE_NETS
network-object 172.30.80.0 255.255.240.0
!
access-list Customer_VPN permit ip object obj-172.19.140.0 object-group Customer_REMOTE_NETS
!
nat (DMZ,OUTSIDE) source static obj-172.19.140.0 obj-172.19.140.0 destination static Customer_REMOTE_NETS Customer_REMOTE_NETS no-proxy-arp route-lookup
!
crypto map S2S 430 match address Customer_VPN
crypto map S2S 430 set peer *.*.*.*
crypto map S2S 430 set ikev1 transform-set ESP-3DES-SHA
crypto map S2S 430 set security-association lifetime seconds 3600
crypto map S2S 430 set security-association lifetime kilobytes 4608000
!
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
pre-shared-key ********
!
Due to the overlapping networks the interesting traffic tries to go into the inside interface rather than bringing up the tunnel.
I am not sure how to solve this
I cannot NAT my DMZ traffic as it will make no difference
My customer cannot NAT his traffic.
I think the only option I have is to set up a static route to the customer's LAN but I am not sure how to tie that into the config?
Is there something else I can do that I am not thinking of?
Any advice or suggestions would be welcome
Thanks
Gary
07-23-2014 10:00 AM
Hi garybrophy
You can do a NAT in order to solve the issue with the overlapping in one ASA:
For example:
nat (inside,outside) 172.30.0.1 translated destination remote-translated 172.30.80.0
You have to use different IPs for the translated ones.
Hope this helps
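The destination translation the reply describes, written out as an added example for the original poster's topology (this is not config from the thread). The mapped range 192.168.80.0/20, the subnet behind obj-172.19.140.0, the object names Customer_REAL/Customer_MAPPED and the packet-tracer hosts are all assumed placeholders.

```cisco
! Added example, not from the thread. 192.168.80.0/20 is an assumed
! placeholder for the mapped customer range: it must not overlap inside
! (172.28.0.0/14) or the DMZ (172.19.140.0/24).
object network obj-172.19.140.0
 subnet 172.19.140.0 255.255.255.0
object network Customer_REAL
 subnet 172.30.80.0 255.255.240.0
object network Customer_MAPPED
 subnet 192.168.80.0 255.255.240.0
!
! DMZ hosts address the customer as 192.168.80.x; the ASA untranslates the
! destination to the real 172.30.80.0/20 before the crypto ACL is checked.
! Destination objects are written mapped-then-real. route-lookup is left off
! so egress follows the rule's OUTSIDE interface instead of the routing
! table, where 172.30.80.0/20 would match the inside connected route.
nat (DMZ,OUTSIDE) source static obj-172.19.140.0 obj-172.19.140.0 destination static Customer_MAPPED Customer_REAL no-proxy-arp
!
! Crypto ACL keeps matching the customer's real addresses (post-untranslation).
access-list Customer_VPN permit ip object obj-172.19.140.0 object Customer_REAL
!
! Check which NAT rule and egress interface a DMZ flow hits before testing
! the tunnel (constructed sample hosts).
packet-tracer input DMZ tcp 172.19.140.10 12345 192.168.80.10 443
```

Only the DMZ-side ASA changes; the peer still sees traffic from 172.19.140.0/24 and to its real LAN, because the translation is undone before encryption.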