Site to Site VPN using NAT to mask the source range

Hi All

We are currently running an ASA 5515-X and a query has come up about S2S VPN and the possibilities of it. I understand the standard S2S VPN, one LAN range to another, no NAT required. However, what happens if we would like to have multiple S2S VPNs with the remote sites having the same subnet? A bit of background. We provide a centralised service for clients to connect to using RDS. There are some resources however on the client site that would benefit from having a VPN as they cannot use RDS, scanners for example, to provide normal SMB scanning as the FTP support is pretty rubbish. I know this can be achieved using a normal S2S, but a lot of clients will have the same subnets (192.168.0.0/24, 172.16.0.0/16 etc.), which will obviously be a major stumbling block in a standard deployment. We are not able to readdress clients' networks. I have come across one example of NAT being used, where the network containing the resources assigned us an IP in their range, so all traffic appeared to come from that IP address. We will not need to establish a link from the resource network (us) to the remote network (client), just the client to us. I imagine PAT will be coming into play, but having never set this type of connection up, I do have some questions. First and most important, is this actually possible? Second, how can we do it on our device? Third, will the client require any special kit on their end to connect in?

Thank you all in advance, and if I have not been clear on some of the points just shout and I will clarify.

Many Thanks

James

5 Replies

It is possible and quite common in these scenarios. But it has to be done on the client side and not on your end. When your VPN gateway sees the same IP from different customers it's already too late to distinguish them.

Hi Karsten

Thank you for your swift reply. Yes, I figured the routing table on our side would be rather interesting should we attempt it normally. So the client side has to put in place some form of NAT to change their internal range to the internal IP that we assign from our internal range? Say, for example, they have IP range 192.168.0.0/24, and we have IP range 192.168.100.0/24. We assign them the IP of 192.168.100.10 as their IP on our network. They would need to put a setting in their VPN policy to translate all their internal network traffic to 192.168.100.10, for anything destined for our network? Would we need to do anything on our side for this to work?

Many Thanks

James

First, you should put your systems on public IP addresses. If a customer has the same addresses as you, you'll get additional trouble.

Then, assign one private address range per customer which that customer can use. Start directly in the 10/8 range, as there you are not restricted to the limited space of 192.168.0.0.

So I would need to readdress the segment of my network I would like to share? And then the purpose of the selection of various ranges per client is the overlapping networks I have been reading about? This, I presume, is a straight one-to-one translation with the IP ranges. So if the client had 192.168.0.0/24, and I selected 10.0.0.0/24 for them, a device with IP 192.168.0.10 would have IP 10.0.0.10 as far as my network could tell?

I did some work with a company a few months back who had their VPN set up where we, as the client in this case, had to put an IP that was from their range internally onto the settings on our side. They received hundreds of connections from client networks, and the ranges were generally the same. I guess this was their way of masking this from the routing table and getting around that restriction. I was hoping I could do the same sort of setup on the Cisco, but if I cannot I will see about doing the range translation instead.

Thank you very much for your replies.

James
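Karsten's point that the hub cannot tell two peers apart once both present the same source subnet, and his suggestion of one hub-assigned range per customer, together describe a one-to-one (static network) translation performed on the client side, which is exactly the 192.168.0.10 to 10.0.0.10 mapping James asks about. The following Python model is added here to illustrate that reasoning; it is not code from the thread and not Cisco configuration. It uses the thread's illustrative addresses (clients on 192.168.0.0/24, the hub on 172.16.0.0/16) plus constructed hub-assigned ranges 10.0.1.0/24 and 10.0.2.0/24; the names `Client`, `HubGateway`, `translate_static` and `demo` are the example's own.

```python
"""Why a hub VPN gateway cannot tell two peers apart when both present the
same private subnet, and how a client-side one-to-one translation into a
hub-assigned range fixes it.

Constructed model for this thread, not Cisco configuration and not code from
the original posts. Addresses follow the thread's illustrations: clients on
192.168.0.0/24, the hub on 172.16.0.0/16, hub-assigned 10.0.x.0/24 ranges.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


def translate_static(addr, real, mapped) -> IPv4Address:
    """One-to-one (static network) NAT: keep the host bits, swap the prefix.

    192.168.0.10 in 192.168.0.0/24 mapped to 10.0.0.0/24 becomes 10.0.0.10.
    Arguments may be strings or ipaddress objects.
    """
    addr, real, mapped = IPv4Address(addr), IPv4Network(real), IPv4Network(mapped)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT needs real and mapped networks of equal size")
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    host_bits = int(addr) - int(real.network_address)
    return IPv4Address(int(mapped.network_address) + host_bits)


@dataclass
class Client:
    """A remote site: its real LAN and, optionally, the range the hub assigned."""
    name: str
    real_lan: IPv4Network
    assigned_range: Optional[IPv4Network] = None  # None = no client-side NAT

    def visible_range(self) -> IPv4Network:
        """Prefix the hub sees coming out of this client's tunnel."""
        return self.real_lan if self.assigned_range is None else self.assigned_range

    def outbound_source(self, host) -> IPv4Address:
        """Source address of a packet from `host` after the client-side NAT."""
        if self.assigned_range is None:
            return IPv4Address(host)
        return translate_static(host, self.real_lan, self.assigned_range)


@dataclass
class HubGateway:
    """The hub's view: which tunnel does each remote prefix belong to?"""
    lan: IPv4Network
    routes: Dict[IPv4Network, str] = field(default_factory=dict)
    conflicts: List[Tuple[str, str, str]] = field(default_factory=list)

    def add_peer(self, client: Client) -> bool:
        """Install the return route for a peer; refuse any overlapping prefix."""
        prefix = client.visible_range()
        if prefix.overlaps(self.lan):            # peer range clashes with our own LAN
            self.conflicts.append((client.name, "hub LAN", str(prefix)))
            return False
        for existing, owner in self.routes.items():
            if existing.overlaps(prefix):        # second peer with the same subnet
                self.conflicts.append((client.name, owner, str(prefix)))
                return False
        self.routes[prefix] = client.name
        return True

    def return_tunnel(self, dst) -> Optional[str]:
        """Tunnel a reply to `dst` would take (longest-prefix match)."""
        dst = IPv4Address(dst)
        matches = [(net, owner) for net, owner in self.routes.items() if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def demo(with_client_nat: bool, hub_lan: str = "172.16.0.0/16") -> dict:
    """Two clients, both really on 192.168.0.0/24, each with a scanner at .10."""
    hub = HubGateway(lan=IPv4Network(hub_lan))
    peers = [
        Client("client-a", IPv4Network("192.168.0.0/24"),
               IPv4Network("10.0.1.0/24") if with_client_nat else None),
        Client("client-b", IPv4Network("192.168.0.0/24"),
               IPv4Network("10.0.2.0/24") if with_client_nat else None),
    ]
    accepted = {c.name: hub.add_peer(c) for c in peers}
    scanner = "192.168.0.10"  # constructed: the same scanner address on every site
    seen = {c.name: str(c.outbound_source(scanner)) for c in peers}
    # Which tunnel does the hub pick for the reply to each client's scanner?
    reply_tunnel = {c.name: hub.return_tunnel(c.outbound_source(scanner)) for c in peers}
    return {"accepted": accepted, "seen_by_hub": seen,
            "reply_tunnel": reply_tunnel, "conflicts": hub.conflicts}


if __name__ == "__main__":
    print("without client-side NAT:", demo(False))
    print("with client-side 1:1 NAT:", demo(True))
```

Without the translation, the second peer's route is rejected as overlapping and a reply to its scanner is steered into the first client's tunnel; with each client translating into its own assigned range, both peers install distinct prefixes and every reply finds the right tunnel. The model also refuses an assigned range that overlaps the hub's own LAN, which is the extra trouble Karsten warns about. In general terms, the client-side step corresponds to a static NAT of the real LAN into the assigned range applied to traffic bound for the hub, so the hub only ever sees the assigned ranges; that is the general behaviour of static subnet NAT, not a configuration taken from this thread.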

Hi Everyone

Thank you for your contributions so far. I just wanted to expand out a little on the requirements and just confirm the NAT of remote IP ranges is still suitable. We will be getting at least 50 client networks connecting to our 5515 via VPN. The vast majority will be basic Class C or B ranges, and right at the start would be my bet. Readdressing them will be impossible, as they do run their own services on site and this could cause issues. Let's go worst case scenario, and say all 50 have chosen 192.168.0.0/2 as their IP range. We are using, let's say, 172.16.0.0/16 as our range. The clients will not need to communicate with each other, just our network. The initial thought I had was to put something in place to translate each client's connection to an IP address in our range. Let's say we used IPs from 172.16.100.0 going up. The first client's traffic from their entire network would appear to come from 172.16.100.1. The second client's traffic would be from .2 and so on. This is all despite them having 100 clients on the network. I don't know if this is achievable, and how it would be achieved, but I have come across something similar with one of our suppliers, who asked us to create a S2S VPN and present as an IP address they supplied us with, as they are a big company, and it allowed them to have S2S from the same subnet hundreds of times. Now it may be this is hard to achieve, or requires a lot of additional hardware on both sides. If the solution above is the right one, then we will set up a subnet translation. Can this be done on our side only, invisible to the client?

Thank you all

James