01-22-2013 04:42 AM
Hi
I am setting up a VPN between my client and their owner, in order for the owner to access resources at my client's site.
Unfortunately their owner already has a VPN connection to another site with the same subnet as the one on my client's site.
I have set up a policy NAT to translate my client's internal LAN to a "NAT" LAN, and I can ping from my client's LAN to their owner's LAN, but their owner can not reach any resources at my client's LAN.
My client has an ASA5510 with a base license, but their owner has their firewall and routing "leased" or something like that; it actually was their ISP who configured the VPN settings. That means of course that I have very limited (no) access to the other site's firewall and I actually don't even know the make and model of it.
And last but not least, the subnet the Owner needs to access is on my client's Core Switch and the ASA has an internal route to it.
I have pasted the interesting parts of the ASA config here below; the displayed subnets are not the real ones.
```
ASA-01# more system:running-config
!
ASA Version 8.4(3)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.138 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.29.1.1 255.255.255.0
object network Owner-Remote
 subnet 172.16.0.0 255.255.0.0
object network NAT-Local-Subnet
 subnet 172.25.251.0 255.255.255.0
object network Local-Subnet
 subnet 192.168.20.0 255.255.255.0
object-group network NAT_VPN
 description Subnet in VPN
 network-object object NAT-Local-Subnet
access-list Outside-In extended permit ip object Owner-Remote any
access-list outside_cryptomap extended permit ip object-group NAT_VPN object Owner-Remote
nat (inside,outside) source static Local-Subnet NAT-Local-Subnet destination static Owner-Remote Owner-Remote
nat (outside,inside) source static Owner-Remote Owner-Remote destination static NAT-Local-Subnet Local-Subnet
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group Outside-In in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.137 1
route inside 192.168.0.0 255.255.0.0 172.29.1.2 1
```
I hope some of you out there can help me a little bit, because I am lost right now.
Best Regards Jens W
01-22-2013 11:16 PM
Both ends need to configure NAT to a unique subnet, otherwise it won't work, because the side that does the NATing will try to ARP for the same subnet and the traffic won't go anywhere.
Here is a sample configuration using the older version of ASA (but the concept is the same):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml
In the example: both sides have 192.168.1.0/24 network, and one side has to NAT to 192.168.2.0/24 and the other side has to NAT to 192.168.3.0/24.
Hope that helps.
01-23-2013 07:01 AM
My problem is not that we have the same subnet on both sides of the VPN, but rather that one of the VPN sides already has another VPN with the same remote subnet as they would need for this VPN.
In short, my customer and their owner do not have the same subnets, but their owner has a branch office with the same subnet as my customer.
Therefore I can't see the need for the owner to NAT their subnet, as an ARP will send the packet to the outside interface.
Or am I completely wrong?
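The two failure modes the thread circles around, a crypto ACL that is not mirrored at the peer and two tunnels on the owner's firewall claiming overlapping remote space, can be checked mechanically before asking the ISP to look at the owner's box. The script below is an added example, not from the thread or from Cisco; it uses the placeholder subnets from the posted config (the real ones differ) and assumes the owner's other tunnel points at a branch using 192.168.20.0/24, as the original post describes.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample values copied from the thread; the real subnets differ.
CLIENT_REAL = ip_network("192.168.20.0/24")   # Local-Subnet on the client's ASA
CLIENT_NAT = ip_network("172.25.251.0/24")    # NAT-Local-Subnet presented inside the tunnel
OWNER_LAN = ip_network("172.16.0.0/16")       # Owner-Remote
OWNER_BRANCH = ip_network("192.168.20.0/24")  # owner's other VPN peer, same range as CLIENT_REAL


def crypto_acl_mirrors(asa_acl, peer_acl):
    """A crypto ACL is (local, remote); the peer must carry the same pair reversed."""
    local, remote = asa_acl
    return peer_acl == (remote, local)


def tunnel_conflicts(own_lan, tunnels):
    """tunnels: {name: (local_net, remote_net)} as configured on one firewall.
    Reports a remote that overlaps the firewall's own LAN (hosts ARP locally instead
    of forwarding) and two tunnels whose remotes overlap (no unambiguous tunnel)."""
    problems = []
    for name, (_, remote) in tunnels.items():
        if remote.overlaps(own_lan):
            problems.append(f"{name}: remote {remote} overlaps local LAN {own_lan}")
    for (a, (_, ra)), (b, (_, rb)) in combinations(tunnels.items(), 2):
        if ra.overlaps(rb):
            problems.append(f"{a} and {b}: remote {ra} overlaps {rb}")
    return problems


def owner_side_check(client_remote):
    """Model the owner's firewall with the client tunnel pointing at client_remote.
    Hypothetical tunnel names; the owner's real config is not visible in the thread."""
    tunnels = {
        "branch": (OWNER_LAN, OWNER_BRANCH),
        "client": (OWNER_LAN, client_remote),
    }
    return tunnel_conflicts(OWNER_LAN, tunnels)


if __name__ == "__main__":
    asa_acl = (CLIENT_NAT, OWNER_LAN)  # access-list outside_cryptomap on the ASA
    for candidate in (CLIENT_NAT, CLIENT_REAL):
        print(candidate, "mirrored:", crypto_acl_mirrors(asa_acl, (OWNER_LAN, candidate)))
        print(candidate, "conflicts:", owner_side_check(candidate))
```

If the ISP built the owner's side against the client's real 192.168.20.0/24 instead of the NAT'd 172.25.251.0/24, the second candidate shows exactly the overlap with the branch tunnel that explains why only the client-initiated direction works.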