Another question for duplicate private ranges on site to site ipsec

grobinson23
Level 1

Ok. So, here's the setup:

[VPN Appliance1] ------------> IPSEC VPN1 <----------- [ASA 5525 8.6]----------> IPSEC VPN2 <----------- [VPN Appliance2]

VPN Appliance 1 is connecting to ASA 5525 with an internal subnet of 192.168.1.0/24.

VPN Appliance 2 is also connecting to ASA 5525 with an internal subnet of 192.168.1.0/24.

ASA 5525 8.6 has an internal IP range of 10.10.10.0/24

Because of the conflict, IPSEC VPN1 passes traffic and IPSEC VPN2 does not.

Question 1. Is there a combination of NAT/ACLs that I can employ that would allow both VPN Appliance 1 and 2 to remain unchanged? Can a person on the private end of VPN Appliance 1 ping 10.10.10.10 from 192.168.1.10 while someone on the private end of VPN Appliance 2 is also pinging 10.10.10.10 from 192.168.1.10?

Question 2. If we separate the hosts on the ASA 5525 (set the ACL and NAT to 10.10.10.10 to VPN Appliance1's 192.168.1.0 and set the ACL and NAT to 10.10.10.11 to VPN Appliance2's 192.168.1.0), can we keep both VPN Appliance1 and 2 unchanged and have them able to ping 10.10.10.10 from VPN Appliance1's 192.168.1.10 and ping 10.10.10.11 from VPN Appliance2's 192.168.1.10?

Thanks!

2 Replies

Dinesh Moudgil
Cisco Employee

Hello,

You can refer to the following document in order to apply Policy NAT on VPN appliance 1 and 2:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

We need to use policy NAT on Appliance 1 and 2 to allow them to communicate with ASA 5525's 10.10.10.0/24 network, i.e. the IPs on Appliance 1 and 2 won't really be changed, but the packets would be seen as sourced from different IPs when they reach ASA 5525.

This can be achieved by:

On Appliance 1,

192.168.1.0 gets translated to 3.3.3.X if it needs to communicate to 10.10.10.0/24

On Appliance 2,

192.168.1.0 gets translated to 4.4.4.X if it needs to communicate to 10.10.10.0/24


Similarly, the crypto access-lists will be modified.

Appliance 1 ------------------------------------------- ASA 5525
3.3.3.x ----------------------------------------------- 10.10.10.0

Appliance 2 ------------------------------------------- ASA 5525
4.4.4.x ----------------------------------------------- 10.10.10.0

I am assuming both the VPN tunnels are terminating on a single OUTSIDE interface.

Moving further, for the next query:

On 5525, the crypto access-list would be

ASA 5525 ------------------------------------- VPN Appliance 1
10.10.10.10 ----------------------------------- 192.168.1.0

ASA 5525 ------------------------------------- VPN Appliance 2
10.10.10.11 ----------------------------------- 192.168.1.0

Since the crypto access-list would be different for the second query, you should be able to ping 10.10.10.10 from Appliance 1 and 10.10.10.11 from Appliance 2.

Hope that helps.

Regards,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
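The ASA side of the second scenario, written out as an added example (this is not configuration from the thread or from Cisco); it assumes an interface named outside, IKEv1 with pre-shared keys, and placeholder peer addresses 203.0.113.1 for Appliance 1 and 198.51.100.1 for Appliance 2. The crypto ACLs do the disambiguation: traffic from 10.10.10.10 only ever matches map entry 10 and traffic from 10.10.10.11 only entry 20, so each copy of 192.168.1.0/24 is reachable from exactly one local host, and neither host can reach the other site.

```text
! Assumed ASA 8.6 configuration for the second scenario (added example, not from the thread).
! Assumed: interface "outside", peers 203.0.113.1 (Appliance 1) and 198.51.100.1 (Appliance 2),
! IKEv1 with pre-shared keys (key values are placeholders).
!
! Objects for the two local hosts and the (identical) remote subnet
object network ASA-HOST-1
 host 10.10.10.10
object network ASA-HOST-2
 host 10.10.10.11
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
!
! NAT exemption (identity twice NAT) so the tunnelled traffic keeps its real addresses
nat (inside,outside) source static ASA-HOST-1 ASA-HOST-1 destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside) source static ASA-HOST-2 ASA-HOST-2 destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Crypto ACLs: each tunnel only carries traffic for its own local host
access-list VPN1-TRAFFIC extended permit ip host 10.10.10.10 192.168.1.0 255.255.255.0
access-list VPN2-TRAFFIC extended permit ip host 10.10.10.11 192.168.1.0 255.255.255.0
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Two entries in one crypto map; the sequence number is the order packets are matched in
crypto map OUTSIDE-MAP 10 match address VPN1-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN2-TRAFFIC
crypto map OUTSIDE-MAP 20 set peer 198.51.100.1
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-KEY-1
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-KEY-2
```

After both tunnels come up, `show crypto ipsec sa peer 203.0.113.1` and `show crypto ipsec sa peer 198.51.100.1` should each show a single SA whose local/remote identities match the corresponding crypto ACL line, with encaps counters rising only for the host that belongs to that peer.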

So, it's not possible to do this without modifying the configuration on VPN Appliance1 and VPN Appliance 2?
