07-16-2019 05:43 AM
Hi
I need to form a VPN tunnel from A side to B side. B side uses 10.50.x.x as its internal range, which A side uses as well. Is there any way we can find a solution?
07-16-2019 05:47 AM
Hi there,
Surely every device at one site does not require connectivity to every device at the other site?
In the likely event that each site offers a small subset of services which need to be accessible, then I suggest you use static NAT to hide the 'real' 10.50.x.x IP addresses and then advertise the NAT pool subnet to the other site.
cheers,
Seb.
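Added example, not part of the original thread: a sketch of the static NAT approach suggested above, in ASA 8.3+ object/twice-NAT syntax. The mapped pools 192.168.101.0/24 and 192.168.102.0/24, the object and ACL names, and the `inside`/`outside` interface names are assumptions chosen for illustration; the IKE/IPsec peer and crypto map configuration is omitted.

```cisco
! ===== Site A ASA (real inside subnet 10.50.50.0/24) =====
object network SITEA-REAL
 subnet 10.50.50.0 255.255.255.0
! Assumed NAT pool that Site A presents to Site B
object network SITEA-MAPPED
 subnet 192.168.101.0 255.255.255.0
! Assumed NAT pool that Site B presents to Site A
object network SITEB-MAPPED
 subnet 192.168.102.0 255.255.255.0
! Static subnet NAT: 10.50.50.N leaves as 192.168.101.N,
! only when the destination is Site B's mapped pool
nat (inside,outside) source static SITEA-REAL SITEA-MAPPED destination static SITEB-MAPPED SITEB-MAPPED
! NAT runs before the crypto match, so the crypto ACL uses mapped addresses
access-list CRYPTO-TO-B extended permit ip object SITEA-MAPPED object SITEB-MAPPED

! ===== Site B ASA (real inside subnet is also 10.50.50.0/24) =====
object network SITEB-REAL
 subnet 10.50.50.0 255.255.255.0
object network SITEB-MAPPED
 subnet 192.168.102.0 255.255.255.0
object network SITEA-MAPPED
 subnet 192.168.101.0 255.255.255.0
! Mirror rule: 10.50.50.N leaves as 192.168.102.N toward Site A's mapped pool
nat (inside,outside) source static SITEB-REAL SITEB-MAPPED destination static SITEA-MAPPED SITEA-MAPPED
! Must be the exact mirror of Site A's crypto ACL
access-list CRYPTO-TO-A extended permit ip object SITEB-MAPPED object SITEA-MAPPED
```

With this in place a Site A host reaches the Site B server 10.50.50.20 by addressing 192.168.102.20, and neither side ever sees the other's real 10.50.50.0/24 addresses. Each site's internal routing has to send the remote mapped pool toward its ASA.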
07-16-2019 05:52 AM
To add to what @Seb Rupik mentioned, here is a guide on how to deal with overlapping subnets on the ASA:
07-16-2019 08:27 AM
Thank you both. The problem over here is Site A is accessing resources from Site B.
Site A uses 10.50.50.0/24 as an example and advertises it throughout Site A's networks.
Site B also uses the same range.
So what can be done for Site A to access Site B? We used to use public IPs, but Site B does not have public IPs available.
07-16-2019 08:56 AM
Hello
What I understand from the question now is:
10.50.50.0/24 -----A(1.1.1.1)============B(2.2.2.2)------------10.50.50.0/24
Earlier you had an available public IP address on both sites A and B, and you were able to NAT 10.50.50.0/24 (on side A) to X IP address and 10.50.50.0/24 (on side B) to Y IP address. Now, B doesn't have Y and so you can't use it anymore. Is this the scenario you are trying to implement?
You can use a local IP (y IP address) on side B, NAT all 10.50.50.0/24 behind site B to that, and add it to the crypto ACL.
Earlier the crypto ACL was X to Y and Y to X. Now this can be changed to X to y.
Of course you would need to allow access for y wherever Y had access earlier.
Is this the topology? If not, could you please share the topology? Even a simple example would do, to make sure we understand what you are trying to achieve.
The 2nd thing which comes to my mind is that Site B is totally routed to Site A and doesn't have any public IP, and you want to route all traffic from Site B to Site A and make sure Site A can access all resources behind B.
Regards
Shikha Grover
07-16-2019 09:26 AM
10.50.50.0/24 -----A(1.1.1.1)============B(2.2.2.2)------------10.50.50.0/24
Yes, the above is correct; however, in Site A they also use 10.50.50.0/24, and company policy is generally to use a crypto tunnel to a public IP and not a private IP to Site B. Site B has a public range (Ex: 7.7.7.0/24) but can't use it for this purpose.
So is there any other way? Am I making it clear?
07-16-2019 10:01 AM
Hello
I am sorry, however you would need to compromise on one of the things:
You can either use a LOCAL IP (going against your company policy) or make arrangements for a Public IP (which isn't available for now).
Regards
Shikha Grover
Please rate the answers that are helpful
07-16-2019 01:46 PM
Clear, thank you for the quick reply.