Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
819
Views
0
Helpful
5
Replies

RA VPN to Hub and Spoke with Overlapping Spoke Addresses

Cory Anderson
Level 1
Level 1

‎11-01-2018 11:42 AM - edited ‎03-12-2019 05:31 AM

Hi All,

I have a scenario where a customer has security stack in AWS in a centralized VPC.  They're trying to use a single ASA to protect multiple VPCs that have duplicate IP Addresses. They need to use site-to-site VPNs from the perimeter (hub) VPC to the spokes using a CSR to the AWS VPN service.  The spokes never talk to each other, but all VPCs will need to be able to communicate with the internet.  Remote access clients need to be able talk to each VPC, with specific tunnel groups assigned to VPCs.

 

How would you guys recommend accomplishing this?  VRF's with NAT/route leaking on the CSR?  I'd prefer simplicity if at all possible.

 

An example topology is below:

Perimeter Stack.jpg

 

Labels:
0 Helpful
5 Replies 5

a.alekseev
Level 7
Level 7

‎11-01-2018 11:53 AM

Use virtual contexts in ASA
0 Helpful

Cory Anderson
Level 1
Level 1
In response to a.alekseev

‎11-01-2018 06:39 PM

Unfortunately, the ASAv doesn't support multiple contexts.

0 Helpful

David Castro F.
Spotlight
Spotlight

‎11-02-2018 12:47 AM

Hello Cory,

 

Unfortunately you Will require to create VRFs for each spoke and NAT them on the VRF since the ASA wont support this scenerario not even if the ASA you have doesn't support multiple context. Now the ASA can NAT those addresses to a públic address so every VPC spoke can have access to Internet, and also the remote access in the split tunnel acl add the NATed addresses of every VPC spoke and on the VRF a route back to the RA IP pool. Now with the site to site the ASA should NAT the address for the VPN gw for each spoke as well. This way it can work.

 

Let me Know if you have any other doubt,

 

Please rate all of the helpful answers.

 

Regards,

 

David Castro, 

0 Helpful

Cory Anderson
Level 1
Level 1
In response to David Castro F.

‎11-06-2018 07:38 AM

That's for the most part what I ended up doing.  The Remote access VPNs are all in a different VPN pool, based on tunnel group.  I used the CSR router with PBR to put them into the correct VRF.  For outbound traffic, I'm using PAT so the devices can get to the internet.

0 Helpful

David Castro F.
Spotlight
Spotlight
In response to Cory Anderson

‎11-06-2018 08:08 AM

Excelente Cory, I have gone through that and well you have to do what you have to do with the resources you have. 

 

Have a great day man!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents