vpn between 2 offices with vlans

acleri
Level 1

Hi,

we have a remote office that is connected to our network with a laser bridge; this bridge transports several VLANs as a trunk.

One of the lasers is now out of service and, considering that they are really expensive, we want to replace this connection with a VPN.

In our head office we have a cisco asa cluster in failover and now we bought a new cisco asa for the branch office.

In the remote office we have several VLANs that should be connected with the VLANs in the head office, and we want to avoid changing the IP addressing.

To summarize: I need to connect 2 offices that until now were connected at Layer 2 with a wireless bridge trunk, using a new VPN on Cisco ASA, without having to change the IP addresses in the remote office, so that a PC in the remote office on vlan10 with address 10.0.0.10 should be able to contact a server in the head office in vlan10 with IP address 10.0.0.1.

Is this scenario possible?

thanks

10 Replies

Hi,

I don't see why you can't keep your current IP addressing scheme.

You're going to migrate to a L2L tunnel between the ASAs in the main office and an ASA in the branch office.

What networks do you have on each side that need to communicate through the tunnel?

How is your current IP scheme?

Federico.

Hi Ricardo,

In the remote office I have 3 VLANs:

vlan10 172.10.0.0/24

vlan20 172.20.0.0/24

vlan30 172.30.0.0/24

The same vlans with same addresses exist on the branch offices.

I can't understand how, for example, a client on vlan10 with IP address 172.10.0.10/24 in the remote office can communicate with a server in the same VLAN with address 172.10.0.1/24, considering that they are in the same subnet: the client request will remain on the same VLAN and not be forwarded to the ASA.

It would be perfect if I could create an L2 bridge between the offices using the ASA, like the lasers, but from my knowledge this is not possible?

How can I solve it?

Andrea

Who's Ricardo?  ;-)

Remote Office:
vlan10 172.10.0.0/24
vlan20 172.20.0.0/24
vlan30 172.30.0.0/24

Branch Offices:
vlan10 172.10.0.0/24
vlan20 172.20.0.0/24
vlan30 172.30.0.0/24

The way to solve the overlapping issue is to configure NAT through the tunnel.
The idea is to NAT on both sides, so that each side will think that the remote VLAN is a different subnet.

i.e.
Remote Office:
vlan10 10.10.0.0/24
vlan20 10.20.0.0/24
vlan30 10.30.0.0/24

Branch Offices:
vlan10 10.40.0.0/24
vlan20 10.50.0.0/24
vlan30 10.60.0.0/24

In this way you can have communication through the tunnel without overlapping problems.

Federico.

Hi Federico ;-)

but with this configuration, the client in the remote office 172.10.0.100 that wants to connect to the server in the head office at 172.10.0.1 should now address the request to 10.10.0.1, so that it is forwarded to the ASA?

Yes.

If the client on the remote office 172.10.0.100 still sends requests to the server in the head end 172.10.0.1, the traffic is going to stay locally and not sent through the tunnel as you mentioned.

So, in order to allow communication between overlapping remote networks, you should NAT the traffic.

Federico.
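The following is an added configuration example for the NAT-through-the-tunnel approach described in Federico's replies; it is not part of this thread and not a Cisco reference configuration. It shows VLAN10 only (VLAN20 and VLAN30 repeat the same pattern with their own mapped subnets) and uses ASA 8.3+ twice-NAT syntax. Assumptions: the interfaces are named `inside` and `outside`, the crypto map is called `OUTSIDE_MAP`, the IKE policy, peer and transform-set configuration of the L2L tunnel are already in place, and, following the exchange above where the remote client reaches the head-office server at 10.10.0.1, the head-office VLAN10 is presented to the remote office as 10.10.0.0/24 while the remote VLAN10 is presented to the head office as 10.40.0.0/24 (the Remote/Branch labels in the earlier post are ambiguous, so this mapping is an assumption). All object names are invented for the example.

```cisco
! ===== Remote office ASA (added example) =====
! Real address of the local VLAN10 and the address the head office will see it as
object network REMOTE_VLAN10_REAL
 subnet 172.10.0.0 255.255.255.0
object network REMOTE_VLAN10_MAPPED
 subnet 10.40.0.0 255.255.255.0
! Head-office VLAN10 as the remote side sees it (the HQ ASA does that translation)
object network HQ_VLAN10_MAPPED
 subnet 10.10.0.0 255.255.255.0

! Twice NAT: only when a local 172.10.0.x host talks to 10.10.0.y is the source
! rewritten to 10.40.0.x. Traffic to a local 172.10.0.y host never reaches the ASA,
! which is exactly why the clients must be pointed at the mapped 10.10.0.0/24 addresses.
! 'static' is bidirectional, so replies to 10.40.0.x are translated back on the way in.
nat (inside,outside) source static REMOTE_VLAN10_REAL REMOTE_VLAN10_MAPPED destination static HQ_VLAN10_MAPPED HQ_VLAN10_MAPPED

! The crypto ACL must match the POST-NAT (mapped) addresses on both ends
access-list VPN_TO_HQ extended permit ip 10.40.0.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_HQ

! ===== Head office ASA (added example) =====
object network HQ_VLAN10_REAL
 subnet 172.10.0.0 255.255.255.0
object network HQ_VLAN10_MAPPED
 subnet 10.10.0.0 255.255.255.0
object network REMOTE_VLAN10_MAPPED
 subnet 10.40.0.0 255.255.255.0

! Mirror image of the remote rule: inbound tunnel traffic to 10.10.0.y is untranslated
! to 172.10.0.y, and the server's reply source 172.10.0.y becomes 10.10.0.y again.
nat (inside,outside) source static HQ_VLAN10_REAL HQ_VLAN10_MAPPED destination static REMOTE_VLAN10_MAPPED REMOTE_VLAN10_MAPPED

access-list VPN_TO_REMOTE extended permit ip 10.10.0.0 255.255.255.0 10.40.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
```

Packet walk for the case discussed in the thread: the remote client 172.10.0.100 sends to 10.10.0.1, the remote ASA rewrites it to 10.40.0.100 -> 10.10.0.1 and encrypts it because it matches `VPN_TO_HQ`; the head-office ASA decrypts it, rewrites the destination to 172.10.0.1 and delivers it to the server, which replies to 10.40.0.100; that reply is rewritten to 10.10.0.1 -> 10.40.0.100, sent through the tunnel, and turned back into 10.10.0.1 -> 172.10.0.100 by the remote ASA. Two checks worth doing after applying this: `show nat` on each ASA should show hits on the twice-NAT rule for tunnel traffic only, and the client must be given 10.10.0.1 (for example via DNS) rather than 172.10.0.1, since traffic to the real address is answered on the local VLAN and never reaches the firewall.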

OK, clear! It would be best to have the same L2 trunk between the offices using a VPN.

Do you know a solution that is able to provide an L2 VPN?

Andrea

What is your current WAN connections between your offices?
For example, if you have Frame-Relay or L2 MPLS, you can communicate with L2 VPNs.
It will depend on the WAN media that you have.

Federico.

Our WAN links are simple DSL connections.

I took a look at the EasyVPN solution, but it seems it is not possible to implement an L2 VPN.

EzVPN is still IPsec (which is L3 by all means).
L2 VPNs are only possible over L2 WANs like Frame-Relay and ATM.
I would suggest since you have DSL connections to go with the L3 IPsec VPNs and NAT the traffic.
Is this not an option for you?

Federico.

I'll follow your suggestion.

Federico, many thanks for your help.

Ciao.

Andrea