Does anyone know if it's possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel? I have to create 18 ASA5505 tunnels back to one ASA5510. Instead of having 18 subnets out there it sounds more efficient for my application just to have one. Sort of a CLOUD (there's that word) arrangement.
Andrew, I think you may have given me the wrong example. I gave the "correct answer" too quickly, before I really read the example. Are you sure you understood my question? Jim
Yeah, this started out as "Wouldn't it be nice and easy to have the same subnet at all ends of this hub and spoke arrangement". The reading I've seen so far is leading me to the conclusion that this type of NATing is for that rare instance where two companies merge and they have the same subnets on their internal networks. It doesn't look like it would scale easily beyond that.
I'm always looking for the easy way out! But I see no free lunch here.
I understood your question, and the URL I posted has all the information/examples that you need to get this working. If you were hoping for a more specific exact config example that you could copy, I am not sure one exists, as everybody's requirements are slightly different. Let me put a sample config together; this will point you in the right direction.
So I would try something like:
! outside interface (assumed; the sample does not show the interface lines)
ip address 18.104.22.168 255.255.255.0
! inside interface
ip address 192.168.1.1 255.255.255.0
! both entries must belong to the same crypto map name and sequence number
crypto map vpntunnel 1 match address vpn-nat
crypto map vpntunnel 1 set peer 22.214.171.124
access-list internet-nat extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list internet-nat extended permit ip 192.168.1.0 255.255.255.0 any
access-list vpn-nat extended permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list site-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
! PAT for internet traffic
global (outside) 1 interface
! do not "double" NAT the VPN traffic
nat (inside) 0 access-list vpn-nat
! identifies the traffic to NAT going to the internet
nat (inside) 1 access-list internet-nat
! NAT the same-subnet traffic before it enters the VPN tunnel
static (inside,outside) 172.16.1.0 access-list site-nat
The same subnet is 192.168.1.0/24 at every site, and we are converting it into 172.16.0.0/15.
I suppose so, but as you can see there is a lot of configuration work to be done at the spokes; also, if you have 20 spoke sites, the hub must be configured with the example 20 times.
It all depends on how much work and how big a headache you want to give yourself. To be honest, just assign each site its own subnet.
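As an added example (not Andrew's or Cisco's code), a small generator for the spoke-side lines from the sample config above and for the per-spoke hub entries that have to be repeated once per site: spoke N gets the translated 172.16.N.0/24 inside 172.16.0.0/16, so the identical 192.168.1.0/24 LANs stay distinguishable inside the tunnels. It assumes the hub's own LAN is translated to 172.16.0.0/24, uses constructed peer addresses and ACL names, and leaves out interface, ISAKMP and transform-set lines just as the sample does.

```python
# Added example (not from the thread or Cisco): per-spoke config generator for
# the sample above. Spoke N gets the translated 172.16.N.0/24 inside 172.16.0.0/16;
# the hub LAN is assumed translated to 172.16.0.0/24; peer IPs are constructed.
import ipaddress

REAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # same LAN at every site
VPN_SPACE = ipaddress.ip_network("172.16.0.0/16")   # translated address space
HUB_XLAT = ipaddress.ip_network("172.16.0.0/24")    # assumed hub translation
HUB_PEER = "203.0.113.1"                            # constructed hub outside IP

def fmt(net):
    """ASA ACLs take 'network mask', not CIDR notation."""
    return f"{net.network_address} {net.netmask}"

def translated_subnet(spoke_id):
    """Spoke N -> 172.16.N.0/24; N=0 is reserved for the hub, N>255 won't fit."""
    subnets = list(VPN_SPACE.subnets(new_prefix=24))
    if not 1 <= spoke_id < len(subnets):
        raise ValueError(f"spoke id {spoke_id} does not fit in {VPN_SPACE}")
    return subnets[spoke_id]

def spoke_config(spoke_id):
    """Spoke-side lines with the same structure as the sample config."""
    xlat = translated_subnet(spoke_id)
    return [
        f"access-list internet-nat extended deny ip {fmt(REAL_LAN)} {fmt(VPN_SPACE)}",
        f"access-list internet-nat extended permit ip {fmt(REAL_LAN)} any",
        f"access-list vpn-nat extended permit ip {fmt(xlat)} {fmt(VPN_SPACE)}",
        f"access-list site-nat extended permit ip {fmt(REAL_LAN)} {fmt(VPN_SPACE)}",
        "global (outside) 1 interface",
        "nat (inside) 0 access-list vpn-nat",
        "nat (inside) 1 access-list internet-nat",
        f"static (inside,outside) {xlat.network_address} access-list site-nat",
        "crypto map vpntunnel 1 match address vpn-nat",
        f"crypto map vpntunnel 1 set peer {HUB_PEER}",
    ]

def hub_crypto_entries(spoke_peers):
    """Hub side: one ACL plus crypto-map entry per spoke (the part that has to
    be repeated once per site), each matching that spoke's translated /24."""
    lines = []
    for spoke_id, peer in sorted(spoke_peers.items()):
        acl = f"vpn-spoke{spoke_id}"
        lines += [
            f"access-list {acl} extended permit ip {fmt(HUB_XLAT)} {fmt(translated_subnet(spoke_id))}",
            f"crypto map vpntunnel {spoke_id} match address {acl}",
            f"crypto map vpntunnel {spoke_id} set peer {peer}",
        ]
    return lines
```

Running spoke_config(3) prints the lines for the third site with 172.16.3.0 in place of 172.16.1.0; hub_crypto_entries({1: "198.51.100.1", 2: "198.51.100.2"}) prints the two hub entries for those spokes.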