04-05-2012 04:54 AM - edited 02-21-2020 05:59 PM
Hi
I am trying to make a site-to-site VPN between two sites, but both sites are using 192.168.10.x/24.
I want Site A to access the Site B network (192.168.10.x) on 192.168.73.x.
Site B accesses the Site A network on the real IP addresses of the actual LANs: 192.168.80.0, 192.168.200.0 and 192.168.10.0.
Site B will use 192.168.73.x when they want to access Site A subnets.
The configuration for Site A is mentioned below:
access-list acl-httsa extended permit ip 192.168.80.64 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.80.89 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.80.62 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.210.125 255.255.255.255 192.168.73.0 255.255.255.0
access-list acl-httsa extended permit ip 192.168.200.86 255.255.255.255 192.168.73.0 255.255.255.0
static (inside,outside) 192.168.73.0 access-list acl-99
access-list acl-99 extended permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list acl-99 extended permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list acl-99 extended permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
static (outside,inside) 192.168.73.0 192.168.10.0
Please let me know if the above configuration will work for me. I am confused about the static configuration. Please assist.
04-05-2012 05:56 AM
Hi,
The above configurations don't really match what you are describing before them. Also, I think you need to NAT both sites' source networks, since even though Site A might be connecting to another network (192.168.73.0/24), Site B would still be seeing connections coming from network 192.168.10.0/24 on its outside interface while it has the same network on its inside.
I might have totally misunderstood the original post though.
Let's look through all the information needed for the L2L VPN.
Site A network(s):
Site B network(s):
The L2L VPN encryption domain / interesting ACL and NAT configurations would look something like this:
SiteA
access-list SITE-A-L2L-VPN-ACL permit ip 192.168.20.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-L2L-VPN-ACL permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-L2L-VPN-ACL permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-VPN-NONAT remark NO NAT for the below networks
access-list SITE-A-VPN-NONAT permit ip 192.168.80.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list SITE-A-VPN-NONAT permit ip 192.168.200.0 255.255.255.0 192.168.73.0 255.255.255.0
nat (inside) 0 access-list SITE-A-VPN-NONAT
access-list SITE-A-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.73.0 255.255.255.0
static (inside,outside) 192.168.20.0 access-list SITE-A-VPN-POLICYNAT
The above configuration should do the following for SITE A
SiteB
access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list SITE-B-L2L-VPN-ACL permit ip 192.168.73.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list SITE-B-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
static (inside,outside) 192.168.73.0 access-list SITE-B-VPN-POLICYNAT
The above configuration should do the following for SITE B
Hope I didn't mess up any configurations.
Please rate if it was of any help.
Ask more if something needs clarification.
- Jouni
04-05-2012 08:51 AM
Hi,
Thanks for the detailed reply, but I don't have any administrative control over the Site B network. I am only managing the Site A network, which has the LAN IP addresses
192.168.80.0
192.168.200.0
192.168.10.0
I want to give all my users the 192.168.73.0 network as the remote Site B network (which is 192.168.10.x).
All the traffic from my LAN should appear at the Site B network as coming from a 192.168.73.x source.
All configuration I need is only on my firewall. When traffic from Site B comes to my firewall, it should translate the 192.168.10.0 network of Site B into 192.168.73.x.
How can I achieve this without doing NAT on the Site B network?
04-05-2012 09:10 AM
Hmm,
So you want to NAT overlapping networks and in the process overlap them again?
04-05-2012 10:48 AM
Yes, because I don't want to do the extra configuration on the Site B network, because I don't have any control over there.
I want to do all the configuration for the overlapping network etc. on my side and let Site B configure the standard VPN configuration.
04-05-2012 11:53 AM
Hi,
To be honest, I can't see how this would work when you consider that you would tell the VPN device that the source and destination networks are both the same for both sites.
Or I have just misunderstood this thing completely.
Though I've got to say that all these NAT and VPN configurations are the easiest when both endpoints handle their NAT configurations separately. So if it's in any way possible, I suggest you get someone to handle the configurations on the other end so that you don't have to deal with the situation alone.
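The following is an added model (not code from this thread, not Cisco's) of the two designs discussed above: Jouni's two-sided policy NAT, where Site A presents its 192.168.10.0/24 as 192.168.20.0/24 and Site B presents its 192.168.10.0/24 as 192.168.73.0/24, and the one-sided plan from the later posts, where Site A alone maps everything onto 192.168.73.0/24. It assumes the pre-8.3 ASA semantics of `static (inside,outside) MAPPED access-list ACL` (net-to-net translation that keeps the host part, applied only when the peer network matches) and treats a crypto ACL as a list of (source, destination) network pairs; the host addresses used are constructed. It walks one connection through both firewalls and back, and flags the one-sided plan because its mapped ranges collide, which is the "overlap them again" problem Jouni describes.

```python
"""Constructed model of policy NAT + crypto ACL matching for overlapping LANs."""
from dataclasses import dataclass
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def net(s):
    return Net(s)


@dataclass(frozen=True)
class PolicyNat:
    real: Net    # network as the inside hosts really have it
    mapped: Net  # how that network appears on the outside
    peer: Net    # policy condition: only applies for traffic to/from this remote net


def nat_out(rules, src, dst):
    """Inside->outside: rewrite src if a rule matches (src in real, dst in peer)."""
    for r in rules:
        if src in r.real and dst in r.peer:
            return Addr(int(r.mapped.network_address) + (int(src) - int(r.real.network_address)))
    return src  # no rule: identity, like 'nat (inside) 0 access-list ...'


def nat_in(rules, src, dst):
    """Outside->inside: un-NAT dst if a rule matches (dst in mapped, src in peer)."""
    for r in rules:
        if dst in r.mapped and src in r.peer:
            return Addr(int(r.real.network_address) + (int(dst) - int(r.mapped.network_address)))
    return dst


def crypto_match(acl, src, dst):
    """Does the (already translated) packet fall inside the encryption domain?"""
    return any(src in s and dst in d for s, d in acl)


def mapped_overlaps(rules):
    """Pairs of rules whose mapped ranges overlap: the same outside address
    would then stand for two different real hosts and cannot be un-NATed."""
    return [(a, b) for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.mapped.overlaps(b.mapped)]


# Jouni's two-sided design (networks taken from the thread).
SITE_A_NAT = [PolicyNat(net("192.168.10.0/24"), net("192.168.20.0/24"), net("192.168.73.0/24"))]
SITE_A_ACL = [(net("192.168.20.0/24"), net("192.168.73.0/24")),
              (net("192.168.80.0/24"), net("192.168.73.0/24")),
              (net("192.168.200.0/24"), net("192.168.73.0/24"))]
SITE_B_NAT = [PolicyNat(net("192.168.10.0/24"), net("192.168.73.0/24"), peer)
              for peer in (net("192.168.20.0/24"), net("192.168.80.0/24"), net("192.168.200.0/24"))]
SITE_B_ACL = [(d, s) for s, d in SITE_A_ACL]  # exact mirror image of Site A's ACL

# The one-sided plan: Site A maps all three of its LANs onto 192.168.73.0/24
# for traffic to 192.168.73.0/24 (the name it also gives Site B's LAN).
OP_SINGLE_SIDED = [PolicyNat(net(n), net("192.168.73.0/24"), net("192.168.73.0/24"))
                   for n in ("192.168.80.0/24", "192.168.200.0/24", "192.168.10.0/24")]


def round_trip(a_src, b_mapped_dst):
    """A Site A host reaches a Site B host by its 192.168.73.x name.
    Returns ((src, dst) as seen on the tunnel, real Site B host reached,
    address the reply is delivered to at Site A)."""
    a_src, b_mapped_dst = Addr(a_src), Addr(b_mapped_dst)
    wire_src = nat_out(SITE_A_NAT, a_src, b_mapped_dst)           # NAT happens before the crypto check
    if not crypto_match(SITE_A_ACL, wire_src, b_mapped_dst):
        raise ValueError("Site A would not encrypt this packet")
    if not crypto_match(SITE_B_ACL, b_mapped_dst, wire_src):     # inbound is checked mirrored
        raise ValueError("Site B would reject this packet as outside its encryption domain")
    b_real = nat_in(SITE_B_NAT, wire_src, b_mapped_dst)
    reply_src = nat_out(SITE_B_NAT, b_real, wire_src)             # reply leaves Site B as 192.168.73.x
    a_real = nat_in(SITE_A_NAT, reply_src, wire_src)              # Site A un-NATs 192.168.20.x back
    return (str(wire_src), str(b_mapped_dst)), str(b_real), str(a_real)


if __name__ == "__main__":
    print(round_trip("192.168.10.5", "192.168.73.9"))
    print(round_trip("192.168.80.5", "192.168.73.9"))
    print("one-sided plan mapped-range collisions:", len(mapped_overlaps(OP_SINGLE_SIDED)))
```

With the two-sided design, 192.168.10.5 at Site A reaches 192.168.10.9 at Site B as 192.168.20.5 to 192.168.73.9, so neither firewall ever sees 192.168.10.0/24 on both of its interfaces. The one-sided rule set reports three colliding mapped ranges: 192.168.80.5, 192.168.200.5 and 192.168.10.5 would all become 192.168.73.5, and 192.168.73.0/24 is simultaneously the source pool and the destination name, which is why the reply cannot be un-NATed to a single host.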