I want to know if it is possible to create a VPN where the remote and local networks are the same, and what requirements this has.


svelasquez Tue, 09/08/2009 - 06:28

OK, but when I make a policy NAT I translate my LAN network to another IP that by routing can access the remote network, but in my case I need this

I have an ASA 5505 and a 1700 router; they make the VPN and it works fine. My ASA has the LAN and the 1700 the . The thing is that I need to change the network in the ASA to , and both branches must have communication.

I hope that is clear.


JORGE RODRIGUEZ Tue, 09/08/2009 - 07:27

Sebastian, I misunderstood your initial post.

You are saying that you currently have dissimilar LANs, yours being and the other end is , and the VPN tunnel is fine.

But your requirement is to have both ends be the same network? If so you will have overlapping networks; even if you use policy NAT to present your from the ASA as network, it is not going to work.

Is there a reason behind your requirements to have both LANs over the tunnel be the same?

svelasquez Tue, 09/08/2009 - 07:39

Jorge, that's right.

I have dissimilar LANs with and , and in that case the tunnel is fine.

The reason I need to change the LAN network in the ASA is because in the remote network there is an ISP that has the routes to access remote networks and has not authorized the creation of a static route to know the network of the ASA through the tunnel, so I think that if I create a tunnel having the same networks it can work.


JORGE RODRIGUEZ Tue, 09/08/2009 - 08:02

Understood, but what routes do you require in the far router? Are you referring to requiring static routes to get to other networks behind your ASA through that tunnel?

svelasquez Tue, 09/08/2009 - 08:23

The far router manages the routes to other cities that I need to access, and since they don't create the route to know the network behind the tunnel I can't access the other cities, so if I could have the same network address in the ASA LAN I can route how I need.

JORGE RODRIGUEZ Tue, 09/08/2009 - 08:54

I think I'm understanding your topology. In your current L2L tunnel you should be able to add those networks the router connects to into your IPsec policy interesting traffic and be able to access those networks from the ASA side. Have you tried adding those remote networks in your IPsec policy?

svelasquez Tue, 09/08/2009 - 12:18

Well, but if I add the routes in the tunnel and the far router has no routes to return the information, I won't see the remote networks.

Example: ASA: 1700: FARouter: Another net:

If the route add command does not exist in the FARouter I have no chance of accessing the , or I don't see how, through the tunnel.

Or if you can explain more to me, I'd appreciate it.

JORGE RODRIGUEZ Tue, 09/08/2009 - 14:36

Do you have a simple graph you can post so we can see the topology? I'm confused. If the FARouter1700 is routing net that is directly connected to that router, say from another interface, I still do not believe you have to place a route there for that router to know about ASA .

The FarRouter1700 already routes net , and I believe by putting network in your tunnel policy access list, ASA_192.168.2.0 should be able to talk to that network.

Now, if is not a directly connected network to the 1700 but is being routed via another interface from the 1700 router's remote network, then I could say you will need a route on that far-end router where actually resides, pointing to the 1700 router...

How is network learned at the 1700 router? Again, if you could post a simple diagram that would help.

I think what you are trying to do is to place that static route in the 1700 series so it can propagate to other remote networks off the 1700?

svelasquez Tue, 09/08/2009 - 15:10

I have the second case:

> Now, if is not a directly connected network to the 1700 but is being routed via another interface from the 1700 router's remote network, then I could say you will need a route on that far-end router where actually resides, pointing to the 1700 router...

But the problem is that the admins of the other router have not authorized the creation of the route to go to my ASA network, so I can't access the network.

JORGE RODRIGUEZ Tue, 09/08/2009 - 19:09

Sebastian, thanks for the diagram. That indeed is a big problem, not being able to place a route pointing to as seen in the diagram. With that static route there, in addition to adding in the tunnel policy, I could be very sure ASA_192.168.2.0 will talk to that network. Can you present to your management the need to have that done and escalate to the ISP if the router is not managed by you?

Let's say the above static routes cannot be put in place anyhow.

I'm thinking that maybe, just maybe, you could allocate/reserve an IP from the 192.168.1.x net, say , to not be in any way used in this network, and use that IP in the ASA to PAT network from the ASA side when going to . But to be honest I don't know if it will actually work; I could be totally wrong with this scenario, and additionally it will change the whole spectrum of your current tunnel config and could end up with a non-working scenario. I would have to lab this out but do not have the time at this moment, and would not recommend going any other way to make this simple. Your best bet is placing those routes as you have originally thought: a route via and an ACL tailored in the tunnel policy should do the trick.

Perhaps other netpros may share some other thoughts on this.
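As an added example, not from this thread or from Cisco, the following Python script checks the two things the discussion keeps coming back to: whether the ASA-side LAN overlaps any network on the far side of the L2L tunnel (Jorge's objection to making both ends the same network), and whether a proposed policy-NAT translation actually removes that overlap rather than re-creating it inside the far side's address space (the later PAT-from-192.168.1.x idea). It uses only the standard `ipaddress` module; the sample networks at the bottom are constructed for illustration and are not the addresses from the original posts, which were lost in this copy of the thread.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPNet = ipaddress.IPv4Network


def parse(cidrs: Iterable[str]) -> List[IPNet]:
    """Parse CIDR strings; strict=False tolerates host bits (e.g. '192.168.1.1/24')."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def overlapping_pairs(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (local, remote) subnet pair whose address ranges overlap.

    A non-empty result means a plain L2L tunnel cannot carry the traffic as-is:
    a host on one side cannot tell whether a destination address is on its own
    LAN or behind the tunnel, and the far side has the same ambiguity on return.
    """
    found = []
    for l in parse(local):
        for r in parse(remote):
            if l.overlaps(r):
                found.append((str(l), str(r)))
    return found


def policy_nat_check(real_local: str, translated: str,
                     remote: Iterable[str]) -> Tuple[bool, List[str]]:
    """Validate a policy-NAT plan in which the ASA presents `translated`
    instead of `real_local` to everything on the far side of the tunnel.

    Returns (ok, problems). The three conditions checked:
      1. the translated network must not overlap the real LAN (otherwise the
         translation changes nothing for the overlapping addresses);
      2. a one-to-one network translation needs a pool at least as large as
         the real LAN (a /25 cannot represent every host of a /24);
      3. the translated network must not overlap any far-side network, or the
         far side is back to the same ambiguity the NAT was meant to remove.
    """
    real = ipaddress.ip_network(real_local, strict=False)
    xlat = ipaddress.ip_network(translated, strict=False)
    problems = []
    if xlat.overlaps(real):
        problems.append(f"translated {xlat} overlaps the real LAN {real}")
    if xlat.prefixlen > real.prefixlen:
        problems.append(f"translated {xlat} is smaller than the real LAN {real}")
    for r in parse(remote):
        if xlat.overlaps(r):
            problems.append(f"translated {xlat} overlaps far-side network {r}")
    return (not problems, problems)


def tunnel_plan(local: str, remote: Iterable[str], translated: str = None) -> dict:
    """Summarise what the tunnel's interesting-traffic source should be.

    Without policy NAT the source is the real LAN and any overlap is fatal.
    With policy NAT the source must be the translated network, because the
    translation is what the far side sees inside the tunnel.
    """
    if translated is None:
        clashes = overlapping_pairs([local], remote)
        return {"source": local, "ok": not clashes, "problems": clashes}
    ok, problems = policy_nat_check(local, translated, remote)
    return {"source": translated, "ok": ok, "problems": problems}


if __name__ == "__main__":
    # Constructed sample topology (not the thread's real addresses):
    # far-side LAN plus one "other city" network routed by the far router.
    FAR_SIDE = ["192.168.1.0/24", "10.50.0.0/16"]

    # Same network on both ends, no NAT: overlap is reported.
    print(tunnel_plan("192.168.1.0/24", FAR_SIDE))
    # Same network on both ends, policy NAT to an unused range: clean.
    print(tunnel_plan("192.168.1.0/24", FAR_SIDE, translated="10.200.1.0/24"))
    # Policy NAT that lands inside a far-side network: flagged.
    print(tunnel_plan("192.168.1.0/24", FAR_SIDE, translated="10.50.7.0/24"))
```

The point of `tunnel_plan` is the last line of its docstring: once policy NAT is in play, the crypto-map access list on the ASA has to match the translated source, not the real LAN, so the check reports which network should appear there. Anything the script flags would also need a route on the far-side router back to the translated network, which is exactly the route the thread says the ISP would not add.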



