cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2160
Views
0
Helpful
10
Replies

Same subnet on all VPN endpoints?

jgadbois
Level 1
Level 1

Does anyone know if it's possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel?  I have to create 18 ASA5505 tunnels back to one ASA5510.  Instead of having 18 subnets out there it sounds more efficient for my application just to have one.  Sort of a CLOUD (there's that word) arraignment.

Just wondering.

1 Accepted Solution
10 Replies 10

andrew.prince
Level 10
Level 10

Of course, but you would have to use NAT

Sent from Cisco Technical Support iPad App

Andrew, thank you!  Could you provide some details and some examples?

Andrew, I think you may have given me the wrong example.  I gave the "correct answer" too quickly, before I really read the example.  Are you sure you understood my question? Jim

If you NAT each spoke, you will have to make nat translations for any services behind the NAT Address. Sounds like a pain to me!

Yeah, this started out as "Wouldn't it be nice and easy to have the the same subnet at all ends of this hub and sopke arraignment".   The reading I've seen so far is leading me to the conclusion that this is type of natting is for that rare instance where two companies merge and they have the same subnets on their internal networks.  It doesn't look like it would scale easily beyond that.

I'm always looking for the easy way out!  But I see no free lunch here.

I understood your question - and the url I posted has all the information/examples that you need to get this working?  if you were hoping for a more specific exact config example that you could copy - I am not sure one exists, as everybody requirements are slightly different.  Let me put a sample config together, this will point you in the right direction.

So I would try something like

!

interface xxxx

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

!

interface xxxx

nameif Inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

crypto map vpntunnel 1 match address vpn-nat

crypto map vpntunnel-outside 1 set peer 2.2.2.2

access-list internet-nat extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list internet-nat extended permit ip 192.168.1.0 255.255.255.0 any

access-list vpn-nat extended permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list site-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

global (outside) 1 interface - PAT for internet traffic

nat (inside) 0 access-list vpn-nat - do not "double" nat the VPN traffic

nat (inside) 1 access-list internet-nat - Idents the traffic to NAT going to the internet

static (inside,outside) 172.16.1.0  access-list site-nat - NAT the same subnet traffic before it enters the VPN tunnel.

The same subnets are 192.168.1.0/24 and converting them into the 172.16.0.0/15

Yes, I see now.  Can this be scaled up to my needs?

I suppose so - but as you can see there is ALOT of configuration work to be done at the spokes, also if you have 20 spokes sites, the Hub must be configured with the example 20 times.

it all depends on how much work and how big a head ache you want to give yourself.  To be honest, just assign each site with it's own subnet.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: