07-24-2015 01:22 PM
Hi!
There are two offices (as an example; in reality there could be an unlimited number of them). One of them is mine, but the infrastructure of the other one is the property of another company and accordingly is administered by another person.
On both sides there is a Cisco ASA. The task is to bring up a VPN connection so that the other company can access some services of my network (for example HTTP on one of my servers) via an encrypted channel.
The task looks simple, but I can face a situation where the internal networks have the same network addresses.
I would like to resolve this issue with the help of NAT, but can't find a way to do it with the Cisco ASA alone.
I imagined this as in the attached picture.
07-25-2015 06:38 AM
Here is a document that you can follow to configure L2L VPNs for overlapping networks:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112049-asa8x-vpn-olap-config-00.html
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-24-2015 02:07 PM
This can be easily done:
On the main ASA, configure static NAT for the internal server to the 172-public IP. The tunnel is then built for the 172-addresses. Of course the other ASA also has to "hide" their own addresses behind unused addresses. If the left server would see the original source-address of the right client, the answer-packet would be routed internally.
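The scheme described in this reply (both sides hidden behind unused addresses, tunnel built for those addresses) written out as ASA 8.4+ configuration. This is an added example, not configuration from the thread or from the linked Cisco document; every address, object name and ACL name below is constructed for illustration.

```cisco
! Added example (not from the thread): ASA 8.4+ configuration for the LEFT site.
! All addresses are constructed for illustration:
!   both LANs use 192.168.1.0/24 (the overlap)
!   left LAN is shown to the tunnel as 172.16.1.0/24, right LAN as 172.16.2.0/24
!   left ASA outside 203.0.113.1, right ASA outside 203.0.113.2
!   the published server is 192.168.1.10 on the left, reachable as 172.16.1.10
!
! --- objects ---
object network OBJ-LEFT-REAL
 subnet 192.168.1.0 255.255.255.0
object network OBJ-LEFT-MAPPED
 subnet 172.16.1.0 255.255.255.0
object network OBJ-RIGHT-MAPPED
 subnet 172.16.2.0 255.255.255.0
!
! --- twice NAT (manual NAT) ---
! Only traffic towards the partner's mapped range is translated; the
! destination is mapped to itself, so it is left unchanged. The partner
! never sees 192.168.1.x from us, and our server sees 172.16.2.x as the
! client, so its replies are routed out through the tunnel, not internally.
! Static twice NAT is bidirectional: inbound packets for 172.16.1.10 are
! untranslated to 192.168.1.10 when they come from 172.16.2.0/24.
nat (inside,outside) source static OBJ-LEFT-REAL OBJ-LEFT-MAPPED destination static OBJ-RIGHT-MAPPED OBJ-RIGHT-MAPPED
!
! --- crypto ACL: uses the MAPPED addresses on both sides ---
access-list ACL-VPN-RIGHT extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
!
! --- IKEv1 / IPsec ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address ACL-VPN-RIGHT
crypto map CM-OUTSIDE 10 set peer 203.0.113.2
crypto map CM-OUTSIDE 10 set ikev1 transform-set TS-AES256-SHA
crypto map CM-OUTSIDE interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER-REPLACE-ME
!
! --- RIGHT site: the mirror image (only the parts that differ) ---
! object network OBJ-RIGHT-REAL   -> subnet 192.168.1.0 255.255.255.0
! object network OBJ-RIGHT-MAPPED -> subnet 172.16.2.0 255.255.255.0
! object network OBJ-LEFT-MAPPED  -> subnet 172.16.1.0 255.255.255.0
! nat (inside,outside) source static OBJ-RIGHT-REAL OBJ-RIGHT-MAPPED destination static OBJ-LEFT-MAPPED OBJ-LEFT-MAPPED
! access-list ACL-VPN-LEFT extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
! crypto map ... set peer 203.0.113.1 ; tunnel-group 203.0.113.1 type ipsec-l2l
! A right-side client then opens http://172.16.1.10/ and reaches the left server.
```

The twice-NAT line is the same shape as the one the original poster later quotes; the destination object appears twice so that the translation only fires for tunnel-bound traffic and the destination itself is not rewritten. To confirm the order of operations, `packet-tracer input inside tcp 192.168.1.10 80 172.16.2.20 40000` on the left ASA should show the NAT phase rewriting the source to 172.16.1.10 and the VPN phase matching ACL-VPN-RIGHT, and `show crypto ipsec sa` should report the 172.16.1.0/24 to 172.16.2.0/24 proxy identities. Keep in mind that with the default `sysopt connection permit-vpn`, decrypted tunnel traffic bypasses the outside interface ACL, so the tunnel as shown exposes the whole mapped range unless it is narrowed separately.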
07-24-2015 04:08 PM
Thank you, but I have no idea how I can specify a 172-address for VPN connections in the ASA. I have no Tunnel interfaces, only tunnel-groups. Can you give a config example for two Cisco ASAs, VPN and NAT?
07-28-2015 07:14 PM
Hi k.shtrykov,
The traffic that is sent over the VPN tunnel is configured in the crypto access-list, which is part of the crypto map rather than the tunnel-group.
Try following the above-mentioned document and the one given below, and it should address your queries:
http://packetpushers.net/how-to-build-an-ipsec-vpn-with-cisco-asas-overlapping-address-space/
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-29-2015 11:12 AM
Thank you very, very much :) This solution works great, but I have one last problem: I can't publish only one service/port, only the whole host. In the manual that you provided, the author uses the old syntax (for versions lower than 8.4). AFAIU, I can publish the whole host with
nat (inside,outside) source static obj-host-ip obj-ext-nat-ip destination static obj-nat-ip-of-other-side obj-nat-ip-of-other-side
But I can't understand how to publish only one service from the host with the new syntax.
07-29-2015 11:44 AM
Hi k.shtrykov,
It is recommended that you use IP based access-list in the crypto maps.
You can configure VPN filters to restrict the traffic based on the ports.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
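The port restriction suggested in this reply (IP-based crypto ACL kept as is, a VPN filter limiting the tunnel to one service) written out for the same constructed addresses as the earlier example. This is an added example, not configuration from the thread; the object and ACL names are invented, and the assumption about which addresses the filter sees is stated in the comments.

```cisco
! Added example (not from the thread): restricting the tunnel to HTTP with a
! VPN filter instead of a port-based crypto ACL. Constructed addresses:
! the partner's clients appear as 172.16.2.0/24 inside the tunnel and our
! server is reached as 172.16.1.10 (real address 192.168.1.10).
!
! A vpn-filter ACL is written from the REMOTE side's point of view:
! source = remote network, destination = local. For a LAN-to-LAN tunnel
! the ASA applies it in both directions, mirroring source and destination
! for traffic leaving through the tunnel, so return traffic needs no
! separate entry.
!
! Assumption to verify on your release: the filter is evaluated on the
! addresses as they travel inside the tunnel (the mapped 172.16.x ones).
! If packet-tracer shows it being matched against the real address instead,
! use "host 192.168.1.10" as the destination.
access-list ACL-VPNFILTER-HTTP extended permit tcp 172.16.2.0 255.255.255.0 host 172.16.1.10 eq www
! anything not listed is dropped by the implicit deny at the end of the filter
!
group-policy GP-PARTNER internal
group-policy GP-PARTNER attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value ACL-VPNFILTER-HTTP
!
! attach the group policy to the partner's LAN-to-LAN tunnel-group
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-PARTNER
!
! Confirm which filter the session carries:
!   show vpn-sessiondb detail l2l
```

The crypto ACL stays a plain `permit ip` between the two mapped ranges, so both peers negotiate identical proxy identities and the tunnel comes up cleanly; the filter does the narrowing after decryption. Because the tunnel is mirrored, the same ACL also stops hosts on the local side from opening anything but the reverse of that HTTP flow towards the partner, which is usually the intended exposure for a partner link.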