site-site VPN. remote site has same private network id

Jun 6th, 2007

We are trying to plan a site-site vpn connecting our corporate network to a vendor's network. Both firewalls are Cisco ASA 5510s. The problem is, their private network ID matches a network ID that exists on our private WAN, which is 192.168.100.0/24. This network id is what actually connects interfaces of our remote site routers via fiber. But, I digress. How is the tunnel going to be established with the remote network given that the destination network matches a network id on our own WAN? Will I have to use NAT?


Thanks for any insight. We have successfully set up site-sites with this firewall, but I have never run into a problem where the destination network happens to match one of our internal ids on the WAN.

Jon Marshall Wed, 06/06/2007 - 08:41

Hi


Yes, you will have to use NAT. If the traffic is initiated from both ends of the VPN then you will need to NAT both networks and present them internally to each LAN as some other network address range. So at your end you need to present to your internal users the remote 192.168.100.0/24 addresses as a different network range, and so will the customer.


HTH


Jon

Both sides could use policy NAT and/or statics (depending on your traffic flow & direction) for the VPN.


Example:


[192.168.100.0/24]-----[ASA]-----[ASA]-----[192.168.100.0/24]


You can NAT your end to 192.168.200.0/24 and the other remote end can NAT their end to 192.168.201.0/24.


[192.168.200.0/24]-----[ASA]-----[ASA]-----[192.168.201.0/24]


Policy NAT Example:

access-list VPN-TO-???-NAT-ACL permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
nat (inside) 2 access-list VPN-TO-???-NAT-ACL
access-list VPN-TO-???-ACL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYPTO-MAP 1 match address VPN-TO-???-ACL
crypto map OUTSIDE-CRYPTO-MAP 1 set peer x.x.x.x
crypto map OUTSIDE-CRYPTO-MAP 1 set transform-set ESP-AES-SHA
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key blablablablablabla
crypto map OUTSIDE-CRYPTO-MAP interface outside


Static NAT Example:

access-list VPN-STATIC-NAT permit ip host 192.168.100.x 192.168.201.0 255.255.255.0
static (inside,outside) 192.168.200.x access-list VPN-STATIC-NAT


HTH


mumairabbasi Wed, 06/06/2007 - 23:39

Hi,


I have the same problem, and I have to NAT my local IP before sending it into one IPSEC tunnel due to customer policy. I am still unable to NAT using policy-based NAT on a PIX 515E 7.0; I feel like there is a global pool missing in the above configuration example.


global (outside) 2 192.168.200.0 255.255.255.0


Please confirm whether the posted example is workable.


Thanks,


Umair.
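Added example, not part of the thread: a small planner that builds both sides' pre-8.3 policy NAT and crypto lines for the overlapping-subnet scenario above (including the `global` pool the second post asks about) and checks that the two crypto ACLs mirror each other. The ACL and crypto-map names are constructed, and the peer addresses use RFC 5737 documentation space.

```python
import ipaddress

def _net(n):
    """'192.168.100.0/24' -> '192.168.100.0 255.255.255.0' (ASA ACL form)."""
    return f"{n.network_address} {n.netmask}"

def side_config(real_lan, my_fake, peer_fake, peer_ip, nat_id=2):
    """Pre-8.3 ASA/PIX lines for one side of an overlapping-subnet VPN.

    real_lan: real LAN behind this ASA (overlaps the peer's real LAN)
    my_fake: range this ASA presents its LAN as across the tunnel
    peer_fake: range the peer presents its LAN as (what our hosts target)
    """
    real, mine, peer = (ipaddress.ip_network(x) for x in (real_lan, my_fake, peer_fake))
    if real.overlaps(peer) or real.overlaps(mine):
        raise ValueError("translated ranges must not overlap the real LAN")
    hosts = list(mine.hosts())
    return [
        # Policy NAT: only traffic from the real LAN to the peer's fake range
        f"access-list VPN-NAT-ACL permit ip {_net(real)} {_net(peer)}",
        f"nat (inside) {nat_id} access-list VPN-NAT-ACL",
        # Pool the translated sources are drawn from (the 'global' the thread asks about)
        f"global (outside) {nat_id} {hosts[0]}-{hosts[-1]} netmask {mine.netmask}",
        # Crypto ACL matches post-NAT addresses, so it is fake -> fake
        f"access-list VPN-CRYPTO-ACL permit ip {_net(mine)} {_net(peer)}",
        "crypto map OUTSIDE-CRYPTO-MAP 1 match address VPN-CRYPTO-ACL",
        f"crypto map OUTSIDE-CRYPTO-MAP 1 set peer {peer_ip}",
    ]

def crypto_acl_endpoints(lines):
    """Return (src, dst) networks of the crypto ACL in a config."""
    for line in lines:
        if line.startswith("access-list VPN-CRYPTO-ACL permit ip "):
            p = line.split()
            return (ipaddress.ip_network(f"{p[4]}/{p[5]}"),
                    ipaddress.ip_network(f"{p[6]}/{p[7]}"))
    raise ValueError("no crypto ACL found")

def mirrored(cfg_a, cfg_b):
    """True when the two crypto ACLs are exact mirrors (IKEv1 L2L needs this)."""
    a_src, a_dst = crypto_acl_endpoints(cfg_a)
    b_src, b_dst = crypto_acl_endpoints(cfg_b)
    return a_src == b_dst and a_dst == b_src

if __name__ == "__main__":
    # Constructed peer addresses (RFC 5737 documentation space)
    ours = side_config("192.168.100.0/24", "192.168.200.0/24", "192.168.201.0/24", "203.0.113.1")
    theirs = side_config("192.168.100.0/24", "192.168.201.0/24", "192.168.200.0/24", "198.51.100.1")
    print("\n".join(ours), "\nmirror ok:", mirrored(ours, theirs))
```

The dynamic pool only covers connections initiated from the local side; hosts the peer must reach first need one-to-one statics in the same translated range, as the earlier reply notes.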
