07-07-2011 12:46 PM
Does anyone know if it's possible to have the same subnet on all of the endpoints of a hub and spoke VPN tunnel? I have to create 18 ASA5505 tunnels back to one ASA5510. Instead of having 18 subnets out there it sounds more efficient for my application just to have one. Sort of a CLOUD (there's that word) arrangement.
Just wondering.
07-07-2011 03:40 PM
Of course, but you would have to use NAT
Sent from Cisco Technical Support iPad App
07-08-2011 05:41 AM
Andrew, thank you! Could you provide some details and some examples?
07-08-2011 05:46 AM
07-10-2011 08:28 AM
Andrew, I think you may have given me the wrong example. I gave the "correct answer" too quickly, before I really read the example. Are you sure you understood my question? Jim
07-10-2011 05:12 PM
If you NAT each spoke, you will have to make NAT translations for any services behind the NAT address. Sounds like a pain to me!
07-11-2011 07:50 AM
Yeah, this started out as "Wouldn't it be nice and easy to have the same subnet at all ends of this hub and spoke arrangement". The reading I've seen so far is leading me to the conclusion that this type of NATting is for that rare instance where two companies merge and they have the same subnets on their internal networks. It doesn't look like it would scale easily beyond that.
I'm always looking for the easy way out! But I see no free lunch here.
07-11-2011 01:33 AM
I understood your question, and the URL I posted has all the information/examples that you need to get this working. If you were hoping for a more specific, exact config example that you could copy, I am not sure one exists, as everybody's requirements are slightly different. Let me put a sample config together; this will point you in the right direction.
07-11-2011 04:57 AM
So I would try something like
!
interface xxxx
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface xxxx
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Both crypto map lines must use the same map name, and the map must be applied to the outside interface.
! (ISAKMP policy, transform set and tunnel-group are left out of this sample.)
crypto map vpntunnel 1 match address vpn-nat
crypto map vpntunnel 1 set peer 2.2.2.2
crypto map vpntunnel interface outside
!
access-list internet-nat extended deny ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list internet-nat extended permit ip 192.168.1.0 255.255.255.0 any
! The crypto ACL matches the already-translated addresses, not the real 192.168.1.0/24
access-list vpn-nat extended permit ip 172.16.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list site-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
!
! PAT for internet traffic
global (outside) 1 interface
! do not "double" NAT the VPN traffic
nat (inside) 0 access-list vpn-nat
! identifies the traffic to NAT on its way to the internet
nat (inside) 1 access-list internet-nat
! NAT the same-subnet traffic into 172.16.1.0/24 before it enters the VPN tunnel
static (inside,outside) 172.16.1.0 access-list site-nat
The same subnets are 192.168.1.0/24, and they are converted into the 172.16.0.0/15.
07-11-2011 07:44 AM
Yes, I see now. Can this be scaled up to my needs?
07-11-2011 08:15 AM
I suppose so, but as you can see there is a lot of configuration work to be done at the spokes; also, if you have 20 spoke sites, the hub must be configured with the example 20 times.
It all depends on how much work and how big a headache you want to give yourself. To be honest, just assign each site its own subnet.
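To make the "configured 20 times" point concrete, here is an added example (not code from the thread or from Cisco) that renders the ASA 8.2-style policy-NAT fragment from the sample config above for every spoke: it carves one unique translated /24 per spoke out of 172.16.0.0/16, checks the plan for overlaps with the real LAN, the hub LAN and each other, and emits the hub's per-spoke crypto ACL and crypto map entries. The hub LAN of 172.16.0.0/24, the spoke peer addresses in 198.51.100.0/24 and the ACL names are constructed assumptions for this example.

```python
"""Added example: per-spoke policy NAT for a hub-and-spoke VPN where every spoke
reuses the same LAN subnet. Syntax follows the ASA 8.2-style nat/static lines
in the post above; addresses other than 2.2.2.2 and 192.168.1.0/24 are constructed."""
from ipaddress import IPv4Network

REAL_LAN = IPv4Network("192.168.1.0/24")   # the LAN reused at every spoke (from the post)
NAT_POOL = IPv4Network("172.16.0.0/16")    # aggregate of per-spoke translated ranges (from the post)
HUB_LAN = IPv4Network("172.16.0.0/24")     # constructed: hub's own LAN, sits inside NAT_POOL
HUB_PEER = "2.2.2.2"                       # hub outside address (from the post)


def allocate_translated_subnets(n_spokes, pool=NAT_POOL, prefixlen=24):
    """Return n unique translated /24s from the pool, skipping any that overlap the hub LAN."""
    candidates = [s for s in pool.subnets(new_prefix=prefixlen) if not s.overlaps(HUB_LAN)]
    if n_spokes > len(candidates):
        raise ValueError(f"pool {pool} holds only {len(candidates)} free /{prefixlen} ranges")
    return candidates[:n_spokes]


def check_plan(translated, real=REAL_LAN, pool=NAT_POOL):
    """True only if every translated range is inside the pool, disjoint from the real LAN
    and the hub LAN, and pairwise disjoint (a collision here means two spokes look alike)."""
    for i, a in enumerate(translated):
        if a.overlaps(real) or a.overlaps(HUB_LAN) or not a.subnet_of(pool):
            return False
        for b in translated[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def _net(n):
    """Render a network in the 'address mask' form the access-list command expects."""
    return f"{n.network_address} {n.netmask}"


def spoke_config(spoke_no, translated, real=REAL_LAN, pool=NAT_POOL, peer=HUB_PEER):
    """Spoke fragment: static policy NAT of the shared LAN into this spoke's translated /24."""
    return "\n".join([
        f"! spoke {spoke_no}: {real} appears to the hub as {translated}",
        f"access-list internet-nat extended deny ip {_net(real)} {_net(pool)}",
        f"access-list internet-nat extended permit ip {_net(real)} any",
        f"access-list vpn-nat extended permit ip {_net(translated)} {_net(pool)}",
        f"access-list site-nat extended permit ip {_net(real)} {_net(pool)}",
        "global (outside) 1 interface",
        "nat (inside) 1 access-list internet-nat",
        f"static (inside,outside) {translated.network_address} access-list site-nat",
        "crypto map vpntunnel 1 match address vpn-nat",
        f"crypto map vpntunnel 1 set peer {peer}",
    ])


def hub_config(spoke_peers, translated, hub_lan=HUB_LAN, pool=NAT_POOL):
    """Hub fragment: NAT exemption toward the pool, then one crypto ACL and one
    crypto map entry per spoke (this is the part that repeats N times)."""
    lines = [
        f"access-list hub-nonat extended permit ip {_net(hub_lan)} {_net(pool)}",
        "nat (inside) 0 access-list hub-nonat",
    ]
    for seq, (peer, t) in enumerate(zip(spoke_peers, translated), start=1):
        lines += [
            f"access-list vpn-spoke{seq} extended permit ip {_net(hub_lan)} {_net(t)}",
            f"crypto map vpntunnel {seq} match address vpn-spoke{seq}",
            f"crypto map vpntunnel {seq} set peer {peer}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed spoke outside addresses (TEST-NET-2), one per ASA5505
    peers = [f"198.51.100.{i}" for i in range(1, 19)]
    plan = allocate_translated_subnets(len(peers))
    assert check_plan(plan)
    for i, t in enumerate(plan, start=1):
        print(spoke_config(i, t), end="\n\n")
    print(hub_config(peers, plan))
```

Running it prints 18 spoke fragments plus a hub fragment with 18 crypto map entries, which is the workload the answer above warns about; the spoke side relies on the static policy NAT alone, and the only NAT exemption sits on the hub, whose real LAN must not be translated toward the pool. Any service at a spoke has to be reached through its translated address, which is the pain point raised earlier in the thread.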