Site-to-Site VPN - Subnet Overlap

adamjohngur
Level 1

Hello all,

I have a small query that I hope someone knows the answer to.

We have an ASA 5510 on our side, from which we need to create a tunnel to a new client's ASA 5510.

However, I have multiple (sub) interfaces configured on our side, one of which is 0/1.2 set as 172.16.0.1 on 255.255.252.0. My client's remote side is 172.16.1.0/24. The twist is that the network on my side I need to connect to over the tunnel is set on 0/1.11 and on 192.168.18.0/24.

I've configured the tunnel group on our appliance:

Local - 192.168.18.0/24

Remote - 172.16.1.0/24

I've also set a NAT rule to translate the traffic based on the interface on our side. However, when attempting to ping their side, the tunnel doesn't even look like it's being brought up. A quick check on the packet tracer shows it trying to route out of the 0/1.2 interface...

Is the above scenario even possible?

Thanks,

1 Reply

rkumar5
Level 1

Hi Adam,

The above scenario is possible.

We have to do NAT on the remote end.

Let's say we have the following topology:

ASA1========ASA2

where ASA1 is the side where we have multiple subinterfaces and ASA2 is the remote end.

We need to apply the policy-based NAT rule on the remote end, which should be as follows:

access-list nat_policy permit ip 172.16.1.0 255.255.255.0 192.168.18.0 255.255.255.0

nat (inside) 2 access-list nat_policy

global (outside) 2 192.168.19.0 255.255.255.0

Now on the ASA1 the

local network should be 192.168.18.0/24

remote network should be 192.168.19.0/24

On the ASA 2

local network should be 192.168.19.0/24

Remote network should be 192.168.18.0/24

Make sure that we don't have a NAT exempt on the ASA2 for the traffic flowing from 172.16.1.0/24 toward destination 192.168.18.0/24.

Here is the config example that you can follow

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Hope this helps you

Thanks

Raj
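
A pre-deployment check for the overlap discussed in this thread, added here as an example and not part of either post: it shows why a destination in 172.16.1.0/24 is routed out of 0/1.2 on ASA1, and confirms that the translated network 192.168.19.0/24 does not collide with any connected network. The function names are hypothetical, and a default route via an interface named `outside` is assumed.

```python
import ipaddress

# Connected networks on ASA1 as given in the question (subinterface -> address/mask).
ASA1_CONNECTED = {
    "0/1.2": "172.16.0.1/255.255.252.0",
    "0/1.11": "192.168.18.0/255.255.255.0",
}

def connected_networks(interfaces):
    """Map each interface name to the network it is directly attached to."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}

def egress_interface(destination, interfaces, default="outside"):
    """Longest-prefix match over connected routes, else the default route.

    Assumption: the default route points at an interface named 'outside'.
    """
    dst = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, name)
               for name, net in connected_networks(interfaces).items()
               if dst in net]
    return max(matches)[1] if matches else default

def conflicts(network, interfaces):
    """Interfaces whose connected network overlaps the given network."""
    net = ipaddress.ip_network(network)
    return sorted(name for name, local in connected_networks(interfaces).items()
                  if local.overlaps(net))

def review_plan(real_remote, mapped_remote, interfaces):
    """Check the remote side's real network and the network it is translated to."""
    mapped_hits = conflicts(mapped_remote, interfaces)
    return {
        "real_conflicts": conflicts(real_remote, interfaces),
        "mapped_conflicts": mapped_hits,
        "usable": not mapped_hits,  # the mapped range must be free of overlap
    }

if __name__ == "__main__":
    # Real remote address: captured by the connected /22 on 0/1.2.
    print(egress_interface("172.16.1.10", ASA1_CONNECTED))
    # Translated remote address: follows the default route toward the tunnel.
    print(egress_interface("192.168.19.10", ASA1_CONNECTED))
    print(review_plan("172.16.1.0/24", "192.168.19.0/24", ASA1_CONNECTED))
```
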