[VPN Site to Site] Overlapping Network

Patrick Tran
Level 1

Hi,

We have a Cisco ASA 9.1 and lots of VPN clients which work fine on it.


Now we have to connect a partner site with Site-to-Site VPN. 


We have a few problems:

  • IP address overlap (we use 10.0.0.0/8 and the partner uses 10.145.0.0/16)
  • The partner can't use NAT on their router


Which are the best solutions to configure this Site-to-Site VPN? 

Thanks for your help,

Patrick



4 Replies

nkarthikeyan
Level 7

Hi Patrick,

In such a case of overlapping networks you should have NAT on both ends. But you can restrict your encryption domain by excluding the 10.145.0.0/16 network from the VPN.

Say they are allowed to access only certain segments inside your LAN; then specify those subnets alone in the crypto ACL.

Regards

Karthik.

Hi Karthik,

Thanks for your quick answer :)

How do I exclude the 10.145.0.0/16 network from the encryption domain? Do you have CLI or ASDM examples?

Regards

Patrick

Hi Patrick,

The best option here is to specify only the required subnets in the crypto map / encryption domain...

Say that within 10.0.0.0/8 the other end needs to access only a few subnets, 10.1.0.0/24, 10.10.20.0/24..... you can specify those alone in your crypto ACL.... Otherwise you can use a deny statement for the specific 10.145.0.0/16 in the crypto map, but I am not sure if that gives you the better result.

If the access required is mixed up with multiple 10.x.x.x/8 statements..... then you can have the crypto ACL like the encryption domains below... Here you are skipping 10.145.0.0/16 alone from the subnet range.....

10.0.0.0/9 to 10.145.0.0/16
10.128.0.0/12 to 10.145.0.0/16
10.146.0.0/15 to 10.145.0.0/16
10.148.0.0/14 to 10.145.0.0/16
10.152.0.0/13 to 10.145.0.0/16
10.160.0.0/11 to 10.145.0.0/16
10.192.0.0/10 to 10.145.0.0/16

But make sure that you don't have any servers in 10.145.0.0/16 in your LAN that the client requires access to.....



Link for having deny crypto ACLs:

https://supportforums.cisco.com/discussion/10909276/crypto-acl-question

Regards

Karthik
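One way to derive and verify the subnet split described in the reply above, as an added example that is not code from the thread or from Cisco: Python's `ipaddress` module computes the prefixes that cover 10.0.0.0/8 with 10.145.0.0/16 carved out, renders them as ASA `access-list ... extended permit ip` lines (and the shorter deny-plus-permit variant the reply also mentions), and checks that any hand-written split is gap-free and never overlaps the partner range. The ACL name `VPN-PARTNER` is an assumption.

```python
"""Derive and validate a crypto ACL that carries 10.0.0.0/8 to the partner's
10.145.0.0/16 while excluding 10.145.0.0/16 from the local encryption domain.
Added example; not from the forum thread or from Cisco."""
import ipaddress

LOCAL = ipaddress.ip_network("10.0.0.0/8")
PARTNER = ipaddress.ip_network("10.145.0.0/16")
ACL_NAME = "VPN-PARTNER"  # assumed ACL name, not from the thread

# The seven source prefixes listed by hand in the reply above, copied verbatim
# so check_cover() can validate them.
HAND_WRITTEN = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/9", "10.128.0.0/12", "10.146.0.0/15", "10.148.0.0/14",
    "10.152.0.0/13", "10.160.0.0/11", "10.192.0.0/10",
)]


def local_prefixes_excluding(local, excluded):
    """Minimal sorted list of prefixes covering `local` minus `excluded`."""
    return sorted(local.address_exclude(excluded))


def asa_acl_lines(local, partner, acl_name=ACL_NAME):
    """Render one ASA permit line per local prefix, using netmasks as the
    ASA expects (not wildcard masks)."""
    lines = []
    for src in local_prefixes_excluding(local, partner):
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{src.network_address} {src.netmask} "
            f"{partner.network_address} {partner.netmask}"
        )
    return lines


def asa_acl_lines_with_deny(local, partner, acl_name=ACL_NAME):
    """The alternative form from the reply: deny the overlapping /16 first,
    then permit the whole /8. Order matters; the deny must come first."""
    return [
        f"access-list {acl_name} extended deny ip "
        f"{partner.network_address} {partner.netmask} "
        f"{partner.network_address} {partner.netmask}",
        f"access-list {acl_name} extended permit ip "
        f"{local.network_address} {local.netmask} "
        f"{partner.network_address} {partner.netmask}",
    ]


def check_cover(prefixes, local, excluded):
    """True only if no prefix overlaps `excluded` and the prefixes plus
    `excluded` merge back into exactly `local` (no gaps, no stray ranges)."""
    if any(p.overlaps(excluded) for p in prefixes):
        return False
    merged = list(ipaddress.collapse_addresses(list(prefixes) + [excluded]))
    return merged == [local]


if __name__ == "__main__":
    computed = local_prefixes_excluding(LOCAL, PARTNER)
    print("computed split:", [str(p) for p in computed])
    print("computed split complete:", check_cover(computed, LOCAL, PARTNER))
    print("hand-written split complete:", check_cover(HAND_WRITTEN, LOCAL, PARTNER))
    print()
    print("\n".join(asa_acl_lines(LOCAL, PARTNER)))
    print()
    print("\n".join(asa_acl_lines_with_deny(LOCAL, PARTNER)))
```

Running it yields eight source prefixes rather than seven: `check_cover` reports the hand-written list above as incomplete because 10.144.0.0/16 (the block between 10.128.0.0/12 and 10.146.0.0/15) is not in it, so hosts there would fall outside the encryption domain. Validating a split this way before pasting it into the crypto ACL avoids silently dropping traffic for a whole range, which is the failure mode to watch for whenever a large block is enumerated by hand.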


Thanks a lot for your help :)

Best regards,

Patrick