07-16-2019 05:43 AM
Hi
I need to form a VPN tunnel from A side to B side. B side uses 10.50.x.x as its internal range, which A side uses as well. Is there any way we can find a solution?
07-16-2019 05:47 AM
Hi there,
Surely every device at one site does not require connectivity to every device at the other site?
In the likely event that each site offers a small subset of services which need to be accessible, then I suggest you use static NAT to hide the 'real' 10.50.x.x IP addresses and then advertise the NAT pool subnet to the other site.
cheers,
Seb.
07-16-2019 05:52 AM
To add to what @Seb Rupik mentioned, here is a guide on how to deal with overlapping subnets on the ASA:
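The static NAT approach suggested above, sketched as ASA (8.3 and later) twice-NAT configuration. This is an added example, not part of the original thread or the linked guide; the object names, the `inside`/`outside` interface names, and the translated pools 192.168.101.0/24 and 192.168.102.0/24 are assumptions chosen for illustration.

```cisco
! ---- Site A ASA (constructed example; names and NAT pools are assumptions) ----
object network SITE-A-REAL
 subnet 10.50.50.0 255.255.255.0
object network SITE-A-NAT
 subnet 192.168.101.0 255.255.255.0
object network SITE-B-NAT
 subnet 192.168.102.0 255.255.255.0
!
! 1:1 static translation, applied only to traffic bound for Site B's
! translated pool. Other traffic from 10.50.50.0/24 is not affected.
nat (inside,outside) source static SITE-A-REAL SITE-A-NAT destination static SITE-B-NAT SITE-B-NAT
!
! NAT happens before the crypto ACL is matched, so the ACL lists only the
! translated subnets. The overlapping 10.50.50.0/24 never crosses the tunnel.
access-list VPN-TO-B extended permit ip object SITE-A-NAT object SITE-B-NAT
!
! ---- Site B ASA (mirror image of the above) ----
object network SITE-B-REAL
 subnet 10.50.50.0 255.255.255.0
object network SITE-B-NAT
 subnet 192.168.102.0 255.255.255.0
object network SITE-A-NAT
 subnet 192.168.101.0 255.255.255.0
!
nat (inside,outside) source static SITE-B-REAL SITE-B-NAT destination static SITE-A-NAT SITE-A-NAT
access-list VPN-TO-A extended permit ip object SITE-B-NAT object SITE-A-NAT
```

With subnet-to-subnet static NAT the host portion is preserved, so a Site A client reaches Site B's 10.50.50.20 as 192.168.102.20. Each site must route the other side's translated pool toward its own ASA.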
07-16-2019 08:27 AM
Thank you both. The problem over here is Site A is accessing resources from Site B.
Site A uses 10.50.50.0/24, as an example, and it is advertised throughout Site A's networks.
Site B also uses the same range.
So what can be done for Site A to access Site B? We used to use public IPs, but Site B does not have a public one available.
07-16-2019 08:56 AM
Hello
From what I understand from the question now is
10.50.50.0/24 -----A(1.1.1.1)============B(2.2.2.2)------------10.50.50.0/24
Earlier you had an available public IP address on both sites A and B, and you were able to NAT 10.50.50.0/24 (on side A) to X IP address and 10.50.50.0/24 (on side B) to Y IP address. Now, B doesn't have Y and so you can't use it anymore. Is this the scenario you are trying to implement?
You can use a local IP (y IP address) on side B, NAT all 10.50.50.0/24 behind site B to that, and add it to the crypto ACL.
Earlier the crypto ACL was X to Y and Y to X. Now this can be changed to X to y.
Of course you would need to allow access for y wherever Y had access earlier.
Is this the topology? If not, could you please share the topology? Even a simple example would do to make sure we understand what you are trying to achieve.
The 2nd thing which comes to my mind is Site B is totally routed to site A and doesn't have any Public IP and you want to route all traffic from Site B to Site A and make sure Site A can access all resources behind B.
Regards
Shikha Grover
07-16-2019 09:26 AM
10.50.50.0/24 -----A(1.1.1.1)============B(2.2.2.2)------------10.50.50.0/24
Yes, the above is correct. However, in Site A they also use 10.50.50.0/24, and company policy is generally to use a crypto tunnel to a public IP and not a private IP to Site B. Site B has a public range (Ex: 7.7.7.0/24) but can't use it for this purpose.
So is there any other way? Am I making it clear?
07-16-2019 10:01 AM
Hello
I am sorry, however you would need to compromise on one of the things:
You can either use a LOCAL IP (going against your company policy) or make arrangements for a public IP (which isn't available for now).
Regards
Shikha Grover
Please rate the answers that are helpful
07-16-2019 01:46 PM
Clear, thank you for the quick reply.