Beginner

VPN using public IP

Hi

I need to form a VPN tunnel from the A side to the B side. The B side uses 10.50.x.x as its internal range, which the A side uses as well. Is there any way we can find a solution?

7 Replies
VIP Advisor

Re: VPN using public IP

Hi there,

Surely every device at one site does not require connectivity to every device at the other site?

In the likely event that each site offers only a small subset of services which need to be accessible, I suggest you use static NAT to hide the 'real' 10.50.x.x IP addresses and then advertise the NAT pool subnet to the other site.

cheers,

Seb.

VIP Advocate

Re: VPN using public IP

To add to what @Seb Rupik mentioned, here is a guide on how to deal with overlapping subnets on the ASA:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html

Beginner

Re: VPN using public IP

Thank you both. The problem over here is that Site A is accessing resources from Site B.

Site A uses 10.50.50.0/24, as an example, and it is advertised throughout Site A's networks.

Site B also uses the same range.

So what can be done for Site A to access Site B? We used to use public IPs, but Site B does not have a public one available.

Cisco Employee

Re: VPN using public IP

Hello,

From what I understand, the question now is:

10.50.50.0/24 -----A(1.1.1.1)============B(2.2.2.2)------------10.50.50.0/24

Earlier you had an available public IP address on both sites A and B, and you were able to NAT 10.50.50.0/24 (on side A) to IP address X and 10.50.50.0/24 (on side B) to IP address Y. Now B doesn't have Y, so you can't use it anymore. Is this the scenario you are trying to implement?

You can use a local IP (IP address y) on side B, NAT all of 10.50.50.0/24 behind site B to that, and add it to the crypto ACL.

Earlier the crypto ACL was X to Y and Y to X. Now this can be changed to X to y.

Of course, you would need to allow access for y wherever Y had access earlier.

Is this the topology? If not, could you please share the topology? Even a simple example would do, to make sure we understand what you are trying to achieve.

The second thing which comes to my mind is that Site B is totally routed to Site A and doesn't have any public IP, and you want to route all traffic from Site B to Site A and make sure Site A can access all resources behind B.

Regards

Shikha Grover
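
One way to lay out the translate-then-encrypt approach described in the reply above, as an added example that is not configuration from this thread or from Cisco's document: the site B side on an ASA (8.3+ NAT syntax; the platform is an assumption, taken from the earlier ASA link), with constructed addresses. Site A is assumed to present itself as X = 172.16.10.0/24 with a mirror-image configuration, and site B hides its 10.50.50.0/24 behind y = 172.16.20.0/24, a one-to-one /24 rather than a single address so that hosts at A can initiate connections to individual B hosts. IKE policy and the tunnel-group with its pre-shared key are omitted.

```cisco
! Site B ASA, 8.3+ NAT syntax. All addresses below are constructed for this example.
! Real LAN at B (overlaps with site A):
object network SITE_B_REAL
 subnet 10.50.50.0 255.255.255.0
! "y": the private alias B shows to A, mapped one-to-one as a full /24
object network SITE_B_MAPPED
 subnet 172.16.20.0 255.255.255.0
! "X": the alias A presents to B (A does the same translation on its own side)
object network SITE_A_MAPPED
 subnet 172.16.10.0 255.255.255.0
!
! Twice NAT, evaluated before the crypto map: only for traffic between B's LAN
! and X, translate 10.50.50.0/24 <-> 172.16.20.0/24 statically. Static rather
! than PAT, so a host at A can reach any B host through its 172.16.20.x alias.
nat (inside,outside) source static SITE_B_REAL SITE_B_MAPPED destination static SITE_A_MAPPED SITE_A_MAPPED no-proxy-arp route-lookup
!
! Crypto ACL matches post-NAT addresses (y <-> X), never 10.50.50.0/24 itself.
access-list VPN_TO_A extended permit ip object SITE_B_MAPPED object SITE_A_MAPPED
!
! The tunnel still terminates on the public peer addresses from the diagram.
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS_AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP interface outside
!
! Checks after bringing it up (constructed hosts: 10.50.50.10 at B, 172.16.10.10 = a host at A):
! packet-tracer input inside tcp 10.50.50.10 1025 172.16.10.10 443
!   -> the NAT phase should show 10.50.50.10 -> 172.16.20.10 and the VPN phase should match VPN_TO_A
! show crypto ipsec sa
!   -> local ident 172.16.20.0/24, remote ident 172.16.10.0/24
```

The crypto peers stay the public 1.1.1.1 and 2.2.2.2 from the diagram; only the inner alias y is private, which is the policy point the poster has to decide on.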

Beginner

Re: VPN using public IP

10.50.50.0/24 -----A(1.1.1.1)============B(2.2.2.2)------------10.50.50.0/24

Yes, the above is correct. However, in Site A they also use 10.50.50.0/24, and company policy is generally to use a crypto tunnel to a public IP and not to a private IP at Site B. Site B has a public range (e.g. 7.7.7.0/24) but can't use it for this purpose.

So is there any other way? Am I making it clear?

Cisco Employee

Re: VPN using public IP

Hello

I am sorry, however you would need to compromise on one of these things:

You can either use a LOCAL IP (going against your company policy) or make arrangements for a public IP (which isn't available for now).

Regards

Shikha Grover

Please rate the answers that are helpful

Beginner

Re: VPN using public IP

Clear, thank you for the quick reply.