site-site VPN. remote site has same private network id

sbantz
Level 1

We are trying to plan a site-site vpn connecting our corporate network to a vendor's network. Both firewalls are Cisco ASA 5510s. The problem is, their private network ID matches a network ID that exists on our private WAN, which is 192.168.100.0/24. This network id is what actually connects interfaces of our remote site routers via fiber. But, I digress. How is the tunnel going to be established with the remote network given that the destination network matches a network id on our own WAN? Will I have to use NAT?

Thanks for any insight. We have successfully set up site-sites with this firewall, but I have never run into a problem where the destination network happens to match one of our internal ids on the WAN.

4 Replies

Jon Marshall
Hall of Fame

Hi

Yes, you will have to use NAT. If the traffic is initiated from both ends of the VPN, then you will need to NAT both networks and present them internally to each LAN as some other network address range. So at your end you need to present the remote 192.168.100.0/24 addresses to your internal users as a different network range, and so will the customer.

HTH

Jon

palomoj
Level 1

Both sides could use policy NAT and/or statics (depending on your traffic flow & direction) for the VPN.

Example:

[192.168.100.0/24]-----[ASA]-----[ASA]-----[192.168.100.0/24]

You can NAT your end to 192.168.200.0/24 and the other remote end can NAT their end to 192.168.201.0/24.

[192.168.200.0/24]-----[ASA]-----[ASA]-----[192.168.201.0/24]

Policy NAT Example:

access-list VPN-TO-???-NAT-ACL permit ip 192.168.100.0 255.255.255.0 192.168.201.0 255.255.255.0
nat (inside) 2 access-list VPN-TO-???-NAT-ACL
access-list VPN-TO-???-ACL permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-CRYPTO-MAP 1 match address VPN-TO-???-ACL
crypto map OUTSIDE-CRYPTO-MAP 1 set peer x.x.x.x
crypto map OUTSIDE-CRYPTO-MAP 1 set transform-set ESP-AES-SHA
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash sha
isakmp policy 1 group 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key blablablablablabla
crypto map OUTSIDE-CRYPTO-MAP interface outside

Static NAT Example:

access-list VPN-STATIC-NAT permit ip host 192.168.100.x 192.168.201.0 255.255.255.0
static (inside,outside) 192.168.200.x access-list VPN-STATIC-NAT

HTH
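To make the double-NAT design above concrete, here is a small Python simulation of it. This is an added example, not configuration from the thread or from Cisco: it uses the thread's 192.168.100.0/24, 192.168.200.0/24 and 192.168.201.0/24 ranges, and the host addresses 192.168.100.10 and 192.168.100.20 and the extra 10.10.0.0/16 network are constructed for illustration. It checks that a proposed pair of translated ranges is unused where it will be routed, and traces one packet through both firewalls so you can see which address the user dials, what the crypto ACL sees inside the tunnel, and what the vendor host receives.

```python
# Added example (not from the thread): simulate the double-NAT design for a
# site-to-site VPN whose two sides both use 192.168.100.0/24.
import ipaddress

# Constructed topology using the ranges quoted in the thread.
LOCAL_NET = "192.168.100.0/24"   # our side (the private WAN in the question)
REMOTE_NET = "192.168.100.0/24"  # vendor side: the very same block
LOCAL_NAT = "192.168.200.0/24"   # how our ASA presents our side to the vendor
REMOTE_NAT = "192.168.201.0/24"  # how the vendor ASA presents their side to us


def check_nat_ranges(local_routed, remote_routed, local_nat, remote_nat):
    """Return a list of conflicts for a proposed pair of translated ranges.

    Our hosts route toward remote_nat, so it must not overlap anything already
    routed on our side; the vendor has the mirror requirement for local_nat;
    and the two translated ranges must be disjoint or the crypto ACL is ambiguous.
    """
    local_nat = ipaddress.ip_network(local_nat)
    remote_nat = ipaddress.ip_network(remote_nat)
    conflicts = []
    for net in map(ipaddress.ip_network, local_routed):
        if net.overlaps(remote_nat):
            conflicts.append(f"remote NAT range {remote_nat} overlaps our network {net}")
    for net in map(ipaddress.ip_network, remote_routed):
        if net.overlaps(local_nat):
            conflicts.append(f"local NAT range {local_nat} overlaps vendor network {net}")
    if local_nat.overlaps(remote_nat):
        conflicts.append(f"translated ranges {local_nat} and {remote_nat} overlap")
    return conflicts


def translate(addr, from_net, to_net):
    """Netmask-style one-to-one translation: keep the host bits, swap the prefix.

    This is the mapping a /24-to-/24 policy NAT (or a per-host static) produces.
    """
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("real and translated ranges must be the same size")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def matches_crypto_acl(src, dst):
    """Does an already-translated flow match the thread's crypto ACL,
    'permit ip 192.168.200.0/24 192.168.201.0/24'?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(LOCAL_NAT)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(REMOTE_NAT))


def forward_path(local_host, remote_host):
    """Trace one packet from a host on our side to a host on the vendor side.

    Returns three (src, dst) string pairs: what our host sends, what travels
    inside the tunnel after our ASA's policy NAT, and what the vendor host
    receives after the vendor ASA untranslates the destination.
    """
    # Our user must address the vendor host by its translated 192.168.201.x name.
    sent = (local_host, str(translate(remote_host, REMOTE_NET, REMOTE_NAT)))
    # Our ASA source-NATs 192.168.100.x -> 192.168.200.x before encryption,
    # which is what makes the flow match the crypto ACL.
    in_tunnel = (str(translate(sent[0], LOCAL_NET, LOCAL_NAT)), sent[1])
    if not matches_crypto_acl(*in_tunnel):
        raise RuntimeError("translated flow does not match the crypto ACL")
    # The vendor ASA maps 192.168.201.x back to the real 192.168.100.x host.
    delivered = (in_tunnel[0], str(translate(in_tunnel[1], REMOTE_NAT, REMOTE_NET)))
    return sent, in_tunnel, delivered


if __name__ == "__main__":
    # Constructed: our side carries the overlapping block plus a 10.10.0.0/16 LAN.
    ours = [LOCAL_NET, "10.10.0.0/16"]
    theirs = [REMOTE_NET]
    print("conflicts:", check_nat_ranges(ours, theirs, LOCAL_NAT, REMOTE_NAT))
    for stage, pair in zip(("sent", "in tunnel", "delivered"),
                           forward_path("192.168.100.10", "192.168.100.20")):
        print(f"{stage:>10}: {pair[0]} -> {pair[1]}")
```

Running `check_nat_ranges` with a candidate such as 192.168.100.0/24 for the vendor's translated range reports the overlap immediately, which is the mistake the double NAT exists to avoid; note also that the user on our side never sees a real vendor address, only the 192.168.201.x name, so DNS or documentation for the vendor hosts has to be published in translated form.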

Hi,

I have the same problem, and I have to NAT my local IP before sending it into an IPsec tunnel due to customer policy. I am still unable to NAT using policy-based NAT on a PIX 515E running 7.0; I feel like a global pool is missing from the configuration example above.

global (outside) 2 192.168.200.0 255.255.255.0

Please confirm whether the posted example is workable.

Thanks,

Umair.

I have used this setup in several cases. Post your cleaned up config and let everyone look at it to help you.
