VPN with 2 peers with same subnets.

martinmadsen
Level 1

Hi,

I need to know whether the following would be possible to do on both an ASA or Cisco router:

I have 3 sites. A, B and C.

Site A has 10.1.1.0/24

Site B has 192.168.1.0/24

Site C has 192.168.1.0/24

Clients on site A need to be able to connect to hosts on both site B and C.

Site B and C will never have to connect to A, B or C.

Firewalls at site B and C cannot do any source NATting. They can only set up one simple IPSEC tunnel.

The clients at site A would connect to hosts at site B on, say, 172.16.1.0/24 and hosts on site C on 172.16.2.0/24.

All traffic destined for site B and C needs to appear from a single public IP in our available IPs.

Is it possible to do all the NATting required on the ASA or router at site A so that the firewalls at site B and C never have to know about the NATting going on?

Thanks in advance.

2 Replies

jawad-mukhtar
Level 4

Site A has 10.1.1.0/24

VPN Site B ACL 1

permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255

VPN Site C ACL 2

permit ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Site B has 192.168.1.0/24

NAT whole subnet of 1.x with 2.x

NAT Pool

ip nat pool POOLSITEA 192.168.2.1 192.168.2.254 prefix-length 24 type match-host

NAT ACL

! the NAT ACL matches the real (pre-translation) inside source, 192.168.1.0/24;
! match-host keeps the host part, so 192.168.1.x becomes 192.168.2.x
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

ip nat inside source list NAT_ACL pool POOLSITEA

VPN ACL WILL BE

! the crypto ACL matches the translated addresses: inside-to-outside NAT runs before the crypto map check
permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Site C has 192.168.1.0/24

NAT Pool

ip nat pool POOLSITEA 192.168.3.1 192.168.3.254 prefix-length 24 type match-host

NAT ACL

! again the NAT ACL matches the real inside source; 192.168.1.x becomes 192.168.3.x
ip access-list extended NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

ip nat inside source list NAT_ACL pool POOLSITEA

VPN ACL WILL BE

permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255

Hope you understand....

*** Do Rate Helpful Posts***

Jawad

Thanks for your reply.

As far as I can tell, in your example you require the firewall or router at site B and C to do source NATting.

I'm looking for a method to avoid that, so that site B and C will only require one SA with a public IP from site A in one end and 192.168.1.0/24 in the other.

So I need the router or firewall at site A to have two identical SAs and still, by recognizing which virtual NATted IP segment the client has sent traffic to, be able to redirect the traffic to the right site.

For example:

Traffic to 172.16.1.0/24 should be redirected to site B via an SA like 2.2.2.2 <-> 192.168.1.0/24

Traffic to 172.16.2.0/24 should be redirected to site C via an SA like 2.2.2.2 <-> 192.168.1.0/24

Is there any possible way to do this? Maybe via multiple contexts or the like on a router.

Best Regards

Martin
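The half of Martin's requirement that a single device at site A can satisfy, as an added example that is not from the thread or from either poster: ASA (8.3 or later) twice NAT at site A that maps the virtual segment 172.16.1.0/24 to site B's real 192.168.1.0/24 and PATs the 10.1.1.0/24 sources behind the single public IP 2.2.2.2 used in the thread, with the crypto map written against the post-NAT addresses so site B only ever sees 2.2.2.2 <-> 192.168.1.0/24 and needs no NAT of its own. The site B peer address 203.0.113.10, the object and map names, and the pre-shared-key placeholder are assumptions for the example.

```cisco
! --- objects (names assumed for this example) ---
object network SITEA_LAN
 subnet 10.1.1.0 255.255.255.0
object network SITEA_PAT
 host 2.2.2.2                      ! spare public IP at site A, from the thread
object network SITEB_MAPPED
 subnet 172.16.1.0 255.255.255.0   ! what site A clients address
object network SITEB_REAL
 subnet 192.168.1.0 255.255.255.0  ! site B's real subnet

! --- twice NAT: destination 172.16.1.x -> 192.168.1.x, source 10.1.1.0/24 -> 2.2.2.2 ---
! "destination static <mapped> <real>": the mapped object is the address the inside host uses
nat (inside,outside) source dynamic SITEA_LAN SITEA_PAT destination static SITEB_MAPPED SITEB_REAL

! --- crypto ACL on post-NAT addresses: this is what site B's single SA must mirror ---
access-list VPN_SITEB extended permit ip host 2.2.2.2 192.168.1.0 255.255.255.0

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS_AES esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10        ! site B peer, assumed address
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

The ASA applies NAT before it evaluates the crypto map, so the crypto ACL must match the translated flow (2.2.2.2 to 192.168.1.0/24), not 10.1.1.0/24 to 172.16.1.0/24; `show nat detail` and `show crypto ipsec sa` confirm the translation hits and the encrypted flow. This also shows the limit Martin runs into: repeating the same twice NAT for 172.16.2.0/24 and site C produces a second crypto map entry whose ACL is identical to VPN_SITEB, and crypto map entries are matched in sequence order, so site C's traffic would also match entry 10 and be sent to site B's peer. A single crypto map cannot steer two identical post-NAT flows to different peers; separating the two tunnels into their own routing instances (the "multiple contexts or the like" Martin mentions) is what that would need.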