VPN Appliance 1 is connecting to ASA 5525 with an internal subnet of 192.168.1.0/24.
VPN Appliance 2 is also connecting to ASA 5525 with an internal subnet of 192.168.1.0/24.
ASA 5525 8.6 has an internal IP range of 10.10.10.0/24.
Because of the conflict, IPSEC VPN1 passes traffic and IPSEC VPN2 does not.
Question 1. Is there a combination of NAT/ACLs that I can employ that would allow both VPN Appliance 1 and 2 to remain unchanged? Can a person on the private end of VPN Appliance 1 ping 10.10.10.10 from 192.168.1.10 while someone on the private end of VPN Appliance 2 is also pinging 10.10.10.10 from 192.168.1.10?
Question 2. If we separate the hosts on the ASA 5525 (set the ACL and NAT to 10.10.10.10 to VPN Appliance1's 192.168.1.0 and set the ACL and NAT to 10.10.10.11 to VPN Appliance2's 192.168.1.0), can we keep both VPN Appliance1 and 2 unchanged and have them able to ping 10.10.10.10 from VPN Appliance1's 192.168.1.10 and ping 10.10.10.11 from VPN Appliance2's 192.168.1.10?
We need to use policy NAT on Appliance 1 and 2 to allow them to communicate with ASA 5525's 10.10.10.0/24 network, i.e. the IPs on Appliance 1 and 2 won't really be changed, but the packets will be seen as sourced from different IPs when they reach ASA 5525.
This can be achieved by:
On Appliance 1,
192.168.1.0 gets translated to 3.3.3.X if it needs to communicate to 10.10.10.0/24
On Appliance 2,
192.168.1.0 gets translated to 4.4.4.X if it needs to communicate to 10.10.10.0/24
Similarly, the crypto access-lists will be modified.
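The translation scheme described in the answer above, written out as an added configuration example (not from the original thread and not the poster's actual configuration). It assumes VPN Appliance 1 is itself a Cisco ASA using 8.4-style NAT syntax with interfaces named inside and outside, that an IKEv1 policy and transform-set already exist, and that the ASA 5525 hub side is configured the same way. Object names, the crypto map name and the peer addresses are placeholders; 3.3.3.0/24, 4.4.4.0/24, 10.10.10.0/24 and 192.168.1.0/24 are the values from the thread.

```cisco
! Added example, not from the original post. Assumes Appliance 1 is an ASA
! (8.4-style NAT), LAN interface "inside", Internet interface "outside",
! and an existing IKEv1 transform-set named EXISTING-TSET (placeholder).

! --- VPN Appliance 1 ---
object network LAN-REAL
 subnet 192.168.1.0 255.255.255.0
object network LAN-MAPPED-VPN1
 subnet 3.3.3.0 255.255.255.0
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0

! Policy (twice) NAT: only when the destination is 10.10.10.0/24, present the
! local LAN as 3.3.3.0/24 (192.168.1.10 becomes 3.3.3.10). Manual NAT is
! evaluated before object NAT, so this wins over a dynamic PAT rule for Internet.
nat (inside,outside) source static LAN-REAL LAN-MAPPED-VPN1 destination static HQ-LAN HQ-LAN

! The crypto ACL references the translated subnet, because the ASA matches
! interesting traffic after NAT on the outbound path.
access-list VPN1-CRYPTO extended permit ip object LAN-MAPPED-VPN1 object HQ-LAN
crypto map OUTSIDE-MAP 10 match address VPN1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer ASA5525_PUBLIC_IP_PLACEHOLDER
crypto map OUTSIDE-MAP 10 set ikev1 transform-set EXISTING-TSET
crypto map OUTSIDE-MAP interface outside

! --- VPN Appliance 2: same lines, with 4.4.4.0 255.255.255.0 as the mapped subnet ---

! --- ASA 5525 (hub) ---
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0
object network VPN1-REMOTE
 subnet 3.3.3.0 255.255.255.0
object network VPN2-REMOTE
 subnet 4.4.4.0 255.255.255.0

! Identity NAT so hub-to-spoke traffic is not PATed before the crypto map sees it.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static VPN1-REMOTE VPN1-REMOTE
nat (inside,outside) source static HQ-LAN HQ-LAN destination static VPN2-REMOTE VPN2-REMOTE

! Two crypto ACLs that no longer overlap, so the hub can select the right peer
! for return traffic instead of always matching the first entry.
access-list VPN1-CRYPTO extended permit ip object HQ-LAN object VPN1-REMOTE
access-list VPN2-CRYPTO extended permit ip object HQ-LAN object VPN2-REMOTE
crypto map OUTSIDE-MAP 10 match address VPN1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer APPLIANCE1_PUBLIC_IP_PLACEHOLDER
crypto map OUTSIDE-MAP 10 set ikev1 transform-set EXISTING-TSET
crypto map OUTSIDE-MAP 20 match address VPN2-CRYPTO
crypto map OUTSIDE-MAP 20 set peer APPLIANCE2_PUBLIC_IP_PLACEHOLDER
crypto map OUTSIDE-MAP 20 set ikev1 transform-set EXISTING-TSET
crypto map OUTSIDE-MAP interface outside
```

With this in place, a ping from 192.168.1.10 behind Appliance 1 reaches 10.10.10.10 as 3.3.3.10, and the same host address behind Appliance 2 reaches it as 4.4.4.10, so both sessions coexist and the hub's ACLs can tell the two sites apart. On the spoke, `packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.10` shows the NAT and VPN phases being hit, and `show nat` and `show crypto ipsec sa` confirm the translation and the encrypt/decrypt counters; the proxy IDs on both ends must agree (3.3.3.0/24 and 4.4.4.0/24 versus 10.10.10.0/24), or phase 2 will not negotiate.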