Another question for duplicate private ranges on site to site ipsec


Ok.  So, here's the setup:

[VPN Appliance1] ------------> IPSEC VPN1 <----------- [ASA 5525 8.6]----------> IPSEC VPN2 <----------- [VPN Appliance2]

VPN Appliance 1 is connecting to ASA 5525 with an internal subnet of

VPN Appliance 2 is also connecting to ASA 5525 with an internal subnet of

ASA 5525 8.6 has an internal IP range of

Because of the conflict, IPSEC VPN1 passes traffic and IPSEC VPN2 does not.

Question 1.  Is there a combination of nat/ACL's that I can employ that would allow both VPN Appliance 1 and 2 to remain unchanged?  Can a person on the private end of VPN Appliance 1 ping from while someone on the private end of VPN Appliance 2 also be pinging from

Question 2.  If we separate the hosts on the ASA 5525 (set the ACL and NAT to to VPN Appliance1's and set the ACL and NAT to to VPN Appliance2's, can we keep both VPN Appliance1 and 2 unchanged and have them able to ping from VPN Appliance1's and ping from VPN Appliance2's 


2 Replies

Dinesh Moudgil
Cisco Employee


You can refer to the following document in order to apply the Policy NAT on VPN appliance 1 and 2:

We need to use the policy NAT on Appliance 1 and 2 to allow them to communicate with ASA 5525's network, i.e. the IPs on Appliance 1 and 2 won't really be changed, but they would be seen as packets sourced from different IPs when they reach ASA 5525.

This can be achieved by:

On Appliance 1 , gets translated to 3.3.3.X if it needs to communicate to

On Appliance 2, gets translated to 4.4.4.X if it needs to communicate to

Similarly, the crypto access-lists will be modified.

Appliance 1 ------------------------------------------- ASA 5525


Appliance 1 ------------------------------------------- ASA 5525


I am assuming both the VPN tunnels are terminating on a single OUTSIDE interface.

Moving further, for the next query

On 5525,

The crypto access-list would be
ASA 5525-------------------------------------VPN Appliance 1,

ASA 5525-------------------------------------VPN Appliance 2

Since the crypto access-list would be different for the second query, you should be able to ping from Appliance 1 and from Appliance 2.

Hope that helps.


Dinesh Moudgil

Cisco Network Security Channel -
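The ASA 5525 side of the setup described in the reply above, as an added example that is not from the original thread or from Cisco. It assumes an ASA inside network of 10.10.10.0/24, peers 203.0.113.1 and 198.51.100.1 terminating on the single outside interface, IKEv1 with pre-shared keys, and that each appliance's policy NAT presents its LAN as 3.3.3.0/24 or 4.4.4.0/24 as the reply describes; all addresses are placeholders.

```cisco
! Constructed example for ASA 8.6 (8.4-style NAT). Addresses are placeholders, not from the thread.
object network ASA-LAN
 subnet 10.10.10.0 255.255.255.0
object network APP1-TRANSLATED
 subnet 3.3.3.0 255.255.255.0
object network APP2-TRANSLATED
 subnet 4.4.4.0 255.255.255.0

! Identity NAT so tunnel traffic is not caught by the interface PAT rule
nat (inside,outside) source static ASA-LAN ASA-LAN destination static APP1-TRANSLATED APP1-TRANSLATED no-proxy-arp route-lookup
nat (inside,outside) source static ASA-LAN ASA-LAN destination static APP2-TRANSLATED APP2-TRANSLATED no-proxy-arp route-lookup

! Crypto ACLs: each tunnel is keyed on a distinct translated range, so the proxy IDs no longer overlap
access-list VPN1-CRYPTO extended permit ip object ASA-LAN object APP1-TRANSLATED
access-list VPN2-CRYPTO extended permit ip object ASA-LAN object APP2-TRANSLATED

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set VPN-TS esp-aes-256 esp-sha-hmac

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-FOR-APPLIANCE-1>
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-FOR-APPLIANCE-2>

! One crypto map on the outside interface, one entry per peer
crypto map OUTSIDE-MAP 10 match address VPN1-CRYPTO
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set VPN-TS
crypto map OUTSIDE-MAP 20 match address VPN2-CRYPTO
crypto map OUTSIDE-MAP 20 set peer 198.51.100.1
crypto map OUTSIDE-MAP 20 set ikev1 transform-set VPN-TS
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
```

The proxy IDs on each appliance must mirror its crypto ACL here (its translated range to ASA-LAN), otherwise phase 2 fails with a mismatch; `show crypto ipsec sa peer 203.0.113.1` should then show an SA for 10.10.10.0/24 <-> 3.3.3.0/24 only.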

So, it's not possible to do this without modifying the configuration on VPN Appliance1 and VPN Appliance 2?
