VPN IPSec with ovelapping subnet on ASA and router

Meddane · ‎08-22-2021

Scenario-1 between Cisco routers:

192.168.1.0/24 –R1——R2–192.168.1.0

The NAT configuration on a R1 should be like this:

ip nat inside source static network 192.168.1.0 192.168.100.0 /24

ip nat outside source static network 192.168.1.0 192.168.200.0 /24

only on one router.

Interesting traffic on R1 should be like this:

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255

Interesting traffic on R2 should be like this:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255

On ASA; it’s more AMAZING, you can do it using Manual NAT, i like to call it Conditional NAT; as follow:

192.168.1.0/24 –ASA-1——ASA-2–192.168.1.0

On ASA-1:

object network Site-1

subnet 192.168.1.0 255.255.255.0

object network Site-1-VPN

subnet 10.1.1.0 255.255.255.0

object network Site-2-VPN

subnet 10.2.2.0 255.255.255.0

!

nat (inside,outside) source static Site-1 Site-1-VPN destination static Site-2-VPN Site-2-VPN

On ASA-2:

object network Site-2

subnet 192.168.1.0 255.255.255.0

object network Site-2-VPN

subnet 10.2.2.0 255.255.255.0

object network Site-1-VPN

subnet 10.1.1.0 255.255.255.0

!

nat (inside,outside) source static Site-2 Site-2-VPN destination static Site-1-VPN Site-1-VPN

Interesting traffic on ASA-1.

access-list VPN-ACL extended permit ip object Site-1-VPN object Site-2-VPN

Interesting traffic on ASA-2.

access-list VPN-ACL extended permit ip object Site-2-VPN object Site-1-VPN