06-06-2007 08:24 AM - edited 03-11-2019 03:25 AM
We are trying to plan a site-to-site VPN connecting our corporate network to a vendor's network. Both firewalls are Cisco ASA 5510s. The problem is, their private network ID matches a network ID that exists on our private WAN, which is 192.168.100.0/24. This network ID is what actually connects interfaces of our remote site routers via fiber. But, I digress. How is the tunnel going to be established with the remote network given that the destination network matches a network ID on our own WAN? Will I have to use NAT?
Thanks for any insight. We have successfully set up site-to-site tunnels with this firewall, but I have never run into a problem where the destination network happens to match one of our internal IDs on the WAN.
06-06-2007 08:41 AM
Hi
Yes, you will have to use NAT. If the traffic is initiated from both ends of the VPN then you will need to NAT both networks and present them internally to each LAN as some other network address range. So at your end you need to present the remote 192.168.100.0/24 addresses to your internal users as a different network range, and so will the customer.
HTH
Jon
06-06-2007 09:23 AM
Both sides could use policy NAT and/or statics (depending on your traffic flow & direction) for the VPN.
Example:
[192.168.100.0/24]-----[ASA]-----[ASA]-----[192.168.100.0/24]
You can NAT your end to 192.168.200.0/24 and the other remote end can NAT their end to 192.168.201.0/24.
[192.168.200.0/24]-----[ASA]-----[ASA]-----[192.168.201.0/24]
Policy NAT Example:
! Translate our real LAN only when it talks to the vendor's mapped range,
! so 192.168.100.0/24 on our own WAN is left untouched.
access-list VPN-TO-???-NAT-ACL permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
nat (inside) 2 access-list VPN-TO-???-NAT-ACL
! nat id 2 needs a matching "global (outside) 2" pool to supply the 192.168.200.x mapped addresses.
! Crypto ACL (interesting traffic) uses the mapped networks on both ends.
access-list VPN-TO-???-ACL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYPTO-MAP 1 match address VPN-TO-???-ACL
crypto map OUTSIDE-CRYPTO-MAP 1 set peer x.x.x.x
crypto map OUTSIDE-CRYPTO-MAP 1 set transform-set ESP-AES-SHA
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key blablablablablabla
crypto map OUTSIDE-CRYPTO-MAP interface outside
Static NAT Example:
! One-to-one policy static for a single host (mapped 192.168.200.x <-> real 192.168.100.x),
! applied only to traffic toward the vendor's mapped range. "host" takes no mask.
access-list VPN-STATIC-NAT permit ip host 192.168.100.x 192.168.201.0 255.255.255.0
static (inside,outside) 192.168.200.x access-list VPN-STATIC-NAT
HTH
06-06-2007 11:39 PM
Hi,
I have the same problem, and I have to NAT my local IP before sending it into an IPsec tunnel due to customer policy. I am still unable to NAT using policy-based NAT on a PIX 515E running 7.0; I feel that a global pool is missing from the configuration example above.
global (outside) 2 192.168.200.1-192.168.200.254 netmask 255.255.255.0
Please confirm whether the posted example is workable.
Thanks,
Umair.
06-07-2007 07:57 AM
I have used this setup in several cases. Post your cleaned up config and let everyone look at it to help you.
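As an added example (editor-supplied, not any poster's configuration), here is the complete two-sided setup the thread converges on: each side keeps its real 192.168.100.0/24 and shows the other a mapped /24 (192.168.200.0/24 for corporate, 192.168.201.0/24 for the vendor, as in the diagram above). It uses static policy NAT rather than a dynamic nat/global pair, so that either side can initiate, which also answers the missing-global question. Peer addresses (203.0.113.1, 198.51.100.1), the VENDOR/CORP object and ACL names, the pre-shared-key placeholder and the verification commands are assumptions; the page itself only shows the corporate side in pre-8.3 syntax. The last section goes beyond the thread and shows the same corporate-side NAT in the ASA 8.3+ twice-NAT form, for anyone applying this to current code.

```cisco
! ===== Corporate ASA (our side), pre-8.3 syntax =====
! Real LAN 192.168.100.0/24 is shown to the vendor as 192.168.200.0/24.
! The vendor's real 192.168.100.0/24 is reached by our hosts as 192.168.201.0/24.
! Both ACLs match only the vendor's mapped range, so 192.168.100.0/24 on our
! own fiber WAN keeps routing normally and never enters the tunnel.
access-list VPN-TO-VENDOR-NAT-ACL extended permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
! Static policy NAT: fixed 1:1 mapping in both directions. A dynamic
! "nat (inside) 2" + "global (outside) 2" pair only builds translations for
! flows we start, so vendor-initiated sessions to 192.168.200.x would fail.
static (inside,outside) 192.168.200.0 access-list VPN-TO-VENDOR-NAT-ACL
! Crypto ACL is written in mapped addresses only and must be the exact
! mirror of the vendor's crypto ACL (their local = our remote).
access-list VPN-TO-VENDOR-ACL extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-CRYPTO-MAP 10 match address VPN-TO-VENDOR-ACL
crypto map OUTSIDE-CRYPTO-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-CRYPTO-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-CRYPTO-MAP 10 set pfs group2
crypto map OUTSIDE-CRYPTO-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <long-random-psk>
! <long-random-psk> is a placeholder: use a long random secret agreed out of band.

! ===== Vendor ASA (their side), pre-8.3 syntax: same pattern, roles swapped =====
access-list VPN-TO-CORP-NAT-ACL extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
static (inside,outside) 192.168.201.0 access-list VPN-TO-CORP-NAT-ACL
access-list VPN-TO-CORP-ACL extended permit ip 192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0
crypto map OUTSIDE-CRYPTO-MAP 10 match address VPN-TO-CORP-ACL
crypto map OUTSIDE-CRYPTO-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-CRYPTO-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-CRYPTO-MAP 10 set pfs group2
crypto map OUTSIDE-CRYPTO-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <long-random-psk>
! (isakmp policy and transform-set lines identical to the corporate side)

! ===== Verification, either side (assumed procedure) =====
! show crypto ipsec sa        -> local/remote ident must read
!                                192.168.200.0/255.255.255.0 and 192.168.201.0/255.255.255.0
! packet-tracer input inside tcp 192.168.100.10 1025 192.168.201.10 443
!                             -> NAT phase rewrites source to 192.168.200.10, VPN phase encrypts
! show xlate | include 192.168.200 -> static policy xlates present before any traffic

! ===== Corporate side on ASA 8.3 and later (twice NAT replaces static policy NAT) =====
object network CORP-REAL
 subnet 192.168.100.0 255.255.255.0
object network CORP-MAPPED
 subnet 192.168.200.0 255.255.255.0
object network VENDOR-MAPPED
 subnet 192.168.201.0 255.255.255.0
! Source translated only when destination is the vendor's mapped range;
! destination is an identity static so the crypto ACL can reference it.
nat (inside,outside) source static CORP-REAL CORP-MAPPED destination static VENDOR-MAPPED VENDOR-MAPPED
access-list VPN-TO-VENDOR-ACL extended permit ip object CORP-MAPPED object VENDOR-MAPPED
```

Two things to check before calling it done: the crypto ACLs must be exact mirrors in mapped space (a real 192.168.100.0/24 anywhere in either crypto ACL will either fail phase 2 proxy-ID negotiation or black-hole your own WAN), and internal users must be told to reach the vendor on 192.168.201.x (DNS or hosts entries), since the vendor's real addresses are never visible across the tunnel. The phase 1 parameters above mirror the thread's era; use the strongest DH group and hash both ASAs support.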