
Same subnet on all VPN endpoints?

Does anyone know if it's possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel?  I have to create 18 ASA5505 tunnels back to one ASA5510.  Instead of having 18 subnets out there it sounds more efficient for my application just to have one.  Sort of a CLOUD (there's that word) arrangement.

Just wondering.


Accepted Solutions

Of course, but you would have to use NAT

Sent from Cisco Technical Support iPad App

Andrew, thank you!  Could you provide some details and some examples?

Andrew, I think you may have given me the wrong example.  I gave the "correct answer" too quickly, before I really read the example.  Are you sure you understood my question? Jim

If you NAT each spoke, you will have to make nat translations for any services behind the NAT Address. Sounds like a pain to me!

Yeah, this started out as "Wouldn't it be nice and easy to have the same subnet at all ends of this hub and spoke arrangement".   The reading I've seen so far is leading me to the conclusion that this type of NATting is for that rare instance where two companies merge and they have the same subnets on their internal networks.  It doesn't look like it would scale easily beyond that.

I'm always looking for the easy way out!  But I see no free lunch here.

I understood your question - and the URL I posted has all the information/examples that you need to get this working.  If you were hoping for a more specific exact config example that you could copy - I am not sure one exists, as everybody's requirements are slightly different.  Let me put a sample config together; this will point you in the right direction.

So I would try something like


interface xxxx
 nameif outside
 security-level 0
 ip address

interface xxxx
 nameif Inside
 security-level 100
 ip address

crypto map vpntunnel 1 match address vpn-nat
crypto map vpntunnel 1 set peer

access-list internet-nat extended deny ip
access-list internet-nat extended permit ip any
access-list vpn-nat extended permit ip
access-list site-nat extended permit ip

global (outside) 1 interface - PAT for internet traffic
nat (inside) 0 access-list vpn-nat - do not "double" NAT the VPN traffic
nat (inside) 1 access-list internet-nat - identifies the traffic to NAT going to the internet
static (inside,outside)  access-list site-nat - NAT the same subnet traffic before it enters the VPN tunnel.

The same subnets are and converting them into the

Yes, I see now.  Can this be scaled up to my needs?

I suppose so - but as you can see there is a lot of configuration work to be done at the spokes; also, if you have 20 spoke sites, the Hub must be configured with the example 20 times.

It all depends on how much work and how big a headache you want to give yourself.  To be honest, just assign each site its own subnet.
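As an added example (not from the thread, and not Cisco's code), the following Python script generates the per-spoke and per-hub-entry configuration that the sample above describes, in the same pre-8.3 nat/global/static syntax, for any number of spokes, and refuses an addressing plan in which the translated subnets collide with each other or with the hub LAN. Everything in it is an assumption chosen for illustration: every spoke LAN is 192.168.1.0/24, the hub LAN is 10.0.0.0/24, spoke N is presented to the hub as 10.10.N.0/24, the peer addresses come from the 203.0.113.0/24 documentation range, and the pre-shared key is a placeholder. It also makes one point the thread only implies: the crypto ACL on the spoke must be written in the translated (post-NAT) addresses, and a nat 0 exemption on the spoke that matches the real LAN would take precedence over the static and defeat the translation, so the spoke side here has no such exemption.

```python
"""Generate hub-and-spoke ASA config (pre-8.3 NAT syntax) for spokes that all use the same LAN.

Added example, not from the forum thread. All addresses, ACL and map names, peers and the
pre-shared key are constructed assumptions for illustration only.
"""
import ipaddress

SPOKE_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed: identical at every spoke
HUB_LAN = ipaddress.ip_network("10.0.0.0/24")        # assumed: unique hub LAN
HUB_PEER = "203.0.113.1"                              # placeholder hub outside address
MAPPED_BASE = "10.10.{n}.0/24"                        # what spoke N looks like inside the tunnel
PSK_PLACEHOLDER = "<PRE-SHARED-KEY>"                  # never commit a real key to a generator


def spoke_peer(n: int) -> str:
    """Placeholder public address of spoke N (documentation range)."""
    return f"203.0.113.{n + 10}"


def mapped_subnet(n: int) -> ipaddress.IPv4Network:
    """The unique translated /24 that spoke N presents to the hub."""
    return ipaddress.ip_network(MAPPED_BASE.format(n=n))


def addressing_conflicts(n_spokes: int, hub_lan=HUB_LAN) -> list:
    """List every overlap between a mapped subnet and the hub LAN or another mapped subnet."""
    problems, seen = [], {}
    for n in range(1, n_spokes + 1):
        net = mapped_subnet(n)
        if net.overlaps(hub_lan):
            problems.append(f"spoke {n}: mapped {net} overlaps hub LAN {hub_lan}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"spoke {n}: mapped {net} overlaps spoke {other}")
        seen[n] = net
    return problems


def plan_addressing(n_spokes: int, hub_lan=HUB_LAN) -> dict:
    """Return {spoke_number: mapped_subnet}, refusing any plan with overlapping ranges."""
    problems = addressing_conflicts(n_spokes, hub_lan)
    if problems:
        raise ValueError("; ".join(problems))
    return {n: mapped_subnet(n) for n in range(1, n_spokes + 1)}


def acl_line(name: str, action: str, src, dst) -> str:
    """One extended ACL entry in ASA network/mask form."""
    return (f"access-list {name} extended {action} ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}")


def spoke_config(n: int) -> list:
    """Spoke N: policy-static NAT the shared LAN to its mapped subnet before encryption."""
    mapped = mapped_subnet(n)
    return [
        f"! spoke {n}: {SPOKE_LAN} is presented to the hub as {mapped}",
        acl_line("site-nat", "permit", SPOKE_LAN, HUB_LAN),
        # policy static NAT applies only to hub-bound traffic; note there is deliberately
        # no 'nat (inside) 0' for the real LAN here, because exemption is evaluated first
        f"static (inside,outside) {mapped.network_address} access-list site-nat",
        # the crypto ACL uses post-NAT addresses: the ASA translates before it encrypts
        acl_line("vpn-nat", "permit", mapped, HUB_LAN),
        # keep hub-bound traffic out of the internet PAT
        acl_line("internet-nat", "deny", SPOKE_LAN, HUB_LAN),
        "access-list internet-nat extended permit ip any any",
        "global (outside) 1 interface",
        "nat (inside) 1 access-list internet-nat",
        "crypto map vpntunnel 1 match address vpn-nat",
        f"crypto map vpntunnel 1 set peer {HUB_PEER}",
        f"tunnel-group {HUB_PEER} type ipsec-l2l",
        f"tunnel-group {HUB_PEER} ipsec-attributes",
        f" pre-shared-key {PSK_PLACEHOLDER}",
    ]


def hub_config(n_spokes: int) -> list:
    """Hub: one crypto-map entry and crypto ACL per spoke, keyed on the spoke's mapped subnet."""
    plan = plan_addressing(n_spokes)
    lines = ["! hub: one crypto map entry per spoke, one exemption ACL for all of them"]
    for n, mapped in plan.items():
        peer, acl = spoke_peer(n), f"vpn-spoke{n}"
        lines += [
            acl_line(acl, "permit", HUB_LAN, mapped),
            f"crypto map vpntunnel {n} match address {acl}",
            f"crypto map vpntunnel {n} set peer {peer}",
            f"tunnel-group {peer} type ipsec-l2l",
            f"tunnel-group {peer} ipsec-attributes",
            f" pre-shared-key {PSK_PLACEHOLDER}",
        ]
    # the hub LAN is unique, so hub-to-spoke traffic is simply exempted from the hub's PAT
    lines += [acl_line("vpn-nat", "permit", HUB_LAN, m) for m in plan.values()]
    lines.append("nat (inside) 0 access-list vpn-nat")
    return lines


if __name__ == "__main__":
    print("\n".join(spoke_config(1)))
    print("\n".join(hub_config(18)))
```

Running it for 18 spokes shows the scaling cost the thread mentions in concrete terms: every spoke needs its own mapped subnet and static, and the hub grows by one ACL, one crypto-map entry and one tunnel-group per spoke, which is the bookkeeping that a per-site unique subnet avoids.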
