
Help with NAT and/or Site-to-Site VPN Solution

KTVnetwork
Level 1

Hello Everyone. We are an organization that has two sites, one primary data center and one DR site. At the primary site, I am running a virtual ASA 9.12 that is configured with two IPsec Site-to-Site VPN profiles to remote vendor networks. In each profile, the local networks are the same, a 10.x.x.x/27. The remote networks are different in each of the profiles, as are the public peer IPs. We are trying to set up a DR instance of this setup where we are defining the same internal local network. The vendor informed us that using the same internal address space will not work on their CSR1000v routers. They go on to say "These are policy-based tunnels so the subnet can only be in one tunnel at a time, having both configured can cause issues with Production". Would you all be able to NAT the subnet on your end to something else?

Can I achieve this with NAT, and if so, what kind of NAT would I use? As you can tell, I am not a NAT expert.

Thanks for any help you can provide.
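The kind of NAT the vendor is asking for is manual (twice) NAT on the ASA: translate the real local /27 to a different subnet only when the destination is one of the vendor networks, and build the DR site's crypto ACLs on the translated subnet. The configuration below is an added example, not from any poster in this thread or from the vendor; all addresses, object names and interface names (10.1.1.0/27 as the real LAN, 192.168.50.0/27 as the translated LAN, 172.16.1.0/24 and 172.16.2.0/24 as the vendor networks, inside/outside) are constructed placeholders.

```cisco
! Added example: ASA 9.x manual (twice) NAT at the DR site, so the vendor
! sees a different source subnet from the DR tunnels than from production.
! All addresses, object names and interface names are constructed placeholders.

! Real local LAN at the DR site (same /27 as the production site)
object network DR_LOCAL_REAL
 subnet 10.1.1.0 255.255.255.224

! Translated subnet the vendor will see behind the DR tunnels
object network DR_LOCAL_NATTED
 subnet 192.168.50.0 255.255.255.224

! Vendor networks behind each of the two tunnels
object network VENDOR_A_LAN
 subnet 172.16.1.0 255.255.255.0
object network VENDOR_B_LAN
 subnet 172.16.2.0 255.255.255.0
object-group network VENDOR_LANS
 network-object object VENDOR_A_LAN
 network-object object VENDOR_B_LAN

! Static policy NAT: translate the local /27 only for traffic destined to the
! vendor networks; the destination is kept unchanged (identity translation).
! Sequence 1 puts it at the top of section 1 so it wins over any broader
! dynamic NAT rule for inside hosts.
nat (inside,outside) 1 source static DR_LOCAL_REAL DR_LOCAL_NATTED destination static VENDOR_LANS VENDOR_LANS

! Crypto ACLs must match the translated (post-NAT) source subnet, because the
! ASA applies NAT before the crypto map lookup on the outbound path.
access-list VPN_VENDOR_A extended permit ip object DR_LOCAL_NATTED object VENDOR_A_LAN
access-list VPN_VENDOR_B extended permit ip object DR_LOCAL_NATTED object VENDOR_B_LAN

! Verification (constructed host addresses): confirm the translation and the
! crypto match before bringing the DR tunnels up.
! show nat detail
! packet-tracer input inside tcp 10.1.1.10 12345 172.16.1.10 443
```

The production ASA keeps its existing 10.x.x.x/27 crypto ACLs unchanged; only the DR site translates, so the vendor's CSR1000v ends up with two distinct remote subnets (the real /27 for production and the translated /27 for DR) and no overlapping policy. On the vendor side the DR-facing tunnel policies then reference 192.168.50.0/27 rather than 10.1.1.0/27, and return traffic to the translated addresses is un-NATted by the same rule when it arrives on the outside interface.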

14 Replies

georgehewittuk1
Level 1

Feel like it's cleaner to just use VTI & routing

On the ASA you can configure a primary and a backup VPN, but I prefer using VTI instead.

KTVnetwork
Level 1

I guess I should have stated that the tunnels at the DR site will need to remain connected at all times too.

Tunnels up: do you need to load balance between the two tunnels?

KTVnetwork
Level 1

Not necessary to load balance.

Let us summarize:

1- You use policy-based VPN.

2- You use the same local and remote subnet in the policy for both VPNs.

ASA VPN can only be configured as primary/backup; you cannot make both tunnels up for the above criteria.

KTVnetwork
Level 1

At one site, we have two tunnels. The local subnet for both tunnels is 10.x.x.x/27. The remote subnets are different, 172.x.x.1 and 172.x.x.2, both with different peer IPs. We want to establish two tunnels from our DR site with the local subnets being the same, the remote subnets being the same and the peer IPs being the same. The vendor told me this: "These are policy-based tunnels so the subnet can only be in one tunnel at a time, having both configured can cause issues with Production". Would you all be able to NAT the subnet on your end to something else?

I am not really sure what they mean since my local subnet is in each of those tunnels.

Two remote LANs and two peer IPs.

You can run two tunnels; even if the local LAN is the same for both tunnels, the remote LAN is different, which makes both sides use different SPIs.

So go ahead there is no problem.

KTVnetwork
Level 1

Could it be because the vendor is running CSR1000v routers?

If what you mention above is your case, there is no problem.
Please share the ASA config; I will check if there is anything that makes the tunnels not work.

KTVnetwork
Level 1

I pulled the word cryp0 out and modified IPs but everything else is there that should be.  Thank you for your help.

Your config is OK; there is no issue.

We go to the CSR1000v. In the CSR1000v we need to configure PBR to force the traffic toward the right interface.

If the CSR1000v selects one GW for all traffic, this always leads to the CSR1000v using only one VPN.

So run PBR and it will be OK.

Thanks

MHM

KTVnetwork
Level 1

Just so you know, this is the config for the one firewall that has the two tunnels set up. At my DR site, I would set up an identical config. Still no issue? So 4 tunnels total. Just want to make sure I am being clear.

There is no issue at all; as I mentioned above, at the DR site just make sure the traffic goes out from the correct interface.
