Help with Site to Site VPN Configuration

Oscar Martinez, Level 1

Hello all, 

At my work we currently have a single ASA 5512 in our HQ and we are using a pair of antennas as a wireless bridge to our branch site. The problem is the branch site is using the same subnet (192.168.0.0/24) as our HQ, as you can see in Figure 1. However, we are getting a 200 Mbps fiber link on our branch site along with an ASA 5510, so that it will look like Figure 2. I would like to set up a VPN tunnel between the two offices, but I don't know how to go about doing it. Any help would be appreciated.

P.S. If it makes any difference, the entirety of our servers (SQL, Web, NAS, etc.) are in the branch site. In our HQ we have just user PCs and network printers.

Accepted Solution

JP Miranda Z, Cisco Employee

Hi Oscar Martinez,

Well, it seems like you only need to create a S2S tunnel between your 5510 Branch and your 5512 HQ, so in that case you can follow this guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc8

Now, besides understanding how to configure the S2S tunnel, you also need to configure a NAT for your HQ (considering the Branch is doing some other things); in this case this is the NAT you can use:

On the HQ, considering it is running version 8.4 or higher, using a twice NAT:

object network inside_real
 description HQ LAN, real address
 subnet 192.168.0.0 255.255.255.0
object network inside_nat
 description HQ LAN as the branch sees it
 subnet 10.10.10.0 255.255.255.0
object network real_branch
 description branch LAN, real address (overlaps with HQ)
 subnet 192.168.0.0 255.255.255.0
object network nat_branch
 description branch LAN as HQ users must address it
 subnet 10.198.16.0 255.255.255.0

nat (inside,outside) source static inside_real inside_nat destination static nat_branch real_branch no-proxy-arp

(Twice-NAT syntax lists the destination objects mapped first, then real: HQ hosts send to 10.198.16.0/24 and the ASA rewrites that to 192.168.0.0/24 before encryption.)

In that case the interesting traffic of the VPN tunnel should be:

access-list crypto_map_1 extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0

And when someone on the HQ needs to access something on the branch in the IP range 192.168.0.0, they will have to use the 10.198.16.0 range instead, so this is going to make sure the traffic is not overlapping.

That's kind of my example; in case it is not clear enough, I found some other people explaining the same on some other ASA versions, and instead of doing a twice NAT they are doing a NAT on both ASAs:

http://resources.intenseschool.com/l2l-vpn-on-cisco-asa-with-overlapping-addresses-access-to-both-asas/

Hope this info helps!!

Rate if it helps you!

-JP-

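As an added worked example (editor's code, not JP's configuration and not Cisco's guide), here is the relevant configuration for both ASAs in ASA 8.4+ syntax. It assumes addressing the thread does not give: HQ outside 203.0.113.10, branch outside 198.51.100.10, interfaces named inside/outside, IKEv1 with a pre-shared key, and DH group 5 (use group 14 if both running releases support it). It also adds the branch side, which the thread does not show: the branch ASA keeps its real 192.168.0.0/24 and simply sees HQ as 10.10.10.0/24, so it needs an identity twice NAT (exemption) ahead of its Internet PAT plus the mirrored crypto ACL, otherwise the tunnel comes up but return traffic gets PATed or dropped.

```cisco
! ===== HQ ASA 5512 (ASA 8.4+ syntax), added example =====
! Assumed, not from the thread: HQ outside 203.0.113.10, branch outside
! 198.51.100.10, interface names inside/outside, IKEv1 with a PSK.
object network HQ_real
 description HQ LAN as it really is
 subnet 192.168.0.0 255.255.255.0
object network HQ_mapped
 description HQ LAN as the branch will see it
 subnet 10.10.10.0 255.255.255.0
object network BRANCH_real
 description branch LAN as it really is (overlaps with HQ)
 subnet 192.168.0.0 255.255.255.0
object network BRANCH_mapped
 description branch LAN as HQ users must address it
 subnet 10.198.16.0 255.255.255.0
!
! Twice NAT at line 1 so it is evaluated before any Internet PAT rule.
! A packet 192.168.0.x -> 10.198.16.y enters the tunnel as 10.10.10.x -> 192.168.0.y.
! In "destination static A B", A is the mapped address (what inside hosts dial), B the real one.
nat (inside,outside) 1 source static HQ_real HQ_mapped destination static BRANCH_mapped BRANCH_real no-proxy-arp route-lookup
!
! The crypto ACL matches post-NAT addresses.
access-list HQ_TO_BRANCH extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HQ_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group5
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <strong-random-psk>
!
! ===== Branch ASA 5510 (mirror image), added example =====
! No address rewriting here: the branch keeps 192.168.0.0/24 and sees HQ as 10.10.10.0/24.
! Identity twice NAT at line 1 exempts tunnel traffic from the branch's own Internet PAT.
object network BRANCH_LAN
 subnet 192.168.0.0 255.255.255.0
object network HQ_mapped
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) 1 source static BRANCH_LAN BRANCH_LAN destination static HQ_mapped HQ_mapped no-proxy-arp route-lookup
! Mirror of the HQ crypto ACL (source and destination swapped).
access-list BRANCH_TO_HQ extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address BRANCH_TO_HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group5
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <strong-random-psk>
```

To check the HQ side before relying on it, run `packet-tracer input inside icmp 192.168.0.50 8 0 10.198.16.20` on the 5512: the NAT phase should show the flow rewritten to 10.10.10.50 -> 192.168.0.20 and the VPN phase should match ACL HQ_TO_BRANCH; `show nat detail` confirms the twice-NAT rule is hit and `show crypto ipsec sa` shows encaps/decaps counters moving in both directions. Two practical caveats this setup implies: HQ users must reach branch servers by their 10.198.16.x alias, so any DNS records or shortcuts pointing at 192.168.0.x will resolve to the HQ LAN instead of the branch; and a manual mapping like this is a stopgap, so plan to renumber one site once the fiber link is in.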

2 Replies


Hello JP, 

Thank you so much. That is a clear explanation and the link you gave me is concise too! If I have any issues I'll report back. Thanks again!