site to site VPN overlapping subnets on Cisco ASA 5540

Jun 23rd, 2009
I am looking for some advice on how to properly set up a site-to-site VPN when there are overlapping subnets, i.e. if you have 172.16.x.x on both sides of the tunnel.

I have set this up before and here's my config, but I'm not sure if this is the best way to do it.


access-list outboundpolicy_NAT extended permit ip 172.31.21.0 255.255.255.128 192.168.0.0 255.255.248.0

static (outside,inside) 192.168.0.0 172.16.0.0 netmask 255.255.248.0
static (inside,outside) 192.168.0.0 access-list outboundpolicy_NAT

On the VPN tunnel, I configured this ACL:

access-list tac-VPN-domain extended permit ip 192.168.0.0 255.255.248.0 172.16.0.0 255.255.248.0

Patrick0711 Tue, 06/23/2009 - 19:03

If both sides are using identical encryption domains, you'll need to:

a.) Configure Policy NAT on both ends of the tunnel

b.) Use a Public <-> Private or Public <-> Public VPN connection

c.) Change the internal subnet of one firewall.

The key thing to remember about option A is that you have to policy NAT on both sides since the subnets are identical:

Example of config on ASA:

access-list Policy_NAT extended permit ip

static (inside,outside) access-list Policy_NAT

access-list crypto_ACL extended permit ip

Also remember that the policy NAT static statement will need to be located above any other static NAT statements.
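As an added illustration (not Patrick0711's or Cisco's configuration), this Python model builds the 8.2-style policy NAT and crypto ACL for both sides of the tunnel, checks that the real and mapped subnets are disjoint, and follows one packet through both translations. It assumes 172.16.0.0/21 as the subnet shared by both sites, 192.168.0.0/21 (taken from the question's config) as site A's mapped range, and 192.168.8.0/21 as an arbitrarily chosen mapped range for site B.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan: both sites really use 172.16.0.0/21 (as in the
# question); each side gets its own mapped /21 that is only ever seen inside the tunnel.
REAL = ip_network("172.16.0.0/21")
MAPPED_A = ip_network("192.168.0.0/21")   # mapped range from the question's config
MAPPED_B = ip_network("192.168.8.0/21")   # assumed mapped range for the remote side

def asa_net(net):
    """ASA-style 'network mask' token for an IPv4 network."""
    return f"{net.network_address} {net.netmask}"

def policy_nat_site(name, real, mapped, peer_mapped):
    """ASA 8.2-style policy NAT for one side (constructed, not the poster's config).

    Only traffic from the real subnet to the peer's mapped subnet is translated
    into this side's mapped subnet; the crypto ACL uses post-NAT addresses only.
    """
    return [
        f"access-list {name}_Policy_NAT extended permit ip {asa_net(real)} {asa_net(peer_mapped)}",
        f"static (inside,outside) {mapped.network_address} access-list {name}_Policy_NAT",
        f"access-list {name}_crypto_ACL extended permit ip {asa_net(mapped)} {asa_net(peer_mapped)}",
    ]

def plan_overlapping_vpn(real, mapped_a, mapped_b):
    """Validate the plan and return both sides' config lines."""
    nets = [real, mapped_a, mapped_b]
    if any(x.overlaps(y) for i, x in enumerate(nets) for y in nets[i + 1:]):
        raise ValueError("real and mapped subnets must be disjoint")
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("mapped subnets must be the same size as the real one")
    return {"A": policy_nat_site("A", real, mapped_a, mapped_b),
            "B": policy_nat_site("B", real, mapped_b, mapped_a)}

def translate(host, src_net, dst_net):
    """Static NAT keeps the host offset and swaps only the network part."""
    return dst_net[int(host) - int(src_net.network_address)]

def trace(src_host, dst_real_host):
    """Follow one packet from a site A host to a site B host through both ASAs."""
    src, dst = ip_address(src_host), ip_address(dst_real_host)
    dst_mapped = translate(dst, REAL, MAPPED_B)    # A must address B's mapped address
    src_mapped = translate(src, REAL, MAPPED_A)    # A's ASA rewrites the source
    dst_real = translate(dst_mapped, MAPPED_B, REAL)  # B's ASA restores the real destination
    return str(src_mapped), str(dst_mapped), str(dst_real)

if __name__ == "__main__":
    for side, lines in plan_overlapping_vpn(REAL, MAPPED_A, MAPPED_B).items():
        print(f"! site {side}\n" + "\n".join(lines))
    print(trace("172.16.0.10", "172.16.0.20"))
```

Note that the two crypto ACLs come out as exact mirrors of each other, which is what the peers need for the proxy identities to match.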
