Site to Site VPN - ASA to PIX - Same Subnet Inside

Answered Question
Dec 6th, 2010

Chaps,


I have an unusual scenario whereby I require a site-to-site VPN tunnel between a version 7 Cisco PIX and a version 8 Cisco ASA which have the same IP subnet at each endpoint. Is it possible to create such a site-to-site tunnel, or will I need to change one of the remote endpoints?


Thanks


Nick

Correct Answer by Federico Coto F... about 6 years 5 months ago

Hi Nicholas,


To allow the traffic to flow through the tunnel when having the same addressing scheme on both ends, you should NAT the VPN traffic.


i.e.

Site A LAN 10.1.1.0/24

Site B LAN 10.1.1.0/24


Site A config:

access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

static (in,out) 192.168.1.0 access-list NAT


access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Site B config:

access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 192.168.2.0 access-list NAT


access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0


The idea is that Site A will be translated to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.


Hope it makes sense.


Federico.
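To make the two-sided translation in Federico's answer concrete, here is an added walkthrough (not part of the original thread, and not a Cisco tool) that models the policy NAT on each firewall and pushes a packet through both. The site definitions are constructed from the networks in the answer; the packet addresses are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    real: ipaddress.IPv4Network          # LAN behind the firewall
    mapped: ipaddress.IPv4Network        # how that LAN appears inside the tunnel
    remote_mapped: ipaddress.IPv4Network # the peer LAN as it appears inside the tunnel

def make_site(real, mapped, remote_mapped):
    """Build a Site from prefix strings."""
    n = ipaddress.ip_network
    return Site(n(real), n(mapped), n(remote_mapped))

# Constructed from the answer's configs: both LANs are 10.1.1.0/24,
# A is translated to 192.168.1.0/24 and B to 192.168.2.0/24 for VPN traffic.
SITE_A = make_site("10.1.1.0/24", "192.168.1.0/24", "192.168.2.0/24")
SITE_B = make_site("10.1.1.0/24", "192.168.2.0/24", "192.168.1.0/24")

def translate(addr, src_net, dst_net):
    """Static net-to-net translation: keep the host part, swap the network part."""
    host = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host)

def outbound(site, src, dst):
    """Policy NAT on the sending firewall (the 'static ... access-list NAT' line).
    Only real-LAN -> peer-mapped flows translate; None means no NAT, no crypto ACL match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in site.real or dst not in site.remote_mapped:
        return None
    return str(translate(src, site.real, site.mapped)), str(dst)

def inbound(site, src, dst):
    """Un-NAT on the receiving firewall: the mapped destination becomes the real host."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in site.remote_mapped or dst not in site.mapped:
        return None
    return str(src), str(translate(dst, site.mapped, site.real))

def end_to_end(sender, receiver, src, dst):
    """(src, dst) as seen by the far-end real host, or None if the packet is not tunnelled."""
    on_wire = outbound(sender, src, dst)
    return None if on_wire is None else inbound(receiver, *on_wire)

def check_design(a, b):
    """Crypto ACLs must mirror each other; mapped ranges must not overlap any LAN or each other."""
    mirrored = a.remote_mapped == b.mapped and b.remote_mapped == a.mapped
    clean = not any(m.overlaps(r) for m in (a.mapped, b.mapped) for r in (a.real, b.real))
    return mirrored and clean and not a.mapped.overlaps(b.mapped)
```

Note that a host at either site must address the peer by its mapped range (192.168.x.y), never by 10.1.1.y, since that address is local and will never reach the tunnel.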
