VPN Appliance 1 is connecting to ASA 5525 with an internal subnet of 192.168.1.0/24.
VPN Appliance 2 is also connecting to ASA 5525 with an internal subnet of 192.168.1.0/24.
ASA 5525 8.6 has an internal IP range of 10.10.10.0/24.
Because of the conflict, IPSEC VPN1 passes traffic and IPSEC VPN2 does not.
Question 1. Is there a combination of NAT/ACLs that I can employ that would allow both VPN Appliance 1 and 2 to remain unchanged? Can a person on the private end of VPN Appliance 1 ping 10.10.10.10 from 192.168.1.10 while someone on the private end of VPN Appliance 2 is also pinging 10.10.10.10 from 192.168.1.10?
Question 2. If we separate the hosts on the ASA 5525 (set the ACL and NAT for 10.10.10.10 to VPN Appliance 1's 192.168.1.0 and set the ACL and NAT for 10.10.10.11 to VPN Appliance 2's 192.168.1.0), can we keep both VPN Appliance 1 and 2 unchanged and have them able to ping 10.10.10.10 from VPN Appliance 1's 192.168.1.10 and ping 10.10.10.11 from VPN Appliance 2's 192.168.1.10?
We need to use policy NAT on Appliance 1 and 2 to allow them to communicate with ASA 5525's 10.10.10.0/24 network, i.e. the IPs on Appliance 1 and 2 won't really be changed, but the packets would be seen as sourced from different IPs when they reach ASA 5525.
This can be achieved by:
On Appliance 1,
192.168.1.0 gets translated to 3.3.3.X if it needs to communicate with 10.10.10.0/24
On Appliance 2,
192.168.1.0 gets translated to 4.4.4.X if it needs to communicate with 10.10.10.0/24
Similarly, the crypto access-lists will be modified.
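The following is an added configuration example (not from the original poster or the answer above) showing what the policy NAT and crypto ACL changes described in the answer look like in ASA 8.3+ syntax. It assumes the two VPN appliances are themselves ASAs with interfaces named inside/outside; the 3.3.3.0/24 and 4.4.4.0/24 ranges are the ones the answer suggests (note that both fall in publicly routed address space, so in a real deployment pick unused private ranges instead), the object and ACL names are made up, and the peer addresses are placeholders.

```cisco
! ===== VPN Appliance 1 (assumed ASA, 8.3+ NAT syntax) =====
object network LAN-LOCAL
 subnet 192.168.1.0 255.255.255.0
object network LAN-NATTED
 subnet 3.3.3.0 255.255.255.0
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0
!
! Policy (twice) NAT: only when the destination is 10.10.10.0/24 does
! 192.168.1.x become 3.3.3.x (host part preserved, one-to-one mapping).
! Put this rule before any generic dynamic PAT so it is matched first.
nat (inside,outside) source static LAN-LOCAL LAN-NATTED destination static HQ-LAN HQ-LAN
!
! NAT happens before encryption, so the crypto ACL must match the
! post-NAT source 3.3.3.0/24, not the real 192.168.1.0/24.
access-list VPN-TO-HQ extended permit ip 3.3.3.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer <ASA-5525-PUBLIC-IP>

! ===== VPN Appliance 2: identical, except the translated range is 4.4.4.0/24 =====
object network LAN-NATTED
 subnet 4.4.4.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 4.4.4.0 255.255.255.0 10.10.10.0 255.255.255.0

! ===== ASA 5525 (hub) =====
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0
object network SITE1-LAN
 subnet 3.3.3.0 255.255.255.0
object network SITE2-LAN
 subnet 4.4.4.0 255.255.255.0
!
! Identity NAT (NAT exemption) so hub traffic to either site is not
! translated by any outbound PAT rule before it enters the tunnel.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SITE1-LAN SITE1-LAN
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SITE2-LAN SITE2-LAN
!
! Two non-overlapping crypto ACLs: the hub can now choose the correct
! SA for return traffic, which it could not do when both sites were 192.168.1.0/24.
access-list VPN-TO-SITE1 extended permit ip 10.10.10.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list VPN-TO-SITE2 extended permit ip 10.10.10.0 255.255.255.0 4.4.4.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE1
crypto map OUTSIDE-MAP 10 set peer <APPLIANCE-1-PUBLIC-IP>
crypto map OUTSIDE-MAP 20 match address VPN-TO-SITE2
crypto map OUTSIDE-MAP 20 set peer <APPLIANCE-2-PUBLIC-IP>
```

To confirm the translation is applied before the crypto ACL is evaluated on an appliance, `packet-tracer input inside icmp 192.168.1.10 8 0 10.10.10.10` should show the NAT phase rewriting the source to 3.3.3.10 (or 4.4.4.10) and the VPN encrypt phase matching VPN-TO-HQ; `show nat` and `show crypto ipsec sa` then show hit counts on the expected rule and SA. Because the hub only ever sees 3.3.3.10 and 4.4.4.10, both sites' 192.168.1.10 hosts can reach 10.10.10.10 at the same time, and the hub's own ACLs can still be written per site (for example permitting 3.3.3.0/24 only to 10.10.10.10 and 4.4.4.0/24 only to 10.10.10.11) if the split in Question 2 is wanted.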