One of the local interfaces has the same IP subnet as the remote network for a site-to-site tunnel

zeeshan iqbal
Level 1

2 ASAs have a site-to-site tunnel.

ASA1 local network: 172.23.10.x

ASA2 local network: 192.168.60.x

ASA1 also has another interface in the 192.168.60.x subnet, and the remote network for one of its site-to-site tunnels has the same subnet as well. Now the ASA1 tunnel is up but there is no traffic, because it forwards all tunnel traffic to the local interface, as that subnet shows as directly connected in its routing table. If I disable the local 192.168.60.x interface, then I can see the tunnel traffic and the tunnel starts working fine.

How can I send tunnel traffic based on the source interface 172.23.10.x while keeping the local interface up?

1. I don't need communication between the 172.23.10.x interface and the local interface 192.168.60.x.

2. Local subnet 172.23.10.x needs to talk to remote network 192.168.60.x over the tunnel.

3. Remote VPN users to this ASA need to access local network 192.168.60.x but not 172.23.10.x.

Thank you, and waiting for suggestions.

2 Replies

malshbou
Level 1

You need to perform outside NAT, so that the remote subnet 192.168.60.x appears to ASA1 as another network (e.g. 192.168.80.x). ASA2 doesn't need any change, but ASA1 needs some changes.

Can you share your current config and ASA version?

Mashal

------------------ Mashal Shboul
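The outside NAT described in this reply, written out as an added example (not the responder's or the original poster's config). It assumes ASA 8.3+ NAT syntax and the interface names INSIDE1 (172.23.10.x), INSIDE2 (the local 192.168.60.x interface that stays up) and OUTSIDE, all of which are assumptions; the mapped subnet 192.168.80.x is the one suggested in the reply.

```cisco
! Added example, not the thread's own config. Assumed interface names:
! INSIDE1 = 172.23.10.x, INSIDE2 = local 192.168.60.x, OUTSIDE = public.
object network LOCAL-172-23-10
 subnet 172.23.10.0 255.255.255.0
object network REMOTE-REAL-192-168-60
 subnet 192.168.60.0 255.255.255.0
object network REMOTE-MAPPED-192-168-80
 subnet 192.168.80.0 255.255.255.0
!
! Manual (twice) NAT: a 172.23.10.x host addresses the remote site as
! 192.168.80.x; the ASA rewrites the destination to 192.168.60.x.
! Because the rule names OUTSIDE as the mapped interface and does not use
! "route-lookup", the ASA forwards the packet out OUTSIDE instead of
! following the routing table, where 192.168.60.0/24 is directly connected
! on INSIDE2. Return traffic is translated back symmetrically.
nat (INSIDE1,OUTSIDE) source static LOCAL-172-23-10 LOCAL-172-23-10 destination static REMOTE-MAPPED-192-168-80 REMOTE-REAL-192-168-60
!
! The crypto ACL matches post-NAT (real) addresses, so it stays a mirror
! of ASA2's interesting-traffic ACL and ASA2 needs no change.
access-list VPN-TO-ASA2 extended permit ip 172.23.10.0 255.255.255.0 192.168.60.0 255.255.255.0
```

Hosts on 172.23.10.x must reach the remote site using the 192.168.80.x addresses (DNS or host entries adjusted accordingly); traffic to 192.168.60.x itself still goes to the local INSIDE2 network, which keeps requirement 3 working for remote VPN users.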

Hi Mashal,

Thank you for your reply.

You mean to NAT the tunnel traffic? But on which interface do I need to configure NAT? I have an outside public interface, local int1 having 172.23.10.x and another local int2 having 192.168.60.x.

And afterwards, will the remote network for the site-to-site tunnel be the NATted address 192.168.80.x?

How can I NAT the whole subnet from 192.168.60.x to 192.168.80.x with a single command?

Thank you again and regards.

zeeshan