site to site VPN overlapping subnets on Cisco ASA 5540


I am looking for some advice on how to properly set up a site to site VPN when there are overlapping subnets.


i.e. if you have 172.16.x.x on both sides of the tunnel.


I have set this up before and here's my config but I'm not sure if this is the best way to do it.


access-list outboundpolicy_NAT extended permit ip 172.31.21.0 255.255.255.128 192.168.0.0 255.255.248.0


static (outside,inside) 192.168.0.0 172.16.0.0 netmask 255.255.248.0

static (inside,outside) 192.168.0.0 access-list outboundpolicy_NAT


On the VPN tunnel, I configured this ACL:


access-list tac-VPN-domain extended permit ip 192.168.0.0 255.255.248.0 172.16.0.0 255.255.248.0

Patrick0711 Tue, 06/23/2009 - 19:03

If both sides are using identical encryption domains, you'll need to:


a.) Configure Policy NAT on both ends of the tunnel


b.) Use a Public <-> Private or Public <-> Public VPN connection


c.) Change the internal subnet of one firewall.



The key thing to remember about option A is that you have to policy NAT on both sides since the subnets are identical:


Example of config on ASA:


access-list Policy_NAT extended permit ip


static (inside,outside) access-list Policy_NAT


access-list crypto_ACL extended permit ip


Also remember that the policy NAT static statement will need to be located above any other static NAT statements.
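Option A carried through on both ends, as an added example that is not from the original thread. All addresses, object names, peer IPs and the key are hypothetical; the syntax is the pre-8.3 ASA form used in the thread. Each side keeps its real 172.16.0.0/21 but presents a distinct mapped range to the peer, so neither firewall ever sees the other's real subnet.

```cisco
! ---- Side A: real LAN 172.16.0.0/21, presented to Side B as 192.168.0.0/21 ----
! Side B's hosts are reached from here as 192.168.8.0/21 (B's mapped range)
! Policy NAT ACL: translate the real source only for traffic bound to B's mapped range
access-list Policy_NAT extended permit ip 172.16.0.0 255.255.248.0 192.168.8.0 255.255.248.0
! Policy static must be listed above any other static statements
static (inside,outside) 192.168.0.0 access-list Policy_NAT
! Crypto ACL (encryption domain) references mapped addresses on both ends
access-list crypto_ACL extended permit ip 192.168.0.0 255.255.248.0 192.168.8.0 255.255.248.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address crypto_ACL
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK

! ---- Side B: real LAN 172.16.0.0/21, presented to Side A as 192.168.8.0/21 ----
! Mirror image of Side A: source is the real subnet, destination is A's mapped range
access-list Policy_NAT extended permit ip 172.16.0.0 255.255.248.0 192.168.0.0 255.255.248.0
static (inside,outside) 192.168.8.0 access-list Policy_NAT
! Crypto ACL is the exact mirror of Side A's, again using only mapped addresses
access-list crypto_ACL extended permit ip 192.168.8.0 255.255.248.0 192.168.0.0 255.255.248.0
crypto map outside_map 10 match address crypto_ACL
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
```

Because a policy static is bidirectional, each ASA also untranslates inbound packets addressed to its mapped range back to the real 172.16.x host, so no separate outside static is needed; `show xlate` and `show crypto ipsec sa` confirm that only the 192.168.x ranges appear in the translations and in the tunnel's proxy identities.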
