ASA 5515 S2S VPN Issue - Overlapping Networks

garybrophy
Level 1

Hi All,

I am looking for some help with the following problem. I have a client that I am trying to set up a S2S VPN with, but have run into an issue with overlapping networks.

I am setting it up from my DMZ to their local network, but the trouble is their local network and my local network overlap.

My ASA interfaces are:

inside                 172.30.0.1      255.252.0.0     

DMZ                    172.19.140.1    255.255.255.0

My customer's local LAN is 172.30.80.0 255.255.240.0.

The VPN goes from my DMZ to the customer site. If I did not have overlapping networks, the following config would bring up the VPN:

name *.*.*.* Customer_VPN
!
object-group network Customer_REMOTE_NETS
  network-object 172.30.80.0 255.255.240.0
  !
access-list Customer_VPN permit ip object obj-172.19.140.0 object-group Customer_REMOTE_NETS
!
nat (DMZ,OUTSIDE) source static obj-172.19.140.0 obj-172.19.140.0 destination static Customer_REMOTE_NETS Customer_REMOTE_NETS no-proxy-arp route-lookup
!
crypto map S2S 430 match address Customer_VPN
crypto map S2S 430 set peer *.*.*.*
crypto map S2S 430 set ikev1 transform-set ESP-3DES-SHA
crypto map S2S 430 set security-association lifetime seconds 3600
crypto map S2S 430 set security-association lifetime kilobytes 4608000
!
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
 pre-shared-key ********
!

Due to the overlapping networks, the interesting traffic tries to go into the inside interface rather than bringing up the tunnel.

I am not sure how to solve this.

I cannot NAT my DMZ traffic, as it will make no difference.

My customer cannot NAT his traffic.

I think the only option I have is to set up a static route to the customer's LAN, but I am not sure how to tie that into the config?

Is there something else I can do that I am not thinking of?

Any advice or suggestions would be welcome.

Thanks

Gary

Accepted Solution

rvarelac
Level 7

Hi garybrophy,

You can do a NAT in order to solve the issue with the overlapping in one ASA:

For example:

nat (inside,outside) 172.30.0.1 translated destination remote-translated 172.30.80.0

You have to use different IPs for the translated ones.

 

Hope this helps.
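As an added illustration (not part of the thread, and not an ASA feature), here is a small Python model of the two things at issue: the routing decision that sends 172.30.80.x traffic into the inside interface before the crypto ACL is ever consulted, and the "different IPs for the translated ones" check behind rvarelac's advice. The addresses are the ones quoted in the question; the route table, the interface name OUTSIDE and the candidate mapped ranges are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Addressing constructed from the numbers in the thread (assumed, not read from a
# live ASA). Interface entries are "ip/mask" as typed in the post; strict=False
# derives the connected network (172.30.0.1 255.252.0.0 is really 172.28.0.0/14).
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "inside": ipaddress.ip_network("172.30.0.1/255.252.0.0", strict=False),
    "DMZ": ipaddress.ip_network("172.19.140.1/255.255.255.0", strict=False),
}
CUSTOMER_LAN = ipaddress.ip_network("172.30.80.0/255.255.240.0")

# Minimal routing table model (assumed): the two connected networks plus a
# default route towards the VPN peer, as (prefix, egress interface) pairs.
BASE_ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (INTERFACES["inside"], "inside"),
    (INTERFACES["DMZ"], "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), "OUTSIDE"),
]


def overlapping_interfaces(remote: str = str(CUSTOMER_LAN)) -> List[str]:
    """Names of local interfaces whose connected network overlaps the remote LAN."""
    remote_net = ipaddress.ip_network(remote)
    return [name for name, net in INTERFACES.items() if net.overlaps(remote_net)]


def egress_interface(dst: str, extra_routes: Sequence[Tuple[str, str]] = ()) -> str:
    """Longest-prefix-match lookup for dst over BASE_ROUTES plus extra static routes.

    The packet is routed before it is compared with the crypto map's match ACL,
    so whichever interface wins here is where the packet actually goes.
    """
    addr = ipaddress.ip_address(dst)
    routes = list(BASE_ROUTES) + [(ipaddress.ip_network(p), ifc) for p, ifc in extra_routes]
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, ifc in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifc)
    if best is None:
        raise LookupError(f"no route for {dst}")
    return best[1]


def pick_translated_range(candidates: Sequence[str],
                          remote: str = str(CUSTOMER_LAN)) -> Optional[str]:
    """First candidate block of the remote LAN's size that clashes with nothing local.

    The mapped destination that DMZ hosts will address must not overlap any
    connected network (or the real remote LAN), or the same misrouting recurs.
    """
    remote_net = ipaddress.ip_network(remote)
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if net.prefixlen != remote_net.prefixlen:
            continue
        if net.overlaps(remote_net) or any(net.overlaps(local) for local in INTERFACES.values()):
            continue
        return str(net)
    return None


if __name__ == "__main__":
    print("connected inside network:", INTERFACES["inside"])
    print("interfaces overlapping the customer LAN:", overlapping_interfaces())
    print("172.30.80.10 exits via:", egress_interface("172.30.80.10"))
    print("...with a /20 static route to OUTSIDE:",
          egress_interface("172.30.80.10", [("172.30.80.0/20", "OUTSIDE")]))
    print("usable mapped range:", pick_translated_range(["172.30.96.0/20", "10.80.0.0/20"]))
```

The lookup shows why the connected /14 on inside captures the customer traffic: it is the most specific route for 172.30.80.x. A /20 static route would pull that traffic to OUTSIDE, but only by making any inside hosts in that same /20 unreachable from the DMZ, which is why the answer above goes for NAT instead. The candidate check rejects 172.30.96.0/20 (still inside the /14) and accepts 10.80.0.0/20 as a mapped range that DMZ hosts can address without the inside interface claiming it.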