09-16-2009 06:22 AM
I have an ASA5520 running 8.0.4. I need to create a tunnel with a vendor using the same internal network as we are. They are unable NAT on their side. I would like both sides to be able to bring up the tunnel. They are using 10.2.x.x/16 as their internal network, as are we. The interesting traffic on my side would come from the nodes 10.0.194.1 and 10.0.194.5. How do I configure my side of the tunnel to get this to work?
Thanks,
Keith
09-17-2009 08:57 AM
Hello Keith,
I read through your question and it seems that your side will need to encrypt only the hosts 10.0.194.4 and 10.0.194.5 to the remote peer 10.2.x.x/16.
So you should be able to bring up the tunnel and pass traffic without any issues.
If they have the same network 10.0.194.x on their end as well, then you can do something called policy NAT.
Please look at the link given below:
In the above example, the 192.168.1.0 network on the PIX-A side is policy-NATed to 172.18.1.0 when the traffic is meant for the 10.1.0.0/24 network.
**********
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
********************
Hope this helps.
Thanks
Gilbert
09-17-2009 09:03 AM
We use the 10.2.x.x network internally already. So I can't route traffic destined for 10.2.x.x to a different location.
Thanks,
Keith
09-21-2009 06:31 AM
Keith
In that case, you can convert the remote network 10.2.x.x to something else on the ASA by using the static command.
Please read through the example given below.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949f1.shtml
Let me know if this helps.
Gilbert
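The following is an added example, not part of this thread and not Cisco's configuration: a small Python model of how the two translations Gilbert describes fit together when both ends use 10.2.0.0/16. Our hosts 10.0.194.1 and 10.0.194.5 are policy-NATed to an alias network as they enter the tunnel, and the vendor's 10.2.x.x is re-addressed to an alias network so that our hosts have a non-overlapping destination to send to. The two alias ranges (192.168.194.0/24 and 172.16.0.0/16) are constructed assumptions; the order in which the model applies the two translations is also an assumption made for illustration, not a statement about ASA internals. The model also checks the one thing that is easy to get wrong: an alias must not collide with anything already routed on that side.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the thread: our hosts in 10.0.194.0/24 must reach the
# vendor's 10.2.0.0/16, which is also our own internal range.
LOCAL_TUNNEL_HOSTS = ipaddress.ip_network("10.0.194.0/24")
OVERLAP_NET = ipaddress.ip_network("10.2.0.0/16")        # used by both sides
LOCAL_REAL_NETS = [OVERLAP_NET, LOCAL_TUNNEL_HOSTS]      # everything routed inside our ASA

# Constructed aliases (assumptions, not from the thread): ranges unused on either side.
LOCAL_ALIAS = ipaddress.ip_network("192.168.194.0/24")   # our hosts as the vendor sees them
REMOTE_ALIAS = ipaddress.ip_network("172.16.0.0/16")     # the vendor as our hosts address it


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def remap(addr, from_net, to_net):
    """One-to-one translation between equal-size prefixes, keeping the host offset."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("a static translation needs equal-size prefixes")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + offset)


def alias_is_safe(alias, real_nets):
    """An alias is usable only if it collides with nothing already routed on that side."""
    return not any(alias.overlaps(n) for n in real_nets)


def crypto_selector():
    """Our crypto ACL, expressed in post-NAT addresses: our alias -> vendor's real range."""
    return (LOCAL_ALIAS, OVERLAP_NET)


def vendor_crypto_selector():
    """Mirror image the vendor must configure: their real range -> our alias."""
    return (OVERLAP_NET, LOCAL_ALIAS)


def outbound(pkt):
    """Packet from an inside host heading out.

    Returns (packet as it would leave the ASA, True if it matches the crypto ACL).
    Modelled order (an assumption for this illustration): the vendor alias is
    untranslated to the real 10.2.x.x first, then the policy NAT rewrites the source.
    """
    if pkt.dst not in REMOTE_ALIAS:
        # A destination of 10.2.x.x stays a plain local address: no NAT, no tunnel.
        return pkt, False
    dst = remap(pkt.dst, REMOTE_ALIAS, OVERLAP_NET)
    src = pkt.src
    if pkt.src in LOCAL_TUNNEL_HOSTS:   # the policy-NAT ACL: these hosts, to the vendor alias
        src = remap(pkt.src, LOCAL_TUNNEL_HOSTS, LOCAL_ALIAS)
    out = Packet(src, dst)
    sel_src, sel_dst = crypto_selector()
    return out, (out.src in sel_src and out.dst in sel_dst)


def inbound(pkt):
    """Decrypted packet from the vendor, addressed to our alias.

    Returns the packet as delivered to the inside host, or None if it is not
    tunnel traffic for a policy-NATed host.
    """
    if pkt.dst not in LOCAL_ALIAS or pkt.src not in OVERLAP_NET:
        return None
    return Packet(remap(pkt.src, OVERLAP_NET, REMOTE_ALIAS),
                  remap(pkt.dst, LOCAL_ALIAS, LOCAL_TUNNEL_HOSTS))


if __name__ == "__main__":
    for alias in (LOCAL_ALIAS, REMOTE_ALIAS):
        print(f"{alias} safe on our side: {alias_is_safe(alias, LOCAL_REAL_NETS)}")
    pkt = Packet(ipaddress.IPv4Address("10.0.194.5"), ipaddress.IPv4Address("172.16.3.7"))
    print("outbound:", outbound(pkt))
    reply = Packet(ipaddress.IPv4Address("10.2.3.7"), ipaddress.IPv4Address("192.168.194.5"))
    print("inbound:", inbound(reply))
    print("vendor must encrypt:", vendor_crypto_selector())
```

Two things the model makes visible. First, a host outside the policy-NAT ACL (say 10.2.5.5 on our LAN) that sends to the vendor alias is untranslated to the real 10.2.x.x destination but keeps a source address the vendor also owns, so it never matches the crypto selector and must not be allowed to use the tunnel. Second, the vendor's crypto ACL has to be the exact mirror of ours in the translated addresses, so both sides must agree on the alias ranges before either can initiate.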