Solved: Site to Site VPN - ASA to PIX - Same Subnet Inside

Nicholas Beard · ‎12-06-2010

Chaps,

I have an unusual scenario whereby i require a site to site vpn tunnel between a version 7 cisco pix and a version 8 cisco asa which have the same ip subnet at each endpoint. Is it possible to create such a site to site tunnel or will i need to change one of the remote endpoints?

Thanks

Nick

Federico Coto Fajardo · ‎12-06-2010

Hi Nicholas,

To allow the traffic to flow through the tunnel when having the same addressing scheme on both ends, you should NAT the VPN traffic.

ie.

Site A LAN 10.1.1.0/24

Site B LAN 10.1.1.0/24

Site A config:

access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

static (in,out) 192.168.1.0 access-list NAT

access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Site B config:

access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

static (in,out) 192.168.2.0 access-list NAT

access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The idea is that Site A will be translatefd to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.

Hope it makes sense.

Federico.

View solution in original post

Federico Coto Fajardo · ‎12-06-2010