05-03-2016 07:13 AM - edited 03-12-2019 12:41 AM
All,
I have a quick question which is a source of discussions at the office. I contend that when VLAN information is sent through a site-to-site connection and is NATed, there is no need for the other end to have the same VLAN information on the firewall. Am I correct? If not, why?
05-03-2016 07:31 AM
Hi James,
From VLAN
As a rule of thumb for VPN, both sides should not have overlapping subnets.
To overcome this we usually NAT the real traffic at one end to a different IP/subnet.
Here is the config example:
https://supportforums.cisco.com/document/51491/asa-bi-directional-overlapping-nat-example-configuration
Regards,
Aditya
Please rate helpful posts.
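An added illustration of the approach described above (example config written for this thread, not taken from the linked document or from Aditya's post): both sites use 192.168.1.0/24 on their VLAN, so each ASA translates its real subnet to a unique mapped subnet before the tunnel and the crypto ACL only ever carries the mapped addresses. All object names, subnets and the peer address are assumed for illustration; Site B mirrors this with its own real subnet mapped to 10.10.2.0/24.

```cisco
! Site A ASA (8.3+ NAT syntax). Assumed: real VLAN subnet 192.168.1.0/24,
! mapped to 10.10.1.0/24 for use across the tunnel.
object network SITEA-REAL
 subnet 192.168.1.0 255.255.255.0
object network SITEA-MAPPED
 subnet 10.10.1.0 255.255.255.0
! Site B also uses 192.168.1.0/24 internally; Site A only knows it by its
! mapped subnet 10.10.2.0/24 (Site B performs the mirror translation).
object network SITEB-MAPPED
 subnet 10.10.2.0 255.255.255.0
!
! Twice NAT: traffic from the real subnet toward Site B's mapped subnet has
! its source translated to SITEA-MAPPED; the destination is left unchanged.
! route-lookup keeps the egress decision on the routing table rather than the
! NAT statement, and no-proxy-arp stops the ASA answering ARP for the mapped range.
nat (inside,outside) source static SITEA-REAL SITEA-MAPPED destination static SITEB-MAPPED SITEB-MAPPED no-proxy-arp route-lookup
!
! Interesting traffic for the tunnel is defined with the MAPPED subnets only,
! so the peer never has to carry the overlapping real VLAN subnet in its
! crypto ACL or routing table.
access-list VPN-SITEB extended permit ip object SITEA-MAPPED object SITEB-MAPPED
!
! Crypto map entry; peer address is a placeholder, and the IKE policy and
! transform set are assumed to be configured elsewhere.
crypto map OUTSIDE-MAP 10 match address VPN-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP interface outside
```

Hosts at Site A then reach Site B hosts as 10.10.2.x, and Site B sees Site A as 10.10.1.x; the tunnel itself never sees 192.168.1.0/24 from either side.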
05-03-2016 08:43 AM
The document is a good answer to that question, but I need more clarity. So if I NAT everything through the site-to-site tunnel, an IP address from an ISP connection would work. That brings me back to my initial question: since I have this ISP with a different IP, do I need to send my VLAN information to the core router?
05-04-2016 12:05 PM
Hi James,
Could you please elaborate on your requirement and give some example to explain the problem you want to discuss?
It would help in suggesting an apt solution.
RS
05-04-2016 04:11 PM
05-09-2016 04:55 AM
I guess my real question is: with me using this base configuration at many sites, will it cause a routing loop? Since I will be sourcing the VLAN (250) from the FW and from the remote router, will the tunnel not see the IP address of VLAN 250?