IPSEC VPN Connections with overlapping remote site addresses

mitchen (Level 2)

We have an ASA at our head office which terminates the IPSEC VPN connections from our ADSL connected remote offices.

We have the situation where some of our head office users require access to systems on a 3rd party site. We would like to simply set up an IPSEC VPN connection to this 3rd party site in a similar way as we do with our own remote offices.

The problem is, the internal private addressing used by the 3rd party overlaps with the private addressing used at some of our remote sites.

e.g. we have something like this:

Head Office subnet - 192.168.x.x

Remote Office 1 - 10.1.x.x

Remote Office 2 - 10.2.x.x

Remote Office 3 - 10.3.x.x

3rd Party Office - 10.x.x.x

It would only be the head office that would require connectivity with the 3rd party office. However, the head office also requires access to our similarly addressed remote offices. Is there any way we can achieve this connectivity without having to re-address the sites and without disrupting connectivity to the remote offices?

Any suggestions?

5 Replies

andrew.prince (Level 10)

The ASA allows policy-based NAT.

You configure a static NAT entry that relies on an ACL.

The ACL is the source of your network/device to the remote 3rd party host/network.

You then configure an interesting-traffic ACL with the source NAT address to the remote 3rd party.

HTH>

mulatif (Cisco Employee)

Hi,

This might help

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

This is for two IOS routers but you will apply the same NAT principles on the ASA by using the 'static...' statement.

Thanks,

Naman

Andrew - thanks, could you expand on your suggestion some more?

Naman - thanks, I'm not sure exactly how to apply that to this particular situation though. (The head office subnet doesn't actually overlap with the 3rd party subnet; it's some of our remote sites that do. I don't want to disrupt connectivity from head office to the remote sites though.)

Ahhh, I re-read your post and my suggestion was for something different, but it still kinda holds true.

You could do a policy-based NAT on the remote 3rd party into your network, but I would think a static 1-to-1 should do the trick.

But I would try something like:-

static (outside,inside) x.x.x.x y.y.y.y netmask z.z.z.z

x.x.x.x = NAT address you would like that does NOT conflict on your network, like 192.168.1.1

y.y.y.y = real 3rd party IP address, like 10.1.1.1

z.z.z.z = network subnet mask, like a specific host 255.255.255.255

so the above would read:-

static (outside,inside) 192.168.1.1 10.1.1.1 netmask 255.255.255.255

If the remote 3rd party has multiple addresses you could do multiple static NAT statements or NAT the whole network range.

Then once you have NAT'd the remote end, your VPN ACL would just use a destination IP address of the NAT'd IP, not the real IP.

HTH>

You will need to double nat to get return traffic to your remote sites.
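As an added worked example (not taken from this thread or from any poster), here is the policy/double NAT approach described above written in the ASA 8.3+ object and twice-NAT syntax rather than the older `static (outside,inside)` command quoted earlier. Only 192.168.x.x for head office and 10.1.x.x for Remote Office 1 come from the thread; the third-party subnet 10.1.1.0/24, the mapped ranges 172.16.0.0/16 and 172.31.1.0/24, the object and map names, the peer addresses and the transform-set name are all assumed. Two facts about the ASA decide the design: NAT is applied before the crypto map, so the third-party crypto ACL must carry the third party's real 10.1.1.0/24 as destination; and because that destination also falls inside Remote Office 1's 10.1.0.0/16, the only field left that lets the crypto map tell the two tunnels apart is the translated head-office source. That is why the head office is source-translated even though its own range does not overlap anything, which is the "double NAT" the last reply refers to.

```cisco
! Added example: ASA 8.3+ twice NAT for a third-party site whose addressing
! overlaps an existing remote office. Names, mapped ranges and peer IPs are
! assumed; only 192.168.x.x (head office) and 10.1.x.x (Remote Office 1)
! come from the thread.

! Real and mapped head-office ranges (a static mapped range must match in size)
object network HO_REAL
 subnet 192.168.0.0 255.255.0.0
object network HO_MAPPED
 subnet 172.16.0.0 255.255.0.0

! Third-party subnet as it really is, and as head-office users will address it
object network TP_REAL
 subnet 10.1.1.0 255.255.255.0
object network TP_MAPPED
 subnet 172.31.1.0 255.255.255.0

! Remote Office 1 genuinely uses 10.1.0.0/16 and must keep working unchanged
object network RO1
 subnet 10.1.0.0 255.255.0.0

! Double NAT: a head-office host sending to 172.31.1.x is rewritten to
! source 172.16.x.x / destination 10.1.1.x before the crypto map is consulted.
! Return traffic matches the existing connection and is reversed automatically.
nat (inside,outside) source static HO_REAL HO_MAPPED destination static TP_MAPPED TP_REAL

! Identity (NAT-exempt) rule for the existing remote-office tunnel so that
! head-office traffic to the real 10.1.x.x is never translated.
nat (inside,outside) source static HO_REAL HO_REAL destination static RO1 RO1

! Crypto ACLs are evaluated AFTER NAT, so they carry post-NAT addresses.
! The two entries no longer overlap because their sources differ.
access-list VPN_THIRDPARTY extended permit ip object HO_MAPPED object TP_REAL
access-list VPN_RO1 extended permit ip object HO_REAL object RO1

! Crypto map entries; the third-party entry gets the lower sequence number.
! Peer addresses are documentation-range placeholders. IKEv1 policy,
! transform set and tunnel-groups are configured exactly as for the existing
! remote-office tunnels (the ikev1 keyword assumes ASA 8.4 or later).
crypto map OUTSIDE_MAP 10 match address VPN_THIRDPARTY
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_RO1
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The third party must configure its side of the tunnel with 172.16.0.0/16 as the remote network, since that is the only head-office address it will ever see. To confirm the head-office ASA picks the right tunnel, run `packet-tracer input inside tcp 192.168.1.10 1025 172.31.1.5 443` and check that the NAT phase shows the double translation and the VPN phase selects the VPN_THIRDPARTY entry, then repeat with a 10.1.x.x destination and confirm it stays untranslated and selects VPN_RO1. If the third party is willing to translate its own subnet to a range unique within your network before it enters the tunnel, none of the NAT above is needed on the head-office ASA: a plain crypto ACL to that unique range suffices.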