Beginner

ASA Site to Site VPN with Changing Remote Subnet

Hi guys.

We have an ASA in Central office and is connected using site to site VPNs with the Branch Offices where we have Cisco 800 Series Routers.

 

We have 3 specific branch offices which are connected with each other using Site to Site VPNs and now we want to connect each and every single one of them with the Central Office without destroying the connections between them.

 

So far every Branch office has only one Subnet like 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 and so on.

 

The problem is that the 3 specific Branch Offices have subnets 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24 and we need to change the way we see the subnets from the Central Office, as if they have Subnets 10.0.100.0/24, 10.0.101.0/24, 10.0.102.0/24.

 

Is there a way to do that and instead of doing a ping to a pc that has 192.168.100.100 do a ping to the same PC in 10.0.100.100?

 

Unfortunately we can't change the subnets in the Branch Offices.

 

I believe the solution to my problem is NAT, but I'm afraid of destroying the connections between them, and no matter how many methods I found and tried, I did not succeed.

VIP Advisor

Re: ASA Site to Site VPN with Changing Remote Subnet

2 options: Branch to use this new IP address 10.X series,

or NAT is the other option, since you are afraid to do this.

 

Post the full configuration so a suggestion can be made to modify it as per your requirements.

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: ASA Site to Site VPN with Changing Remote Subnet

Unfortunately we can't change the subnet from 192.168.X.X/24 to 10.X.X.X/24 at the Branch Offices.

 

I do not have a problem of doing NAT but I don't want to destroy the Site to Site vpns between the Branch Offices.

Below are the configs of the 2 Branch Offices.

 

 

Begin Branch Office 1

**************************************************************************************************************************

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnusers
key XXXXXXXX
pool SDM_POOL_1
acl 121
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpnusers
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
interface Tunnel0
ip address 172.20.20.1 255.255.255.252
tunnel source 29.29.29.29
tunnel destination 164.164.164.164
tunnel key XXXXXXXX
!
interface Tunnel1
ip address 172.20.20.5 255.255.255.252
tunnel source 29.29.29.29
tunnel destination 250.250.250.250
tunnel key XXXXXXXX
!
interface Tunnel2
ip address 172.20.20.13 255.255.255.252
tunnel source 29.29.29.29
tunnel destination 231.231.231.231
tunnel key XXXXXXXX
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address 192.168.0.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip access-group 120 in
ip mtu 1492
ip nat outside
ip inspect cbac out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1360
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXXX password XXXXXXXXX
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.5
ip forward-protocol nd
!
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 192.168.0.254 50
ip route 192.168.2.0 255.255.255.0 Tunnel1
ip route 192.168.9.0 255.255.255.0 Tunnel2
ip route 192.168.10.0 255.255.255.0 Tunnel0
!
dialer-list 1 protocol ip permit
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 remark ** Firewall Access List ***
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit gre host 164.164.164.164 host 29.29.29.29
access-list 120 permit gre host 250.250.250.250 host 29.29.29.29
access-list 120 permit gre host 231.231.231.231 host 29.29.29.29
access-list 120 permit esp any host 29.29.29.29
access-list 120 permit udp any host 29.29.29.29 eq isakmp
access-list 120 permit udp any host 29.29.29.29 eq non500-isakmp
access-list 120 permit icmp any any
access-list 121 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

***************************************************************************************************************************

End Branch Office 1

I would like to see this site as 10.0.140.0/24 from the Central Office

 

 

 

 

Begin Branch Office 2

***************************************************************************************************************************

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnusers
key XXXXXXXX
pool SDM_POOL_1
acl 121
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpnusers
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
interface Tunnel0
ip address 172.20.20.6 255.255.255.252
tunnel source 250.250.250.250
tunnel destination 29.29.29.29
tunnel key XXXXXXXXX
!
interface Tunnel1
ip address 172.20.20.10 255.255.255.252
tunnel source 250.250.250.250
tunnel destination 164.164.164.164
tunnel key XXXXXXXXX
!
interface Tunnel2
ip address 172.20.20.21 255.255.255.252
tunnel source 250.250.250.250
tunnel destination 231.231.231.231
tunnel key XXXXXXXXX
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group 120 in
ip nat outside
ip inspect cbac out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXX password XXXXXXXX
!
ip local pool SDM_POOL_1 10.2.2.2 10.2.2.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 Tunnel1
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 120 permit gre host 29.29.29.29 host 250.250.250.250
access-list 120 remark ** Firewall Access List ***
access-list 120 permit udp any any eq domain
access-list 120 permit udp any eq domain any
access-list 120 permit gre host 164.164.164.164 host 250.250.250.250
access-list 120 permit gre host 231.231.231.231 host 250.250.250.250
access-list 120 permit esp any host 250.250.250.250
access-list 120 permit udp any host 250.250.250.250 eq isakmp
access-list 120 permit udp any host 250.250.250.250 eq non500-isakmp
access-list 120 permit icmp any any
access-list 120 permit gre host 225.225.225.225 host 250.250.250.250
access-list 121 permit ip 192.168.2.0 0.0.0.255 10.2.2.0 0.0.0.255
dialer-list 1 protocol ip permit

***************************************************************************************************************************

End Branch Office 2

I would like to see this site as 10.0.141.0/24 from the Central Office

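Added configuration example (editor's addition, not posted by anyone in this thread) of what the "NAT is the other option" suggestion from the first reply looks like on the Central Office ASA, using the two branch LANs and mapped ranges the poster gives above (192.168.0.0/24 seen as 10.0.140.0/24, 192.168.2.0/24 seen as 10.0.141.0/24). It uses ASA 8.3+ twice NAT (manual NAT) syntax. Assumptions not in the thread: the ASA interfaces are named inside and outside, the Central Office LAN is 10.0.50.0/24 (placeholder), and the IKEv1/IPsec tunnels from the ASA to the two branch routers already exist. Nothing here touches the branch routers, so the GRE/IPsec tunnels between the branches are left as they are.

```cisco
! Added example, not from the thread. ASA 8.3+ twice NAT on the Central Office ASA.
! Assumed: interfaces named inside/outside; Central LAN 10.0.50.0/24 is a placeholder.
object network CENTRAL-LAN
 subnet 10.0.50.0 255.255.255.0
!
! Branch Office 1: real LAN 192.168.0.0/24, to be seen from Central as 10.0.140.0/24
object network BR1-REAL
 subnet 192.168.0.0 255.255.255.0
object network BR1-MAPPED
 subnet 10.0.140.0 255.255.255.0
!
! Branch Office 2: real LAN 192.168.2.0/24, to be seen from Central as 10.0.141.0/24
object network BR2-REAL
 subnet 192.168.2.0 255.255.255.0
object network BR2-MAPPED
 subnet 10.0.141.0 255.255.255.0
!
! Twice NAT: a Central host sending to 10.0.140.x has the destination rewritten to
! 192.168.0.x before encryption; the source is an identity translation (unchanged).
! Return traffic from 192.168.0.x is rewritten back to 10.0.140.x. Because both
! objects are /24, host bits are preserved (10.0.140.100 <-> 192.168.0.100).
nat (inside,outside) source static CENTRAL-LAN CENTRAL-LAN destination static BR1-MAPPED BR1-REAL
nat (inside,outside) source static CENTRAL-LAN CENTRAL-LAN destination static BR2-MAPPED BR2-REAL
!
! The crypto ACL is matched after NAT, so it must name the branches' real subnets,
! not the mapped 10.0.14x.0 ranges (assumed ACL names).
access-list VPN-BR1 extended permit ip object CENTRAL-LAN object BR1-REAL
access-list VPN-BR2 extended permit ip object CENTRAL-LAN object BR2-REAL
!
! Verification (run on the ASA): confirm the destination is translated and the
! packet is sent to the VPN phase rather than dropped or routed in the clear.
! packet-tracer input inside icmp 10.0.50.10 8 0 10.0.140.100 detailed
! show nat detail
! show crypto ipsec sa peer 29.29.29.29
```

The ASA-side translation is what makes a ping to 10.0.140.100 reach the host at 192.168.0.100; the branch routers still see and route only 192.168.x addresses, which is why their existing tunnels to each other are unaffected. When picking the mapped ranges, check them against every range already in use at Central and at the branches: the Branch Office 1 config above hands out remote-access addresses from 10.0.0.1-10.0.0.5, which sits inside the 10.0.0.0/24 the poster lists as a branch subnet, so mapped ranges such as 10.0.140.0/24 that avoid all of those are the safe choice.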
Beginner

Re: ASA Site to Site VPN with Changing Remote Subnet

Any help please....