Overlapping Subnets on IPSec VPN between ASA and IOS Router

jordan.villarreal · ‎02-03-2012

I currently have two networks, the primary site behind an ASA5505 and a new remote site behind an 2911 and I need to establish an IPSec site-to-site VPN from the remote site into my primary behind the ASA. I have several remote sites built in this manner and getting a VPN stood up between the two sites isn't a difficult task for me. This new site, however, is the first time I'm encountering overlapping IP space. For simplification I'll just say that both sides are using 192.168.1.0/24. The way I'd like to handle this is to take a non-conflicting /24 block and nat the remote side behind that range. Initially I'll only need access to 1 server behind that /24 block so I'm also thinking I'd probably just want to set the server on the remote side to a good static local address then just nat a single IP from the non-conflicting /24 block. Then when the 2nd server comes online get it statically set on the remote side and slap a new nat rule in place.

Any suggestions on where to go with this?

Thanks!

Ashley Sahonta · ‎03-01-2012

I haven't configured this yet, however the following link makes sense:

http://roggyblog.blogspot.com/2009/10/pixasa-site-to-site-l2l-vpn-with_27.html

The configuration in that link allows you to configure a site to site VPN with overlapping subnets.

Jason Gervia · ‎03-01-2012

And the official Cisco links (though they don't combine a router and an ASA):

2 ASAs:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

2 Routers:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml