2 site-to-site VPN's with same IP ranges

Andy White
Level 3

Hello,

I have a site-to-site VPN between our ASA (my office) and a Checkpoint firewall (remote office) and the inside LAN IP range for this remote office is 172.16.x.x/16.  We have another office that needs a site-to-site connection to our ASA and they also use 172.16.x.x/16 and are using a Cisco ASA. 

1.)  Do I need to set up a VPN between this second site using a different IP range and on their ASA NAT 172.16.x.x/16 to this new IP range? 

2.)  If so how do I do this via the ASDM?

Thanks

5 Replies

On the second ASA you can configure a policy-nat for traffic that should traverse the VPN to avoid the overlap.  Here are a couple examples

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/nat.html#wp1053751

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Hope this helps

Hi,

For some reason my phone won't open those links, but am I right in creating the tunnel using a `fake` IP range, that way phase one and two will work on the tunnel and the policy NAT will take care of the overlap?

Thanks

Correct. You will need to create another/fake subnet that the headend router will see. Otherwise the headend would probably delete the current tunnel when the other connects.

This sounds complicated :s

I guess for my side where both VPN's come into is the easy part and all the work has to be done on the remote ASA for the policy NAT?

Would I have to allow a whole IP range or NAT the remote subnet to one IP as I guess it would PAT to resources my end?

Or have I lost it completely

My apologies.  I may have added to the confusion.  So if you are using a L2L from ASA to ASA, then you will need to configure both ASAs with policy nats so that each nats their local source when going to the peer ASA.  So for example, you have something like the following

ORIGINAL
172.16.0.0/16---ASA1=======ASA2-----172.16.0.0/16

NATTED
x.x.x.x/16 ----ASA1=========ASA2----y.y.y.y/16


On your ASA1 network, you want the addresses from ASA2 to be y.y.y.y/16.  So when a user sends a packet, on the wire it will look like source 172.16.x.x and destination y.y.y.y.  When the packet reaches ASA1, the source will be natted prior to encryption to x.x.x.x.  Thus the encryption acl will need to be changed to x.x.x.x > y.y.y.y.

so your nat statement will look like so

access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 y.y.y.y 255.255.0.0
static (inside,outside) x.x.x.x access-list policy-nat

and your encryption ACL for the tunnel will be

access-list CRYPTO extended permit ip x.x.x.x 255.255.0.0 y.y.y.y 255.255.0.0


On the ASA2 network, you want the peers behind ASA1 to be seen as x.x.x.x/16.  And you want ASA2 devices to be natted to y.y.y.y.  So you will add nat statements like

access-list policy-nat extended permit ip 172.16.0.0 255.255.0.0 x.x.x.x 255.255.0.0
static (inside,outside) y.y.y.y access-list policy-nat

and encryption ACL will be

access-list CRYPTO extended permit ip y.y.y.y 255.255.0.0 x.x.x.x 255.255.0.0

I hope this provides some clarity and gives more explanation to the configuration example that I sent.
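A worked version of the plan in the answer above, added here as an example and not taken from the thread or from Cisco's own documentation. It keeps the thread's 172.16.0.0/16 on both sides and uses constructed mapped ranges 10.1.0.0/16 (for ASA1) and 10.2.0.0/16 (for ASA2) in place of x.x.x.x and y.y.y.y. It checks that the mapped ranges are usable, walks one packet through both ASAs to show which address is translated where and that the post-NAT addresses match the crypto ACL, and prints the config lines for each ASA in the thread's pre-8.3 `static ... access-list` form as well as the 8.3+ twice-NAT form (object names are my assumption).

```python
"""Plan and sanity-check policy NAT for a site-to-site tunnel whose two LANs overlap.

Added example, not from the thread. Real LANs are the thread's 172.16.0.0/16 on both
sides; the mapped ("fake") subnets 10.1.0.0/16 and 10.2.0.0/16 are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Site:
    name: str
    real: IPv4Network    # the LAN actually behind this ASA
    mapped: IPv4Network  # the substitute subnet the peer sees instead


def site(name: str, real: str, mapped: str) -> Site:
    """Convenience constructor from prefix strings."""
    return Site(name, IPv4Network(real), IPv4Network(mapped))


def validate_plan(a: Site, b: Site) -> list:
    """Return the reasons a plan cannot work; an empty list means it is usable."""
    problems = []
    for s in (a, b):
        if s.mapped.prefixlen != s.real.prefixlen:
            problems.append(f"{s.name}: mapped {s.mapped} is not the same size as real {s.real}")
        if s.mapped.overlaps(s.real):
            problems.append(f"{s.name}: mapped {s.mapped} overlaps its own LAN {s.real}")
    if a.mapped.overlaps(b.mapped):
        problems.append(f"mapped subnets {a.mapped} and {b.mapped} overlap each other")
    for s, peer in ((a, b), (b, a)):
        # hosts at 'peer' must route to s.mapped, so it cannot collide with peer's own LAN
        if s.mapped.overlaps(peer.real):
            problems.append(f"{s.name}: mapped {s.mapped} overlaps {peer.name}'s LAN {peer.real}")
    return problems


def translate(s: Site, addr) -> IPv4Address:
    """Static 1:1 NAT as the local ASA applies it: keep the host bits, swap the network bits."""
    addr = IPv4Address(addr)
    if addr not in s.real:
        raise ValueError(f"{addr} is not inside {s.real}")
    return IPv4Address(int(s.mapped.network_address) + (int(addr) - int(s.real.network_address)))


def untranslate(s: Site, addr) -> IPv4Address:
    """Inverse of translate(): what the receiving ASA does to the destination address."""
    addr = IPv4Address(addr)
    if addr not in s.mapped:
        raise ValueError(f"{addr} is not inside {s.mapped}")
    return IPv4Address(int(s.real.network_address) + (int(addr) - int(s.mapped.network_address)))


def walk_packet(src_site: Site, dst_site: Site, src, dst) -> dict:
    """Trace a packet from real host src (behind src_site) to real host dst (behind dst_site).

    The sender addresses the peer by its mapped address; each ASA translates only its own
    LAN, exactly as the answer above describes."""
    on_lan = (IPv4Address(src), translate(dst_site, dst))
    after_local_nat = (translate(src_site, on_lan[0]), on_lan[1])  # source natted before encryption
    crypto_match = after_local_nat[0] in src_site.mapped and after_local_nat[1] in dst_site.mapped
    delivered = (after_local_nat[0], untranslate(dst_site, after_local_nat[1]))
    return {
        "on_lan": tuple(map(str, on_lan)),
        "after_local_nat": tuple(map(str, after_local_nat)),
        "crypto_match": crypto_match,
        "delivered": tuple(map(str, delivered)),
    }


def asa_config(local: Site, remote: Site, legacy: bool = False) -> list:
    """Config lines for the local ASA.

    legacy=True emits the pre-8.3 'static ... access-list' policy NAT used in the thread;
    otherwise the 8.3+ twice-NAT form (object names are assumed)."""
    if legacy:
        lines = [
            f"access-list policy-nat extended permit ip {local.real.network_address} {local.real.netmask} "
            f"{remote.mapped.network_address} {remote.mapped.netmask}",
            f"static (inside,outside) {local.mapped.network_address} access-list policy-nat",
        ]
    else:
        lines = [
            f"object network {local.name}-real",
            f" subnet {local.real.network_address} {local.real.netmask}",
            f"object network {local.name}-mapped",
            f" subnet {local.mapped.network_address} {local.mapped.netmask}",
            f"object network {remote.name}-mapped",
            f" subnet {remote.mapped.network_address} {remote.mapped.netmask}",
            f"nat (inside,outside) source static {local.name}-real {local.name}-mapped "
            f"destination static {remote.name}-mapped {remote.name}-mapped",
        ]
    # The crypto ACL must match the post-NAT addresses on both sides.
    lines.append(
        f"access-list CRYPTO extended permit ip {local.mapped.network_address} {local.mapped.netmask} "
        f"{remote.mapped.network_address} {remote.mapped.netmask}"
    )
    return lines


# Constructed plan: both LANs are 172.16.0.0/16 as in the thread; the mapped ranges are made up.
SITE_A = site("ASA1", "172.16.0.0/16", "10.1.0.0/16")
SITE_B = site("ASA2", "172.16.0.0/16", "10.2.0.0/16")

if __name__ == "__main__":
    print("plan problems:", validate_plan(SITE_A, SITE_B) or "none")
    for s, peer in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"\n! {s.name} (pre-8.3)")
        print("\n".join(asa_config(s, peer, legacy=True)))
    print("\npacket 172.16.5.10@ASA1 -> 172.16.7.20@ASA2:")
    for step, value in walk_packet(SITE_A, SITE_B, "172.16.5.10", "172.16.7.20").items():
        print(f"  {step}: {value}")
```

Two things the walk makes visible: users on each side must reach the peer by its mapped address (so DNS or host entries at each office need to hand out 10.2.x.x / 10.1.x.x, not 172.16.x.x), and on 8.3+ code the manual NAT line has to sit above any general dynamic PAT rule, since those rules are evaluated in order and a broad PAT rule listed first would translate the VPN traffic to the outside interface address instead.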