Site to Site VPN same network

Unanswered Question
Sep 16th, 2009

I have an ASA5520 running 8.0.4. I need to create a tunnel with a vendor using the same internal network as we are. They are unable to NAT on their side. I would like both sides to be able to bring up the tunnel. They are using 10.2.x.x/16 as their internal network, as are we. The interesting traffic on my side would come from the nodes 10.0.194.1 and 10.0.194.5. How do I configure my side of the tunnel to get this to work?

Thanks,

Keith

ggilbert Thu, 09/17/2009 - 08:57

Hello Keith,

I read through your question and it seems like your side will need to encrypt only the 10.0.194.4 and 10.0.194.5 hosts to the remote peer 10.2.x.x/16.

So, you should be able to bring up the tunnel and pass traffic without any issues.

If they have the same network 10.0.194.x on their end as well, then you can do something called policy NAT.

Please look at the link given below:

http://tinyurl.com/2ej2es

OR

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

In the above example, the 192.168.1.0 network on the PIX-A side is policy NATed to 172.18.1.0 when the traffic is meant for the 10.1.0.0/24 network.

**********

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0

static (inside,outside) 172.18.1.0 access-list policy-nat

********************

Hope this helps.

Thanks

Gilbert

ancarr@northoaks.org Thu, 09/17/2009 - 09:03

We use the 10.2.x.x network internally already. So I can't route traffic destined for 10.2.x.x to a different location.

Thanks,

Keith
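As an added illustration (not code from the thread or from Cisco), the following Python checks which side of the tunnel actually collides with the peer's range, picks a mapped range that is free on both sides, and emits pre-8.3 ASA policy NAT lines in the same shape as the access-list/static pair in Gilbert's reply. The local LAN list, the candidate mapped ranges and the crypto ACL name are assumptions.

```python
import ipaddress

def net(s):
    """Parse a host or prefix string into a network object."""
    return ipaddress.ip_network(s, strict=False)

def overlap_report(local_hosts, local_lans, remote_net):
    """Say which side collides: interesting local sources vs the remote
    range (addressed by the reply's source-side policy NAT), or local LANs
    vs the remote range (inside hosts cannot reach the peer without some
    translation, which is the problem Keith raises in his follow-up)."""
    remote = net(remote_net)
    return {
        "source_overlap": [h for h in local_hosts if net(h).overlaps(remote)],
        "destination_overlap": [l for l in local_lans if net(l).overlaps(remote)],
    }

def free_mapped_range(local_lans, remote_net, candidates):
    """Return the first candidate mapped range unused locally and by the peer."""
    used = [net(x) for x in local_lans] + [net(remote_net)]
    for cand in candidates:
        if not any(net(cand).overlaps(u) for u in used):
            return cand
    return None

def policy_nat_lines(real_src, mapped_src, remote_net,
                     acl="policy-nat", vpn_acl="vpn-traffic"):
    """Emit pre-8.3 ASA lines in the shape of the reply's example. The crypto
    ACL (name assumed) must match the mapped source, because on these
    releases NAT is applied before traffic is compared with the crypto map."""
    r, m, d = net(real_src), net(mapped_src), net(remote_net)
    if r.prefixlen != m.prefixlen:
        raise ValueError("real and mapped ranges must be the same size")
    return [
        f"access-list {acl} extended permit ip {r.network_address} {r.netmask} "
        f"{d.network_address} {d.netmask}",
        f"static (inside,outside) {m.network_address} access-list {acl}",
        f"access-list {vpn_acl} extended permit ip {m.network_address} {m.netmask} "
        f"{d.network_address} {d.netmask}",
    ]

if __name__ == "__main__":
    # Constructed inputs: Keith's two hosts, an assumed local LAN list that
    # includes the 10.2.0.0/16 he uses internally, and the vendor's 10.2.0.0/16.
    lans = ["10.2.0.0/16", "10.0.194.0/24"]
    print(overlap_report(["10.0.194.1", "10.0.194.5"], lans, "10.2.0.0/16"))
    print(free_mapped_range(lans, "10.2.0.0/16", ["10.2.100.0/24", "172.18.1.0/24"]))
    print("\n".join(policy_nat_lines("192.168.1.0/24", "172.18.1.0/24", "10.1.0.0/24")))
```

Running it reproduces the two lines from the reply for the 192.168.1.0/24 case and shows that Keith's hosts do not overlap the peer as sources, while his 10.2.0.0/16 LAN does as a destination.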
