remote l2l peer has same subnet with our local

husycisco
Level 7

Hi

I am about to establish a L2L tunnel with a remote site. But they say that my local network 10.10.10.0/24 is already in use at their site, so they want me to NAT my local network and go through the tunnel. I have an ASA 5540. I have just 3 hosts here that need to communicate over the tunnel: 10.10.10.x, 10.10.10.y and 10.10.10.z. So in this case I can establish this by

remote network=20.20.20.0/24

access-list x permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

nat (inside) 5 access-list x

global (outside) 5 somerealIPs of my outside interface here

I assume the above is correct. But I don't want to waste my real IPs on the outside interface. Can I write a random IP like

global (outside) 5 192.168.100.0 255.255.255.248

then modify the match ACL of vpn tunnel as

access-list matchacl permit ip 192.168.100.0 255.255.255.248 20.20.20.0 255.255.255.0

Is this correct? Or any other suggestions?

7 Replies

chris.russell
Level 1

Hi,

From my knowledge your configuration looks fine.

The only caveat I can see is that you will need to ensure the hosts talking over the VPN are not NATed by any previous NAT statements. This may mean you need to use ACLs rather than nat statements.

Cheers

Chris


Jon Marshall
Hall of Fame

Hi

This looks fine as long as the remote site does not need to initiate any of the connections to your end. If they do, you will need to set up static translations, otherwise they will not be able to connect.

Jon

Hi Jon,

Out of interest and for completeness, would this then be an inside-inside static or an outside-outside one?

Cheers

Chris

Chris

It would be a "static (inside,outside) ...." because you are presenting the addresses to the remote end.

You raise an interesting point though. You will need them to NAT their 10.x.x.x addresses as well, because if they don't, when packets enter your LAN after being NATed from 192.168.x.x, the destination of the packet will be 10.x.x.x and the source will be 10.x.x.x.

So either they need to NAT their source IPs or you need to NAT them.

Jon

Chris

Apologies, please ignore the previous bit about having to NAT their source IP addresses. For some reason I assumed they were using 10.x.x.x addressing as well, but they aren't.

The bit about the static command still stands though.

Jon

husycisco
Level 7

Thanks for contributing, guys.

So the following is OK:

remote network=20.20.20.0/24

access-list x permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

nat (inside) 5 access-list x

global (outside) 5 192.168.100.0 255.255.255.248

access-list matchacl permit ip 192.168.100.0 255.255.255.248 20.20.20.0 255.255.255.0

static (inside,outside) 10.10.10.x 192.168.100.x netmask 255.255.255.0

static (inside,outside) 10.10.10.y 192.168.100.y netmask 255.255.255.0

static (inside,outside) 10.10.10.z 192.168.100.z netmask 255.255.255.0

As I mentioned, my outside interface has a real IP like 212.xx.34.xx/29. In this case the outside interface is aware of the 212.xx.34.xx/29 network, so I can write ACLs like

access-list outside_access_in permit tcp any host 212.xx.34.xx eq 3389

access-list outside_access_in permit tcp any host 212.xx.34.xy eq 3389

access-list outside_access_in permit tcp any host 212.xx.34.xz eq 3389

access-group outside_access_in in interface outside

Here is the issue. I have to apply ACLs for the following statics:

static (inside,outside) 10.10.10.x 192.168.100.x netmask 255.255.255.0

static (inside,outside) 10.10.10.y 192.168.100.y netmask 255.255.255.0

static (inside,outside) 10.10.10.z 192.168.100.z netmask 255.255.255.0

access-list xxxx permit ip 20.20.20.0 255.255.255.0 192.168.100.0 255.255.255.248

Should xxxx be outside_access_in? If yes, how does the ASA know that the 192.168.100.0 network is on the outside? Because of the global statement?

Is the above the only way of achieving what I want, or are there any alternatives?

Regards

Sorry, the statics should be

static (inside,outside) 192.168.100.x 10.10.10.x netmask 255.255.255.0

static (inside,outside) 192.168.100.y 10.10.10.y netmask 255.255.255.0

static (inside,outside) 192.168.100.z 10.10.10.z netmask 255.255.255.0
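A complete version of the arrangement discussed in this thread, written here as an added example (it is not configuration from any of the posts), in the pre-8.3 nat/global/static syntax the thread uses. The host addresses 10.10.10.11-13, the ACL and crypto map names, the transform set, the peer address 203.0.113.10 and the pre-shared key are all assumed placeholders. It replaces the dynamic policy NAT plus separate statics with three policy statics: a policy static is bidirectional, so the remote side can initiate connections, and it only applies to traffic destined for 20.20.20.0/24, so the hosts keep whatever translation they already have for everything else. Two practitioner caveats: a host static needs netmask 255.255.255.255 (with 255.255.255.0 the ASA treats it as a network static for the whole /24), and NAT exemption (nat 0 access-list) is evaluated before statics, so an existing exemption covering 10.10.10.0/24 to 20.20.20.0/24 would send untranslated traffic at the crypto ACL.

```cisco
! Added example, not from the original thread. Addresses and names are assumed.
! Policy statics: each host is presented as 192.168.100.x only when it talks
! to the remote LAN, and the translation works in both directions.
access-list HOSTX_TO_REMOTE extended permit ip host 10.10.10.11 20.20.20.0 255.255.255.0
access-list HOSTY_TO_REMOTE extended permit ip host 10.10.10.12 20.20.20.0 255.255.255.0
access-list HOSTZ_TO_REMOTE extended permit ip host 10.10.10.13 20.20.20.0 255.255.255.0
static (inside,outside) 192.168.100.1 access-list HOSTX_TO_REMOTE
static (inside,outside) 192.168.100.2 access-list HOSTY_TO_REMOTE
static (inside,outside) 192.168.100.3 access-list HOSTZ_TO_REMOTE
!
! Do NOT add this flow to a NAT exemption ACL; nat 0 is matched before statics:
!   access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0   <- would break it
!
! The crypto ACL matches the translated (mapped) addresses, which is what the peer sees.
access-list L2L_CRYPTO extended permit ip 192.168.100.0 255.255.255.248 20.20.20.0 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <assumed-key>
!
! Answer to the outside_access_in question: while this default is on, decrypted
! VPN traffic bypasses the outside interface ACL, so no entry is needed there.
sysopt connection permit-vpn
! If permit-vpn is turned off, the outside ACL must permit the mapped addresses,
! because in this release interface ACLs see the addresses as they appear on that interface:
!   access-list outside_access_in extended permit ip 20.20.20.0 255.255.255.0 192.168.100.0 255.255.255.248
```

The remote side's crypto ACL must be the mirror image (20.20.20.0/24 to 192.168.100.0/29) or phase 2 will not come up. To check the result, `packet-tracer input inside tcp 10.10.10.11 1025 20.20.20.5 3389` should show the policy static being hit and the packet leaving encrypted, `show xlate` should list 192.168.100.1 for 10.10.10.11, and `show crypto ipsec sa` should show the encaps/decaps counters increasing in both directions once the remote site initiates a connection.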
