Multiple VPN endpoints with bi-directional NAT

wade
Level 1

I have a customer who wants to migrate between offices within the same city slowly across a couple of weeks. They want to have the same subnet in two locations without actually forwarding L2 traffic across the internet. I suggested we set up a bi-directional NAT scenario. I know it will be some effort, but I believe I can set that up.

The scenario is Site A and Site B both are in the same city. Site A will have a VPN tunnel to Site B with ASAs on both sides of the tunnel, and both sites will have a subnet of 10.10.10.0/24. I plan on configuring NAT to trick that into working. Now, we have Site C in another city that needs to talk to 10.10.10.0/24 - and that VPN is currently working from Site C to Site B. They want to have VPN traffic initiated from Site C through Site B to Site A.

I don't believe that can be done without passing L2 info across the internet. I don't think the bi-directional NAT can be processed successfully for the VPN tunnel.

Anyone have any thoughts?

2 Replies

adawa
Level 3

Hello, wade. 

If you have an 8.3 software version of your ASA, then NAT configuration is possible as per:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html#wp1080960

What is the model and software version of your ASA? 

Let me know if you have additional concerns or e-mail me directly (adawa@cisco.com). Kind regards.
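A sketch of the overlapping-subnet NAT the reply above points to, added here as an example and not taken from the thread or from Cisco's documentation. It assumes ASA 8.3+ twice-NAT syntax, interfaces named `inside` and `outside`, and constructed ranges: 192.168.101.0/24 as Site A's mapped range, 192.168.102.0/24 as Site B's, and 172.16.30.0/24 as Site C's real subnet; all object and ACL names are hypothetical. With this layout hosts reach the other site through its mapped range, not through 10.10.10.x.

```cisco
! ---- Shared object definitions (constructed names and ranges) ----
object network LOCAL-REAL
 subnet 10.10.10.0 255.255.255.0
object network SITEA-MAPPED
 subnet 192.168.101.0 255.255.255.0
object network SITEB-MAPPED
 subnet 192.168.102.0 255.255.255.0
object network SITEC-REAL
 subnet 172.16.30.0 255.255.255.0

! ---- Site A ASA ----
object-group network VPN-REMOTES
 network-object object SITEB-MAPPED
 network-object object SITEC-REAL
! Present 10.10.10.0/24 as 192.168.101.0/24 only toward the VPN peers;
! the destination side is left untranslated.
nat (inside,outside) source static LOCAL-REAL SITEA-MAPPED destination static VPN-REMOTES VPN-REMOTES
! Crypto ACL is matched after NAT, so it names the mapped source.
access-list CRYPTO-A-TO-B extended permit ip object SITEA-MAPPED object-group VPN-REMOTES

! ---- Site B ASA (terminates both tunnels) ----
! Toward Site A only, present the local 10.10.10.0/24 as 192.168.102.0/24.
nat (inside,outside) source static LOCAL-REAL SITEB-MAPPED destination static SITEA-MAPPED SITEA-MAPPED
! Let traffic arriving on one tunnel leave on another through the same interface.
same-security-traffic permit intra-interface
! Tunnel to Site A carries Site B's mapped range and Site C's subnet.
access-list CRYPTO-B-TO-A extended permit ip object SITEB-MAPPED object SITEA-MAPPED
access-list CRYPTO-B-TO-A extended permit ip object SITEC-REAL object SITEA-MAPPED
! Tunnel to Site C gains a selector for Site A's mapped range;
! the existing 10.10.10.0/24 selector for Site B stays unchanged.
access-list CRYPTO-B-TO-C extended permit ip object SITEA-MAPPED object SITEC-REAL
```

Site C's peer needs the mirror-image selector (172.16.30.0/24 to 192.168.101.0/24) added to its existing tunnel to Site B, since 10.10.10.0/24 from Site C's point of view can only ever mean one site.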

Hi Wade,

Do you already have VPN devices for this? If so, what devices are you currently using? I suggest using SSL connection to connect your branch office to your main office. You can look at Cisco ASA 5500-X series for this project. This will also provide you next generation firewall services and other security features.

Hope this helps!