VLANs with Site-to-Site connections

james.king14
Level 1

All,

I have a quick question which is a source of discussion at the office. I contend that when VLAN information is sent through a site-to-site connection and is NATted, there is no need for the other end to have the same VLAN information on the firewall. Am I correct? If not, why?

5 Replies

Aditya Ganjoo
Cisco Employee

Hi James,

By VLAN information I understand you are referring to the subnet used on one end.

As a rule of thumb for VPN, the two sides should not have overlapping subnets.

To overcome this, we usually NAT the real traffic at one end to a different IP/subnet.

Here is the config example:

https://supportforums.cisco.com/document/51491/asa-bi-directional-overlapping-nat-example-configuration

Regards,

Aditya

Please rate helpful posts.
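The following Python is an added illustration of the rule in this reply (it is not code from the linked Cisco document or from Cisco): it checks two sites' subnets for overlap and models the static one-to-one NAT to a unique mapped subnet that the reply describes. All subnet values are constructed.

```python
"""Why overlapping subnets break a site-to-site VPN, and how static
one-to-one NAT to a unique mapped subnet on each side fixes it.
Added example; all subnet values below are constructed."""
import ipaddress

# Constructed scenario: both sites use 192.168.1.0/24 internally.
SITE_A_REAL = ipaddress.ip_network("192.168.1.0/24")
SITE_B_REAL = ipaddress.ip_network("192.168.1.0/24")
# Unique mapped subnets that each side presents across the tunnel.
SITE_A_MAPPED = ipaddress.ip_network("10.10.10.0/24")
SITE_B_MAPPED = ipaddress.ip_network("10.10.20.0/24")


def overlaps(local_nets, remote_nets):
    """Return the (local, remote) pairs that overlap. Any such pair is a
    problem: a packet for that range cannot be attributed to one site."""
    return [(l, r) for l in local_nets for r in remote_nets if l.overlaps(r)]


def static_nat(addr, real_net, mapped_net):
    """One-to-one static NAT: the host keeps its offset inside the subnet.
    Calling it with the subnets swapped performs the reverse translation."""
    addr = ipaddress.ip_address(addr)
    if addr not in real_net or real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("address outside real subnet or prefix mismatch")
    offset = int(addr) - int(real_net.network_address)
    return ipaddress.ip_address(int(mapped_net.network_address) + offset)


def tunnel_plan():
    """Crypto-ACL subnets each side should use after NAT, plus a check
    that they no longer overlap and that a host round-trips correctly."""
    before = overlaps([SITE_A_REAL], [SITE_B_REAL])
    after = overlaps([SITE_A_MAPPED], [SITE_B_MAPPED])
    # Host 192.168.1.10 at site A as seen from site B, and back again.
    seen_by_b = static_nat("192.168.1.10", SITE_A_REAL, SITE_A_MAPPED)
    back = static_nat(seen_by_b, SITE_A_MAPPED, SITE_A_REAL)
    return {
        "overlap_before_nat": bool(before),
        "overlap_after_nat": bool(after),
        "site_a_acl": str(SITE_A_MAPPED),
        "site_b_acl": str(SITE_B_MAPPED),
        "host_as_seen_by_b": str(seen_by_b),
        "round_trip_ok": back == ipaddress.ip_address("192.168.1.10"),
    }


if __name__ == "__main__":
    for key, value in tunnel_plan().items():
        print(f"{key}: {value}")
```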

The document is a good answer to that question, but I need more clarity. So if I NAT everything through the site-to-site tunnel, an IP address from an ISP connection would work. That brings me back to my initial question: since I have this ISP with a different IP, do I need to send my VLAN information to the core router?

Hi James,

Could you please elaborate on your requirement and give an example to explain the problem you want to discuss?

It would help in suggesting an apt solution.

RS

Hi Rishabh,

I am having an issue with routing over a S2S VPN. I have several tunnels and am trying to add a device. I put an ACL on the switch and added a statement to allow communications within the tunnel, yet I cannot see the device at the remote end.

I guess my real question is: with me using this base configuration at many sites, will it cause a routing loop? Since I will be sourcing the VLAN (250) from the FW and from the remote router, will the tunnel not see the IP address of VLAN 250?
