
Configuring VPN with same subnet on both ends

Anand Narayana
Level 6

I have a Cisco ASA at both locations and wanted to establish a site-to-site VPN with the same subnet. The reason for setting up the same subnet at both locations is that I am planning to set up MS-Exchange Server 2000, one as Primary in Location-A and a Secondary in Location-B; this configuration requires that they sync with each other only when they fall under the same subnet. One server I will be placing in Location-A, and its IP is 192.168.1.1. In Location-B the Secondary MS-Exchange IP is 192.168.1.2. The requirement: when I ping 192.168.1.2 from the Primary Server in Location-A, it has to ping Location-B's MS-Exchange Server.

Any idea how to set up a same-subnet VPN on a Cisco ASA?

8 Replies

andrew.prince
Level 10

Anand,

Never heard of that before and never done it, but you could try splitting the subnet up, say into /128; then you could have one half on site A and the other half on site B.

The routing/VPN devices can handle the traffic. You would just configure a /24 on the server NIC cards, so they would still think they were on the same wire?

HTH.

Hey Andrew,

The answer is so excellent. Thank you so much, I never even thought about this. Thank you so much once again.

Hey Anand,

Not a problem, glad to help - reply to let us know how it goes, and if it works?

Andrew,

Though it seems it might work, there could be a routing issue here, as the packets will stay on one side of the VPN because they will see the Site B Exchange server as locally present.

Saju

Saju,

I have been on vacation. I'm not sure I understand: if Exchange server A is in the site A subnet, and Exchange server B is in the site B subnet, what would see it as locally present?

What I mean is that if you configure a /24 IP address on Exchange server A and it needs to talk to Exchange server B (which has an IP address in the same /24 subnet), then those packets will never go beyond the gateway (the ASA doing IPsec VPN).

Saju

By default "ip proxy-arp" is enabled on routers; if you have not disabled it, the above issue should not be a problem.

From my information you cannot do this kind of setup.

Please also remember that on a Cisco device, connected subnets have a better administrative distance than static routes. So the router/firewall/switch will not take into consideration routing for the /24 over the VPN if the /24 is directly connected.

What you can do is enable parts of that /24 over the VPN (as /25, /26 ... /32) and locally configure a subnet that is also smaller than /24, so that no overlap takes place.

Please rate if this helped.

Regards,

Daniel
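
The forwarding behaviour discussed in this thread, as an added example that is not part of any poster's reply: it uses Python's `ipaddress` module to check whether a server treats its peer as on-link, whether two site subnets overlap, and at which prefix length two addresses first separate. The function names and the address 192.168.1.130 are constructed for illustration; 192.168.1.1 and 192.168.1.2 are the addresses from the question.

```python
import ipaddress

def is_on_link(host_if: str, dst: str) -> bool:
    """True if a host configured as host_if (e.g. '192.168.1.1/24') treats dst
    as directly connected, so it ARPs for dst instead of using its gateway."""
    iface = ipaddress.ip_interface(host_if)
    return ipaddress.ip_address(dst) in iface.network

def sites_overlap(site_a: str, site_b: str) -> bool:
    """True if the connected subnets of the two sites overlap, the case in
    which the connected route is preferred over a route toward the VPN."""
    return ipaddress.ip_network(site_a).overlaps(ipaddress.ip_network(site_b))

def shortest_separating_prefix(ip_a: str, ip_b: str) -> int:
    """Shortest prefix length at which ip_a and ip_b land in different subnets."""
    a = int(ipaddress.ip_address(ip_a))
    b = int(ipaddress.ip_address(ip_b))
    if a == b:
        raise ValueError("addresses are identical")
    common_bits = 32 - (a ^ b).bit_length()   # length of the shared prefix
    return common_bits + 1

def site_subnets(ip_a: str, ip_b: str):
    """Non-overlapping subnets, one per site, at the shortest separating prefix."""
    plen = shortest_separating_prefix(ip_a, ip_b)
    return (ipaddress.ip_interface(f"{ip_a}/{plen}").network,
            ipaddress.ip_interface(f"{ip_b}/{plen}").network)

if __name__ == "__main__":
    a, b = "192.168.1.1", "192.168.1.2"       # addresses from the question
    # /24 on both NICs: the peer looks local, traffic never reaches the ASA.
    print("on-link with /24:", is_on_link(f"{a}/24", b))
    # A /25 mask does not help with these two addresses: both sit in the lower half.
    print("on-link with /25:", is_on_link(f"{a}/25", b))
    print("first separating prefix:", shortest_separating_prefix(a, b))
    print("per-site subnets:", site_subnets(a, b))
    # Constructed alternative: readdress the second server into the upper /25.
    c = "192.168.1.130"
    print("on-link with /25 after readdressing:", is_on_link(f"{a}/25", c))
    print("halves overlap:", sites_overlap("192.168.1.0/25", "192.168.1.128/25"))
```

With the addresses from the question, the two servers share every subnet up to /30 and first separate at /31, so a /25 split removes the overlap only if one server is readdressed into the other half.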
