07-06-2010 01:08 PM - edited 02-21-2020 04:43 PM
I am trying to configure an ipsec tunnel with a site that has an overlapping subnet with mine. How can I overcome this? I am using ASA firewalls on both ends.
Thanks for your help
07-06-2010 01:27 PM
Hi,
This is no problem.
You just need to use Policy-NAT on both ends (since you're using ASAs this is no problem at all).
Basically you translate the LANs on both ends to a different subnet so that there's no overlapping problem and the interesting traffic is between the NATed subnets.
Federico.
07-06-2010 01:43 PM
Thanks for the reply. Do you know where I can see sample configurations for this?
07-06-2010 01:50 PM
Honestly I don't have an example, but let me try to explain here...
Let's assume this example:
Site A:
10.1.1.0/24 --> NAT to 192.168.1.0/24
Site B:
10.1.1.0/24 --> NAT to 192.168.2.0/24
On Site A:
access-list nat permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.1.0 access-list nat
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
On Site B:
access-list nat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list nat
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
So, both networks will see each other as 192.168.x.0/24
Federico.
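To trace what the two static policy-NAT statements above actually do to a packet, here is a small model of both ASAs' translation and crypto-ACL matching. This is an added illustration, not configuration or code from the thread; the dictionaries and function names are my own, and the hosts 10.1.1.10 (Site A) and 10.1.1.20 (Site B) are constructed sample addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two-site design from the post above:
# each site has a real LAN, the subnet it is NATed to, and the
# subnet the remote site is NATed to (what our hosts must address).
SITE_A = {"real": ip_network("10.1.1.0/24"),
          "mapped": ip_network("192.168.1.0/24"),
          "remote_mapped": ip_network("192.168.2.0/24")}
SITE_B = {"real": ip_network("10.1.1.0/24"),
          "mapped": ip_network("192.168.2.0/24"),
          "remote_mapped": ip_network("192.168.1.0/24")}


def translate(net_from, net_to, addr):
    """One-to-one static mapping: keep the host part, swap the prefix."""
    offset = int(addr) - int(net_from.network_address)
    return ip_address(int(net_to.network_address) + offset)


def outbound(site, src, dst):
    """'static (inside,outside) <mapped> access-list nat' only fires when
    src is in the real LAN AND dst is in the peer's mapped LAN (policy NAT).
    Returns (src_after_nat, dst, matches_crypto_acl)."""
    if src in site["real"] and dst in site["remote_mapped"]:
        src = translate(site["real"], site["mapped"], src)
    interesting = src in site["mapped"] and dst in site["remote_mapped"]
    return src, dst, interesting


def inbound(site, src, dst):
    """Reverse side of the same static entry: traffic from the peer's mapped
    LAN to our mapped LAN gets its destination un-translated to the real LAN."""
    if src in site["remote_mapped"] and dst in site["mapped"]:
        dst = translate(site["mapped"], site["real"], dst)
    return src, dst


def end_to_end(initiator, responder, src, dst):
    """Packet as seen by the responder's LAN host, or None if the crypto
    ACL at the initiator would not classify it as VPN traffic."""
    s, d, interesting = outbound(initiator, src, dst)
    if not interesting:
        return None
    return inbound(responder, s, d)
```

Running end_to_end in both directions shows each side's host arriving at the peer with a 192.168.x.0/24 source and a real 10.1.1.x destination; a host that addresses the peer by its real 10.1.1.0/24 address never matches the crypto ACL.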
07-06-2010 01:57 PM
Hello,
Yes, BUT only the NATed network will be able to initiate the tunnel. For example, if you use policy NAT and your network 10.10.10.0 is translated to 192.168.10.0, then your network will be able to initiate the VPN tunnel, but the remote site, for example 172.16.32.0, will not be able to reach the network 192.168.10.0 (the 10.10.10.0 NATed).
This kind of translation is NOT bidirectional. Like a static NAT.
Here is a scenario
In this case only the network that is being NATed can initiate the tunnel. Once the SAs are built up, communication is bidirectional...
I hope it helps.
07-06-2010 02:00 PM
You only have to NAT ONE site. If you NAT them both I think that the SAs will never be built. Check out this link.
It says:
"If you try to initiate the tunnel from the PIX-B, the destination address of the VPN interesting traffic 172.18.1.0, for example, the NATed network address of PIX-A, is not reachable. So you must initiate the VPN tunnel only from the PIX-A."
07-06-2010 02:02 PM
If you do the static Policy NAT, you have to NAT on both ends and can initiate the tunnel from either side.
Federico.
07-06-2010 02:08 PM
Then I do not understand the example provided by Cisco.
07-06-2010 02:12 PM
Diego,
I agree with you in that the example is not clear.
But I can tell you from experience, that I have done it and it works as I told you.
Federico.