Site-to-site VPN with overlapped subnet.

rakeshhari
Level 1

Hi Friends

I have to set up a site-to-site VPN with an overlapped network between an ASA 5540 and a Checkpoint. What is the best practice to achieve this goal?

Thanks in advance

4 Replies

There are three solutions to your problem:

1) Double-NAT, where each site hides its own subnet behind an unused network

2) IP-renumbering one of the sites

3) Build an overlay IPv6 network just for the systems that need the communication.

If you have some time to study for your implementation, then go for 3)

If 3) is not an option and the networks need to communicate in many ways with each other, then 2) is the best option. Depending on the size of the network you have to renumber, it's typically a short time of work. But 1) is an ongoing pain for you and your users.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Dear Iwen,

Our inside networks are 172.16.1.0/24 to 172.16.9.0/24, the IP address of the server is 172.16.1.72/24, and the peer side network overlaps with 172.16.1.0/24.

Can I NAT my inside server IP address 172.16.1.72/24 to a different IP address that does not overlap (192.168.1.72/24)?

access-list inside_access_out extended permit ip any host 192.168.1.72

static (inside,inside) 192.168.1.72 172.16.1.72 netmask 255.255.255.255

access-group inside_access_out out interface inside

I have applied the above commands but it is not reachable.

Thanks and regards,

It has to be configured on both sides.

X and Y are unused networks in this example: site A has to hide 172.16.1.0/24 behind X when communicating to Y, and site B has to hide 172.16.1.0/24 behind Y when communicating to X. The users in site A have to use Y as a destination, and users in site B have to use X as the destination. To make it usable for the users you should include the destinations in the DNS so that they never need the destination IP.

On the ASA you describe the communication 172.16.1.0/24 -> Y with an access-list and add that ACL to your static command. You find an example here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
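The site A half of the double-NAT design described in the reply above, written out as an added example configuration (this is not configuration from the thread or from Cisco's linked document). It uses the pre-8.3 ASA NAT syntax, the same family as the static command in the question. All addresses are constructed for the example: X = 10.10.10.0/24 is the mapped address site A shows to site B, Y = 10.20.20.0/24 is the mapped address site A users target for site B, and the peer address, crypto map name and transform-set name are placeholders that must match the existing tunnel configuration.

```cisco
! Site A ASA, pre-8.3 NAT syntax. Constructed addresses for this example:
!   real local LAN      172.16.1.0/24   (overlaps with site B's LAN)
!   X = mapped local    10.10.10.0/24   (what site B sees site A as)
!   Y = mapped remote   10.20.20.0/24   (what site A users use to reach site B)
!
! 1. Policy NAT: only traffic from the real LAN toward Y is translated to X.
!    The translation is between inside and outside, not (inside,inside).
access-list POLICY-NAT-TO-SITE-B extended permit ip 172.16.1.0 255.255.255.0 10.20.20.0 255.255.255.0
static (inside,outside) 10.10.10.0 access-list POLICY-NAT-TO-SITE-B
!
! 2. Crypto ACL (interesting traffic) is written with the mapped addresses,
!    never with the real 172.16.1.0/24, because NAT happens before encryption.
access-list CRYPTO-TO-SITE-B extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address CRYPTO-TO-SITE-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
!
! 3. Single-host variant matching the question: the server 172.16.1.72 is
!    presented to site B as 192.168.1.72, again only for traffic toward Y.
access-list POLICY-NAT-SERVER extended permit ip host 172.16.1.72 10.20.20.0 255.255.255.0
static (inside,outside) 192.168.1.72 access-list POLICY-NAT-SERVER
!
! 4. Caveat: a NAT-exemption rule ("nat (inside) 0 access-list ...") that also
!    matches 172.16.1.0/24 -> 10.20.20.0/24 is evaluated before policy static
!    NAT and would send untranslated packets into the tunnel. Keep the exemption
!    ACL from covering the remote mapped network Y.
```

Site B mirrors this: it hides its own 172.16.1.0/24 behind Y when talking to X, and its crypto ACL is 10.20.20.0/24 <-> 10.10.10.0/24, so both crypto ACLs agree and contain only mapped addresses. On ASA 8.3 and later the same design is expressed with a twice-NAT rule of the form `nat (inside,outside) source static REAL-LOCAL MAPPED-LOCAL destination static MAPPED-REMOTE MAPPED-REMOTE` using network objects instead of the static command. Verify with `show xlate` that a translation is built and with `show crypto ipsec sa` that the SA identities show the mapped networks, not 172.16.1.0/24.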

Hello Hari,

Yes, you can definitely NAT it, but make sure that the same NATted IP is in the interesting traffic or crypto ACL of the tunnel on both sides.

Please find the below link for an example setup from Cisco.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

Let us know if you have any queries.

Regards,

sriaknth