04-17-2017 11:43 AM
Hello all,
At my work we currently have a single ASA 5512 in our HQ, and we are using a pair of antennas as a wireless bridge to our branch site. The problem is that the branch site is using the same subnet (192.168.0.0/24) as our HQ, as you can see in Figure 1. However, we are getting a 200Mbps fiber link at our branch site along with an ASA 5510, so that it will look like Figure 2. I would like to set up a VPN tunnel between the two offices, but I don't know how to go about doing it. Any help would be appreciated.
P.S. If it makes any difference, the entirety of our servers (SQL, Web, NAS, etc.) are in the branch site. In our HQ we have just user PCs and network printers.
04-18-2017 05:36 PM
Hi Oscar Martinez,
Well, it seems like you only need to create an S2S tunnel between your 5510 Branch and your 5512 HQ, so in that case you can follow this guide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc8
Now, besides understanding how to configure the S2S tunnel, you also need to configure a NAT for your HQ (considering the Branch is doing some other things); in this case this is the NAT you can use:
On the HQ, considering it is running version 8.4 or higher, using a twice NAT:
! HQ inside network, real and mapped (what the branch will see us as)
object network inside_real
 subnet 192.168.0.0 255.255.255.0
object network inside_nat
 subnet 10.10.10.0 255.255.255.0
! Branch network, real and mapped (what HQ users will address it as)
object network real_branch
 subnet 192.168.0.0 255.255.255.0
object network nat_branch
 subnet 10.198.16.0 255.255.255.0
! Twice NAT: destination is written as "mapped real", so HQ users send to
! 10.198.16.x and the ASA untranslates it to the branch's 192.168.0.x
nat (inside,outside) source static inside_real inside_nat destination static nat_branch real_branch no-proxy-arp
In that case the interesting traffic of the VPN tunnel should be:
access-list crypto_map_1 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
And when someone on the HQ needs to access something on the branch in the IP range 192.168.0.0, they will have to use the 10.198.16.0 range instead, so this is going to make sure the traffic is not overlapping.
That's kind of my example; in case it is not clear enough, I found some other people explaining the same on some other ASA versions, and instead of doing a twice NAT they are doing a NAT on both ASAs:
http://resources.intenseschool.com/l2l-vpn-on-cisco-asa-with-overlapping-addresses-access-to-both-asas/
Hope this info helps!!
Rate if it helps you!
-JP-
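To make the mapped/real ordering in that twice-NAT rule concrete, here is an added Python model (written for this thread, not from the post or from Cisco) of what the HQ ASA does to source and destination addresses in both directions, and which flows the HQ crypto ACL then selects. The host addresses used (192.168.0.5, 10.198.16.20, 192.168.0.20) are constructed for illustration.

```python
import ipaddress

# Constructed model of the HQ twice-NAT rule from the post. Both sites
# really use 192.168.0.0/24, so each side gets a mapped network that the
# other side uses to address it.
HQ_REAL = ipaddress.ip_network("192.168.0.0/24")        # inside_real
HQ_MAPPED = ipaddress.ip_network("10.10.10.0/24")       # inside_nat
BRANCH_REAL = ipaddress.ip_network("192.168.0.0/24")    # real_branch
BRANCH_MAPPED = ipaddress.ip_network("10.198.16.0/24")  # nat_branch

# Interesting traffic as the HQ crypto ACL sees it (post-NAT addresses):
# access-list crypto_map_1 extended permit ip 10.10.10.0/24 192.168.0.0/24
HQ_CRYPTO_ACL = (HQ_MAPPED, BRANCH_REAL)

def static_map(addr, from_net, to_net):
    """One-to-one static NAT: keep the host part, swap the network part."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

def hq_nat(src, dst):
    """Apply the twice-NAT rule to a packet seen by the HQ ASA, in either
    direction. Returns (new_src, new_dst) as strings, or None when the rule
    does not match and the packet is forwarded untranslated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # inside -> outside: HQ host talking to the branch's mapped range
    if src in HQ_REAL and dst in BRANCH_MAPPED:
        return (str(static_map(src, HQ_REAL, HQ_MAPPED)),
                str(static_map(dst, BRANCH_MAPPED, BRANCH_REAL)))
    # outside -> inside: branch host replying to an HQ mapped address
    if src in BRANCH_REAL and dst in HQ_MAPPED:
        return (str(static_map(src, BRANCH_REAL, BRANCH_MAPPED)),
                str(static_map(dst, HQ_MAPPED, HQ_REAL)))
    return None

def is_interesting(src, dst):
    """Would the HQ crypto ACL select this (already translated) flow?"""
    return (ipaddress.ip_address(src) in HQ_CRYPTO_ACL[0]
            and ipaddress.ip_address(dst) in HQ_CRYPTO_ACL[1])

def hq_to_branch(src, dst):
    """HQ user -> branch server: translate, then check the crypto ACL.
    Returns the translated pair if it would enter the tunnel, else None."""
    translated = hq_nat(src, dst)
    if translated and is_interesting(*translated):
        return translated
    return None
```

A local HQ flow such as 192.168.0.5 to a printer at 192.168.0.9 never matches the rule, so it stays on the HQ LAN; only flows addressed to 10.198.16.x are translated and enter the tunnel.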
04-20-2017 06:22 AM
Hello JP,
Thank you so much. That is a clear explanation, and the link you gave me is concise too! If I have any issues I'll report back. Thanks again!