Site 2 Site VPN with overlapping Internal IP Schema

abhishek.shah
Level 1

Hello,

I have 3 ASA 5505 firewalls and I am creating a full-mesh site-to-site tunnel between them. The problem I am facing is that two of the firewalls have the same internal schema: Site 1 has the internal schema 192.168.0.0, Site 2 has the internal schema 192.168.0.0, and Site 3 has the internal schema 10.10.10.0.

For that, do I have to create a policy static NAT and an access list?

I configured an access list like below:

access-list vpn_ih_site3_site1 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list vpn_ih_site3_site2 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0

Can anyone help me out with the static NAT? Any suggestion would be helpful.

10 Replies

Hi,

For overlapping addresses you need to NAT.

Site A: 192.168.1.0/24
Site B: 192.168.1.0/24

Site A:

access-list NAT permit ip 192.168.1.0 255.255.255.0 2.2.2.0 255.255.255.0
static (inside,outside) 1.1.1.0 access-list NAT
access-list VPN permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

Site B:

access-list NAT permit ip 192.168.1.0 255.255.255.0 1.1.1.0 255.255.255.0
static (inside,outside) 2.2.2.0 access-list NAT
access-list VPN permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

The above NATs Site A to 1.1.1.0 and Site B to 2.2.2.0.

Hope it helps.


Federico.
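Federico's recipe above, as an added example that is not code from the thread or from Cisco: a small Python planner that detects which site LANs overlap, gives each overlapping site a unique translated subnet from a pool (the 1.1.1.0/24 and 2.2.2.0/24 of his example), and emits the pre-8.3 ASA lines (policy NAT access list, static, and crypto ACL) each site needs towards a given peer. It also covers the third, non-overlapping site from the question, which only needs a NAT exemption. The site names, the pool, the interface names inside/outside and the ACL names NAT_<peer>, VPN_<peer> and nonat are assumptions for the example.

```python
"""Plan policy NAT for site-to-site VPNs whose LANs overlap (ASA pre-8.3 syntax).

Added example, not code from the thread: given the real LAN of each site and a
pool of translated subnets, decide which sites must be NATed and emit the lines
each site needs towards a peer. Interface names inside/outside and ACL names
NAT_<peer>, VPN_<peer> and nonat are assumptions.
"""
from ipaddress import IPv4Network
from itertools import combinations


def find_overlaps(sites):
    """Return the pairs of site names whose real LAN subnets overlap."""
    return [(a, b) for a, b in combinations(sites, 2) if sites[a].overlaps(sites[b])]


def plan_translations(sites, pool):
    """Map every site to the subnet the tunnel will carry for it.

    A site involved in any overlap gets the next subnet from the pool; a site
    with a unique LAN keeps its real subnet. The result is checked so that no
    two tunnel-visible subnets overlap, otherwise the crypto ACLs are ambiguous.
    """
    overlapping = {name for pair in find_overlaps(sites) for name in pair}
    pool_iter = iter(pool)
    visible = {}
    for name, lan in sites.items():
        if name in overlapping:
            mapped = next(pool_iter)
            if mapped.prefixlen != lan.prefixlen:
                raise ValueError(f"{name}: {mapped} must be the same size as {lan}")
            visible[name] = mapped
        else:
            visible[name] = lan
    for a, b in combinations(visible, 2):
        if visible[a].overlaps(visible[b]):
            raise ValueError(f"tunnel subnets for {a} and {b} still overlap")
    return visible


def site_config(site, peer, sites, visible):
    """Lines for `site` towards `peer`: policy static NAT when the LAN is
    rewritten, NAT exemption when it is not, then the crypto ACL entry."""
    lan, seen_as, peer_seen = sites[site], visible[site], visible[peer]
    lines = []
    if seen_as != lan:
        # Translate only traffic destined for this peer; other peers get their own entry.
        lines.append(f"access-list NAT_{peer} permit ip {lan.network_address} {lan.netmask} "
                     f"{peer_seen.network_address} {peer_seen.netmask}")
        lines.append(f"static (inside,outside) {seen_as.network_address} access-list NAT_{peer}")
    else:
        # Unique LAN: exempt it from NAT so the crypto ACL sees the real addresses.
        lines.append(f"access-list nonat permit ip {lan.network_address} {lan.netmask} "
                     f"{peer_seen.network_address} {peer_seen.netmask}")
    # The crypto ACL always uses the translated (tunnel-visible) addresses on both ends.
    lines.append(f"access-list VPN_{peer} permit ip {seen_as.network_address} {seen_as.netmask} "
                 f"{peer_seen.network_address} {peer_seen.netmask}")
    return lines


# Constructed sample: Federico's two overlapping sites plus the third site from the question.
SITES = {"A": IPv4Network("192.168.1.0/24"),
         "B": IPv4Network("192.168.1.0/24"),
         "C": IPv4Network("10.10.10.0/24")}
POOL = [IPv4Network("1.1.1.0/24"), IPv4Network("2.2.2.0/24")]

if __name__ == "__main__":
    visible = plan_translations(SITES, POOL)
    for site, peer in [("A", "B"), ("B", "A"), ("C", "A"), ("C", "B")]:
        print(f"! Site {site} -> Site {peer}")
        print("\n".join(site_config(site, peer, SITES, visible)))
```

The planner refuses a pool subnet of a different size than the LAN it replaces, because the static with an access-list form maps the two ranges address for address. The syntax emitted is the pre-8.3 form used throughout this thread; on ASA 8.3 and later the same mapping is expressed with object or twice NAT instead.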

Thanks for the reply.

For the two sites with the same internal IP schema, the configuration you sent me will work. I want to know about the 3rd firewall, which has a different schema from the other two.

The configuration on the 3rd firewall would be like below:

Site A: 192.168.1.0/24
Site B: 192.168.1.0/24
Site C: 10.10.10.0/24

Site C access-list:

access-list VPN permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list VPN permit ip 10.10.10.0 255.255.255.0 2.2.2.0 255.255.255.0

This ACL is applied to the crypto map.

Please correct me if I am wrong.

Yes.

There's no extra requirement for the 3rd site since there's no overlapping problem there.

You just configure a regular Site-to-Site configuration on the 3rd site to talk to the NATed IPs of the other two sites.

Hope it's clear.


Federico.

Hello,

I still have some problems; my tunnels are not able to come up.

When I type show ipsec sa, there is nothing.

My config looks like below:

Site A: Inside IP 192.168.0.0, Outside IP 11.11.11.0
Site B: Inside IP 192.168.0.0, Outside IP 12.12.12.0
Site C: Inside IP 10.4.100.0, Outside IP 14.14.14.0

I map the Site A internal IP 192.168.0.0 to 192.168.8.0.

I don't want to create a tunnel between Site A and Site B. I need to create hub and spoke, where Site C is the hub and Site A and B are the spokes.

I need to know what I should configure on Site C:

First, an access list to allow traffic
Policy access list
Static NAT
Regular site-to-site config

Am I missing something?

Do you manage the three sites?

Site A: Inside IP 192.168.0.0, Outside IP 11.11.11.0
Site B: Inside IP 192.168.0.0, Outside IP 12.12.12.0
Site C: Inside IP 10.4.100.0, Outside IP 14.14.14.0

If Site C is the hub, then traffic between A and B should pass through C (this should be no problem because there's no overlapping with NAT).

Now... if Site C is the hub (depending if it's an IOS or ASA) you need to configure u-turn for VPN traffic.

Site C should be able to receive traffic from spoke and resend it back to the other spoke.

Could you include the configuration for Site C?


Federico.

Site C config is below. Yes, I am managing all 3 sites. I am lost with this overlapping issue...

! where 192.168.0.0 should be the IP of the NATed peer
access-list sitec2sitea permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list sitec2siteb permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 10.4.100.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 10.4.100.0 255.255.255.0 192.168.9.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ghtd_vpn_set_primary esp-3des esp-sha-hmac
crypto map outside_map 1 match address sitec2sitea
crypto map outside_map 1 set peer 11.11.11.0
crypto map outside_map 1 set transform-set ghtd_vpn_set_primary
crypto map outside_map interface outside
!
crypto map outside_map 2 match address sitec2siteb
crypto map outside_map 2 set peer 12.12.12.0
crypto map outside_map 2 set transform-set ghtd_vpn_set_primary
crypto map outside_map interface outside
!
tunnel-group 11.11.11.0 type ipsec-l2l
tunnel-group 11.11.11.0 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
tunnel-group 12.12.12.0 type ipsec-l2l
tunnel-group 12.12.12.0 ipsec-attributes
 pre-shared-key cisco
 isakmp keepalive threshold 20 retry 3
!
mtu backup 1500

When I try to ping from Site C to Site A with 192.168.8.1, I can see the SA.

But when I try to ping from Site C to Site A with 192.168.0.1, there is nothing in the SA.

Does that mean the NAT is missing?

Need to make sure it looks like this:

Site C:

access-list sitec2sitea permit ip 10.4.100.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list sitec2siteb permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 10.4.100.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list nonat

Also, the hub should have the command same-security-traffic permit intra-interface to allow traffic from one spoke to reach the other spoke.

First make sure that from Site C you can reach both spokes fine.

Federico.
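Federico's correction above comes down to one invariant on the hub: every entry in a crypto ACL must have a matching nonat entry (otherwise the traffic is translated before the crypto map is consulted and never matches), and no two crypto ACLs may select the same destination subnet (otherwise only the first crypto map entry can ever match it). As an added example that is not code from the thread or from Cisco, the Python audit below parses the three line shapes seen in the posted config and flags both defects. The two sample configs are constructed from the thread: the hub config as originally posted and the corrected version.

```python
"""Audit a hub ASA's crypto ACLs against its NAT-exempt ACL (pre-8.3 syntax).

Added example, not code from the thread. It understands only the three line
shapes used in the posted config: access-list ... permit ip, nat (...) 0
access-list ..., and crypto map ... match address ...
"""
import re
from ipaddress import IPv4Network

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)$")
NONAT_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")


def parse_hub(config_text):
    """Collect ACL entries as (src, dst) networks, the ACL names referenced by
    crypto map entries (in sequence order), and the name of the nonat ACL."""
    acls, crypto_acls, nonat = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
        elif m := NONAT_RE.match(line):
            nonat = m.group(1)
    return acls, crypto_acls, nonat


def covered(src, dst, exempt):
    """True when some nonat entry covers the whole src -> dst pair."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)


def audit_hub(config_text):
    """Return a list of findings; an empty list means the invariant holds."""
    acls, crypto_acls, nonat = parse_hub(config_text)
    exempt = acls.get(nonat, [])
    findings, first_acl_for_dst = [], {}
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            if not covered(src, dst, exempt):
                findings.append(f"{name}: {src} -> {dst} has no nonat entry, so the traffic "
                                f"is translated before it can match the crypto ACL")
            other = first_acl_for_dst.setdefault(dst, name)
            if other != name:
                findings.append(f"{name}: destination {dst} is already matched by {other}, "
                                f"so this crypto map entry can never be selected for it")
    return findings


# Constructed from the thread: the hub config as first posted (sitec2siteb still
# points at 192.168.0.0 and the nonat entries do not match the crypto ACLs).
BROKEN_HUB = """
access-list sitec2sitea permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list sitec2siteb permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.4.100.0  255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 10.4.100.0  255.255.255.0 192.168.9.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 1 match address sitec2sitea
crypto map outside_map 2 match address sitec2siteb
"""

# Constructed from Federico's corrected version.
FIXED_HUB = """
access-list sitec2sitea permit ip 10.4.100.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list sitec2siteb permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 10.4.100.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat permit ip 10.4.100.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 1 match address sitec2sitea
crypto map outside_map 2 match address sitec2siteb
"""

if __name__ == "__main__":
    for label, cfg in [("as posted", BROKEN_HUB), ("corrected", FIXED_HUB)]:
        print(f"== {label} ==")
        print("\n".join(audit_hub(cfg)) or "no findings")
```

The covered() check accepts a nonat entry that is wider than the crypto ACL entry, which is how a single exemption line is often written for a whole hub; the duplicate-destination check is what catches the original post's two ACLs both naming 192.168.0.0.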

Thanks,

Finally it's working. The only problem I am facing is that my tunnels are up but I am not able to ping the far side.

For testing I changed only the Site A internal schema from 192.168.0.0 to 192.168.8.0.

I can ping from Site A to Site C but not from Site C to Site A.

I did show isakmp sa and show ipsec sa...

It shows my packets are encrypted and the tunnels are active, but the pings do not get through...

Thanks for your help and support...

Hi,

You say that you cannot ping from Site C to Site A.

Try to ping the inside IP of the Site A ASA.

From the Site C ASA:

ping inside x.x.x.x    --> inside IP of the Site A ASA

For the above to work, the command management-access inside should be configured on both sides.

If it works, then probably there's a route issue on Site A.

If it does not work, then post again with the current situation.


Federico.

Hello,

I still have the problem with the overlapping internal IP schema.

When I type show isakmp sa and show ipsec sa, I can see my tunnel is up.

Site A and Site B get replies from Site C, but I am not able to ping from Site C to Site A and Site B.

Do I need to configure policy NAT on Site C too, or not?

I need to solve this issue... I attach a diagram with this...

Please, I need your help...