Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
3
Replies

L2L between 2 ASA's Same subnets unique IP Addresses

itsupport
Level 1
Level 1

‎09-16-2013 12:18 PM

Hello,

We have been seeding a Hyper-V replica on site for a while now using IP addresses on the same subnet and will be moving this equipment to a disaster recovery location and using a L2L VPN between 2 ASAs (a 5555-x at HQ and a 5505 at DR).

Ive configured both firewalls to NAT to different subnets due to overlapping subnets at both ends using this document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

however as there are no duplicate IP addresses at either end, is this really needed?

Regards,

Steve

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎09-16-2013 12:26 PM

Hi,

Well if I understood you correctly you would still be having same subnets on both ends of the L2L VPN connection?

If this is the case and if you didnt perform NAT on both ends and even if you didnt have overlapping IP addresses in these identical subnets the traffic would never leave either sites network because without NAT the connection would already fail at the very start when the source host would determine that the destination host is in the same network and instead of sending the traffic gateway (ASA) it would simply try to ARP for the MAC address of the destination IP address and would fail because of that.

- Jouni

0 Helpful

itsupport
Level 1
Level 1
In response to Jouni Forss

‎09-16-2013 12:35 PM

Hi Jouni,

Many thanks for the quick response, most appreciated. You are correct in that the subnets are identical and hence why i went ahead and confiured the NAT according to that document.

Is this the only way to achieve my end result then?Am i right in saying to test connectivity i will have to ping the NAT'd address at the other end?

Regards,

Steve

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to itsupport

‎09-16-2013 01:39 PM

Hi,

Yes, to connect from either site to the other you will have to target the NAT IP address.

I would imagine if you really wanted to implement a network setup between 2 different sites and use the same subnet on each of the sites you could have to configure L2 connectivity between these sites.

This is however something the ASA can not do.

On the other hand, to my understanding the Cisco Routers are able to use the existing L3 connectivity between the sites to actually create a L2 connection between these sites but this is not something I have personally tried even though it would be a pretty interesting thing to test.

Here are some documents I looked up quickly related to the above thing I mentioned

They deal with L2TPv3

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080c14308.shtml

http://www.cisco.com/en/US/products/ps6587/products_white_paper09186a00800a8444.shtml

http://packetpushers.net/extending-layer-2-across-layer-3-with-l2tpv3-pseudo-wires/

Hope this helps

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents