cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1125
Views
0
Helpful
4
Replies

[VPN Site to Site] Overlapping Network

Patrick Tran
Level 1
Level 1

Hi,

We have a Cisco ASA 9.1 and lots of VPN clients which work fine on it.

 

Now we have to connect a partner site with Site-to-Site VPN. 

 

We have few problems:

  • IP address overlap (we use 10.0.0.0/8 and partner use 10.145.0.0/16)
  • Partner can't use NAT on their router

 

Which are the best solutions to configure this Site-to-Site VPN? 

Thanks for your help,

Patrick

 

1 Accepted Solution

Accepted Solutions

Hi Patrick,

Best option here is you can specify the required subnets alone in cryptomap /encryption domain...

say in 10.0.0.0/8 the other end need to access only few subnets 10.1.0.0/24, 10.10.20.0/24..... you can specify that alone in your crypto acl.... else you can use deny statement for the specific 10.145.0.0/16 in crypto map but am not sure if that gives you the better result.

If you have the access required which is mixed up with multiple 10.x.x.x/8 statements..... then you can have the crypto ACL like the below encryption domains... Here you are skipping 10.145.0.0/16 alone from the subnet range.....

10.0.0.0/9 to 10.145.0.0/16
10.128.0.0/12 to 10.145.0.0/16
10.146.0.0/15 to 10.145.0.0/16
10.148.0.0/14 to 10.145.0.0/16
10.152.0.0/13 to 10.145.0.0/16
10.160.0.0/11 to 10.145.0.0/16

10.192.0.0/10 to 10.145.0.0/16

but make sure that you dont have any servers in 10.145.0.0/16 in your lan that client requires access.....


 

Link for having deny crypto ACL';s

https://supportforums.cisco.com/discussion/10909276/crypto-acl-question

Regards

Karthik

 

View solution in original post

4 Replies 4

nkarthikeyan
Level 7
Level 7

Hi Patrick,

In such case of overlapping network you should get that NAT on both the ends. But you can restrict your encryption domain excluding the 10.145.0.0/16 network through VPN.

Say if they are allowed to access certain segment inside your LAN then specify those subnets alone in crypto ACL.

Regards

Karthik.

Hi Karthik,

Thanks for your quick answer :)

How to exclude the 10.145.0.0/16 network in encryption domain?  Do you have CLI or ADSM examples?

Regards

Patrick

Hi Patrick,

Best option here is you can specify the required subnets alone in cryptomap /encryption domain...

say in 10.0.0.0/8 the other end need to access only few subnets 10.1.0.0/24, 10.10.20.0/24..... you can specify that alone in your crypto acl.... else you can use deny statement for the specific 10.145.0.0/16 in crypto map but am not sure if that gives you the better result.

If you have the access required which is mixed up with multiple 10.x.x.x/8 statements..... then you can have the crypto ACL like the below encryption domains... Here you are skipping 10.145.0.0/16 alone from the subnet range.....

10.0.0.0/9 to 10.145.0.0/16
10.128.0.0/12 to 10.145.0.0/16
10.146.0.0/15 to 10.145.0.0/16
10.148.0.0/14 to 10.145.0.0/16
10.152.0.0/13 to 10.145.0.0/16
10.160.0.0/11 to 10.145.0.0/16

10.192.0.0/10 to 10.145.0.0/16

but make sure that you dont have any servers in 10.145.0.0/16 in your lan that client requires access.....


 

Link for having deny crypto ACL';s

https://supportforums.cisco.com/discussion/10909276/crypto-acl-question

Regards

Karthik

 

Thanks a lot for your help smiley

Best regards,

Patrick