884 Views | 0 Helpful | 3 Replies

Site to site ipsec with same subnets at both ends

Malik79 (Level 1)

Hi Experts,

I am a new member of the Cisco support forums, hence not much aware of how to post questions. I hope I am doing it right by creating a new discussion. Now coming to my problem: I have two sites with the same subnets at both ends. The P2P link is up. All I want is to secure traffic over this link, and IPsec is what I want to configure. I have been working for a few days to configure IPsec using an ASA 5510. Now this firewall, when operated in routed mode, doesn't allow IPsec because of the same subnets at both ends. Transparent mode doesn't allow assigning addresses to interfaces. I have searched a lot but couldn't get to any solution, as many of them suggest NAT. I also have a few VLANs to carry over this link. I hope my question is understandable. I would be grateful for any support/solution or any reference to some example.

Thanks

3 Replies

Basically you have three options (from my most to least preferred):

  1. Renumber one of the sites to have unique subnets.
  2. Implement unique IPv6 subnets for the systems that need to communicate on both sites.
  3. Double-NAT. On both ASAs you "hide" the local network with static NAT so that the other side sees a network not in use.

Thank you Karsten. Opt. 1: Subnetting any of the sites might not be feasible at this point in my network because of the random distribution of IP addresses. Opt. 2: IPv6 subnets could be tried. Opt. 3: NAT, which is the least preferred option but could be considered in order to create a simple IPsec tunnel between the two.
I have a few VLANs to carry over this tunnel too. I would require NATing for all of them, yes? I'd try uploading a picture of the scenario as well.
Thanks again.
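An added configuration example (not from the original thread or from Cisco) of Karsten's option 3 on one ASA, which also answers the VLAN question: each VLAN that crosses the tunnel needs its own real/mapped object pair and NAT rule. It assumes ASA 8.4+ NAT and IKEv1 syntax, that both sites really use 192.168.1.0/24, and the constructed mapped ranges 10.1.1.0/24 (site A) and 10.2.2.0/24 (site B) and peer address 203.0.113.2; site B is the mirror image with the mapped ranges swapped.

```cisco
! ---- Site A ASA (site B is identical with LOCAL/REMOTE mapped ranges swapped) ----
! Real subnet used at BOTH sites (constructed for this example)
object network SITEA_REAL
 subnet 192.168.1.0 255.255.255.0
! What site A pretends to be to the remote side
object network SITEA_MAPPED
 subnet 10.1.1.0 255.255.255.0
! What site B pretends to be (site B hides 192.168.1.0/24 behind this range)
object network SITEB_MAPPED
 subnet 10.2.2.0 255.255.255.0

! Twice NAT: only traffic bound for the remote mapped range is translated;
! host 192.168.1.x becomes 10.1.1.x, so the last octet stays recognisable.
! One such rule per VLAN object pair if several VLANs cross the tunnel.
nat (inside,outside) source static SITEA_REAL SITEA_MAPPED destination static SITEB_MAPPED SITEB_MAPPED

! Crypto ACL matches the TRANSLATED addresses: on the ASA, NAT is applied
! before the packet is matched against the crypto map.
access-list VPN_TRAFFIC extended permit ip object SITEA_MAPPED object SITEB_MAPPED

! IKEv1 phase 1 and IPsec phase 2 parameters
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address VPN_TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set ikev1 transform-set TS-AES256
crypto map VPNMAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <REPLACE_WITH_STRONG_PSK>
```

Hosts at site A must address site B hosts by their mapped addresses (10.2.2.x), never by 192.168.1.x, which still refers to the local LAN; `show nat detail` and `show crypto ipsec sa` let you confirm that hits land on the twice-NAT rule and that the SA's local/remote identities are the mapped ranges.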